martedì, febbraio 10, 2009

[jsn] isNative: a.k.a. the windmill war

Long long time ago me and Andrea Giammarchi have nothing better to do to understand if there was a way to understand if you were using a safe function in javascript or if you use a fake one.

We try very hard to make something reliable, and without fail we manage to crack every single code we wrote.

I gave up but since then every now and then I recall that days in which we enjoyed this "windmill war".
Since when I gave up I had an idea, I just tried to see if that I can work out something to make that idea work.

What IDEA?


Basically since we cannot know if a function is real I thought to make the browser fail if I try to eval some code, make the eval code call himself in an infinite loops.

<script type="text/javascript">
eval = function(str){
eval(str);
}

eval("alert('hello, proof');"); //too much recursion on FF, stack overflow on IE ;)
</script>


Basically if I extend this logic to all the string evaluating function
(Function object, eval, Object.eval, setTimeout, setInterval) made them using only one function It should work.

example:

eval = function(){
return function(code){
(new Function(""+code))();
}
};


in this way if I try to use eval to rewrite Function I just can't because Function is called inside eval for the same principle of the first snippet I posted.

So why a windmill war?


Caching.
Function caching to be precise,
in javascript I can write this code:

var f = eval

eval = function(str){
alert("I' m an evil functions! bwahahaha!");
f(str);
}


So I don't need to use Function anymore to rewrote eval, I just Spoof the code,
I can send The spoofed code around using http request (for example a src in images...).

To recap, bear this in mind:
Javascript is so powerful in the way it leaves you modify its behaviour that is totally unreliable.

3 commenti:

QuakePC ha detto...

tu e la tua maniera di indentare il codice...

quando è che invece di trastullarti con il pc ti stacchi e mi paghi la pizza come promesso?

kentaromiura ha detto...

Ho imparato ad indentare leggendo la bibbia bianca.
Piuttosto, per la pizza, non ho una data precisa, ma avanzi...
Io mantengo sempre gli impegni ;)

QuakePC ha detto...

speriamo... il problema è il tempo con cui mantieni gli impegni....