Security: Close the JavaScript API Surface Area #3

Closed
Opened by kirsle on 2019-04-20 00:40:47 +00:00 · 1 comment
Admin

The JavaScript API exposed to doodad scripts reveals too many objects and a malicious doodad might be able to mess with the game in unpredictable ways.

It should be given more careful access to specific function calls for safety.

Create custom types that wrap around specific API calls to provide a clean level of abstraction to the JS runtime. The API should be locked down **before beta** so that if users start making custom doodads, we don't break them by removing APIs they may have come to rely on.

Example mischievous script:

```javascript
function main() {
    console.log("%s initialized!", Self.Doodad.Title);

    // Enumerate everything the runtime exposes to the script.
    console.log(Object.keys(console));
    console.log(Object.keys(log));
    console.log(Object.keys(log.Config));
    console.log(Object.keys(Self.Canvas.Palette));
    console.log(Object.keys(Self.Canvas.Palette.Swatches[0]));

    // Write straight into engine state that a doodad should not own.
    Self.Canvas.Palette.Swatches[0].Color = RGBA(255, 0, 255, 255);
    Self.Canvas.Palette.Swatches[1].Color = RGBA(0, 255, 255, 255);
    console.log(Self.Canvas.Palette.Swatches);
    log.Config.TimeFormat = "haha";

    var colors = [
        RGBA(255, 0, 0, 255),
        RGBA(255, 153, 0, 255),
        RGBA(255, 255, 0, 255),
        RGBA(0, 255, 0, 255),
        RGBA(0, 153, 255, 255),
        RGBA(0, 0, 255, 255),
        RGBA(255, 0, 255, 255)
    ];
    var colorIndex = 0;
    setInterval(function() {
        console.log("sticky tick");
        Self.Canvas.MaskColor = colors[colorIndex];
        colorIndex++;
        if (colorIndex == colors.length) {
            colorIndex = 0;
        }
    }, 100);

    // log.Config.Colors = 0; // panics, can't set a golog.Color

    Events.OnCollide(function() {
        Self.ShowLayer(1);
        setTimeout(function() {
            Self.ShowLayer(0);
        }, 200);
    });
}
```
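The following is an added example, not code from the SketchyMaze/doodle repository, sketching the wrapper shape the issue asks for: the host builds a small frozen facade (`Self`, `Events`) that exposes only named operations and hands that to the script instead of the engine's own objects. `makeRawEngine`, the field names under it, and `runDoodadScript` are constructed stand-ins for the game's internals; the real engine would perform the same construction on the Go side when it installs values into the JS VM.

```javascript
// Constructed stand-in for the engine state that must stay out of a script's reach.
function makeRawEngine() {
  return {
    doodad: { title: "Crumbly Floor", filename: "crumbly.doodad" },
    canvas: { maskColor: null, palette: { swatches: [{ color: "#ff0000" }] }, visibleLayer: 0 },
    log: { config: { timeFormat: "15:04:05" } },
  };
}

// Build the objects a doodad script sees. Every property is an explicit grant;
// the script never receives a reference to `engine` itself.
function makeScriptAPI(engine) {
  const handlers = { collide: [] }; // host-side only, not exported to the script

  const Self = Object.freeze({
    // A copied value, so assigning to it cannot touch the engine's record.
    Doodad: Object.freeze({ Title: engine.doodad.title }),
    ShowLayer(index) {
      if (!Number.isInteger(index) || index < 0) {
        throw new TypeError("ShowLayer: layer index must be a non-negative integer");
      }
      engine.canvas.visibleLayer = index;
    },
  });

  const Events = Object.freeze({
    OnCollide(fn) {
      if (typeof fn !== "function") throw new TypeError("OnCollide expects a function");
      handlers.collide.push(fn);
    },
  });

  // The host keeps the dispatch side of the event registry.
  return { Self, Events, dispatchCollide: () => handlers.collide.forEach((fn) => fn()) };
}

// Evaluate a script body with only the facade bound as parameters. Strict mode
// makes writes to frozen objects throw instead of failing silently.
function runDoodadScript(source, engine) {
  const api = makeScriptAPI(engine);
  const body = new Function("Self", "Events", '"use strict";\n' + source);
  body(api.Self, api.Events);
  return api;
}

// Returns the names a script can enumerate on the facade: the whole surface area.
function exposedSurface(engine) {
  const api = makeScriptAPI(engine);
  return { Self: Object.keys(api.Self), Events: Object.keys(api.Events) };
}

// True when a script errors out against a fresh engine, i.e. the facade blocked it.
function scriptIsBlocked(source) {
  try {
    runDoodadScript(source, makeRawEngine());
    return false;
  } catch (e) {
    return true;
  }
}
```

The facade only controls what arrives through the function parameters; a `new Function` body still sees the host's globals (`setInterval`, `console`), so in the real embedding the same allowlisting has to be done at the VM level, where the host decides which values are installed as globals at all. Checking `exposedSurface()` in a unit test is a cheap way to notice when a new engine object leaks into script scope.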
kirsle added the security label 2019-04-20 00:40:47 +00:00
kirsle added this to the First Beta Release MVP milestone 2020-04-19 21:38:54 +00:00
kirsle (Author, Admin)
Fixed in 38614ee2807cfc59dcc48299702e2f96bd640afd
Reference: SketchyMaze/doodle#3