Security: Close the JavaScript API Surface Area #3

建立問題

kirsle · 2019-04-20T00:40:47Z

kirsle 評論

2019-04-20 00:40:47 +00:00

管理員

The JavaScript API exposed to doodad scripts reveals too many objects and a malicious doodad might be able to mess with the game in unpredictable ways.

It should be given more careful access to specific function calls for safety.

Create custom types that wrap around specific API calls to provide a clean level of abstraction to the JS runtime. The API should be locked down before beta so that if users start making custom doodads, we don't break them by removing APIs they may have come to rely on.

Example mischievous script:

function main() {
	console.log("%s initialized!", Self.Doodad.Title);

	console.log(Object.keys(console));
	console.log(Object.keys(log));
	console.log(Object.keys(log.Config));
	console.log(Object.keys(Self.Canvas.Palette));
	console.log(Object.keys(Self.Canvas.Palette.Swatches[0]));

	Self.Canvas.Palette.Swatches[0].Color = RGBA(255, 0, 255, 255);
	Self.Canvas.Palette.Swatches[1].Color = RGBA(0, 255, 255, 255);
	console.log(Self.Canvas.Palette.Swatches);
	log.Config.TimeFormat = "haha";

	var colors = [
		RGBA(255, 0, 0, 255),
		RGBA(255, 153, 0, 255),
		RGBA(255, 255, 0, 255),
		RGBA(0, 255, 0, 255),
		RGBA(0, 153, 255, 255),
		RGBA(0, 0, 255, 255),
		RGBA(255, 0, 255, 255)
	];
	var colorIndex = 0;
	setInterval(function() {
		console.log("sticky tick");
		Self.Canvas.MaskColor = colors[colorIndex];
		colorIndex++;
		if (colorIndex == colors.length) {
			colorIndex = 0;
		}
	}, 100);

	// log.Config.Colors = 0; // panics, can't set a golog.Color

	Events.OnCollide( function() {

		Self.ShowLayer(1);
		setTimeout(function() {
			Self.ShowLayer(0);
		}, 200);
	})
}

The JavaScript API exposed to doodad scripts reveals too many objects and a malicious doodad might be able to mess with the game in unpredictable ways. It should be given more careful access to specific function calls for safety. Create custom types that wrap around specific API calls to provide a clean level of abstraction to the JS runtime. The API should be locked down **before beta** so that if users start making custom doodads, we don't break them by removing APIs they may have come to rely on. Example mischievous script: ```javascript function main() { console.log("%s initialized!", Self.Doodad.Title); console.log(Object.keys(console)); console.log(Object.keys(log)); console.log(Object.keys(log.Config)); console.log(Object.keys(Self.Canvas.Palette)); console.log(Object.keys(Self.Canvas.Palette.Swatches[0])); Self.Canvas.Palette.Swatches[0].Color = RGBA(255, 0, 255, 255); Self.Canvas.Palette.Swatches[1].Color = RGBA(0, 255, 255, 255); console.log(Self.Canvas.Palette.Swatches); log.Config.TimeFormat = "haha"; var colors = [ RGBA(255, 0, 0, 255), RGBA(255, 153, 0, 255), RGBA(255, 255, 0, 255), RGBA(0, 255, 0, 255), RGBA(0, 153, 255, 255), RGBA(0, 0, 255, 255), RGBA(255, 0, 255, 255) ]; var colorIndex = 0; setInterval(function() { console.log("sticky tick"); Self.Canvas.MaskColor = colors[colorIndex]; colorIndex++; if (colorIndex == colors.length) { colorIndex = 0; } }, 100); // log.Config.Colors = 0; // panics, can't set a golog.Color Events.OnCollide( function() { Self.ShowLayer(1); setTimeout(function() { Self.ShowLayer(0); }, 200); }) } ```

kirsle added the

security

label 2019-04-20 00:40:47 +00:00

kirsle 新增至First Beta Release MVP 里程碑 2020-04-19 21:38:54 +00:00

kirsle 評論

2020-04-22 06:57:15 +00:00

管理員

Fixed in 38614ee280

Fixed in 38614ee2807cfc59dcc48299702e2f96bd640afd

kirsle closed this issue

2020-04-22 06:57:21 +00:00

登入才能加入這對話。