Security: Close the JavaScript API Surface Area #3

New Issue

kirsle · 2019-04-20T00:40:47Z

kirsle commented

2019-04-20 00:40:47 +00:00

The JavaScript API exposed to doodad scripts reveals too many objects and a malicious doodad might be able to mess with the game in unpredictable ways.

It should be given more careful access to specific function calls for safety.

Create custom types that wrap around specific API calls to provide a clean level of abstraction to the JS runtime. The API should be locked down before beta so that if users start making custom doodads, we don't break them by removing APIs they may have come to rely on.

Example mischievous script:

function main() {
	console.log("%s initialized!", Self.Doodad.Title);

	console.log(Object.keys(console));
	console.log(Object.keys(log));
	console.log(Object.keys(log.Config));
	console.log(Object.keys(Self.Canvas.Palette));
	console.log(Object.keys(Self.Canvas.Palette.Swatches[0]));

	Self.Canvas.Palette.Swatches[0].Color = RGBA(255, 0, 255, 255);
	Self.Canvas.Palette.Swatches[1].Color = RGBA(0, 255, 255, 255);
	console.log(Self.Canvas.Palette.Swatches);
	log.Config.TimeFormat = "haha";

	var colors = [
		RGBA(255, 0, 0, 255),
		RGBA(255, 153, 0, 255),
		RGBA(255, 255, 0, 255),
		RGBA(0, 255, 0, 255),
		RGBA(0, 153, 255, 255),
		RGBA(0, 0, 255, 255),
		RGBA(255, 0, 255, 255)
	];
	var colorIndex = 0;
	setInterval(function() {
		console.log("sticky tick");
		Self.Canvas.MaskColor = colors[colorIndex];
		colorIndex++;
		if (colorIndex == colors.length) {
			colorIndex = 0;
		}
	}, 100);

	// log.Config.Colors = 0; // panics, can't set a golog.Color

	Events.OnCollide( function() {

		Self.ShowLayer(1);
		setTimeout(function() {
			Self.ShowLayer(0);
		}, 200);
	})
}

The JavaScript API exposed to doodad scripts reveals too many objects and a malicious doodad might be able to mess with the game in unpredictable ways. It should be given more careful access to specific function calls for safety. Create custom types that wrap around specific API calls to provide a clean level of abstraction to the JS runtime. The API should be locked down **before beta** so that if users start making custom doodads, we don't break them by removing APIs they may have come to rely on. Example mischievous script: ```javascript function main() { console.log("%s initialized!", Self.Doodad.Title); console.log(Object.keys(console)); console.log(Object.keys(log)); console.log(Object.keys(log.Config)); console.log(Object.keys(Self.Canvas.Palette)); console.log(Object.keys(Self.Canvas.Palette.Swatches[0])); Self.Canvas.Palette.Swatches[0].Color = RGBA(255, 0, 255, 255); Self.Canvas.Palette.Swatches[1].Color = RGBA(0, 255, 255, 255); console.log(Self.Canvas.Palette.Swatches); log.Config.TimeFormat = "haha"; var colors = [ RGBA(255, 0, 0, 255), RGBA(255, 153, 0, 255), RGBA(255, 255, 0, 255), RGBA(0, 255, 0, 255), RGBA(0, 153, 255, 255), RGBA(0, 0, 255, 255), RGBA(255, 0, 255, 255) ]; var colorIndex = 0; setInterval(function() { console.log("sticky tick"); Self.Canvas.MaskColor = colors[colorIndex]; colorIndex++; if (colorIndex == colors.length) { colorIndex = 0; } }, 100); // log.Config.Colors = 0; // panics, can't set a golog.Color Events.OnCollide( function() { Self.ShowLayer(1); setTimeout(function() { Self.ShowLayer(0); }, 200); }) } ```

kirsle added the

security

label 2019-04-20 00:40:47 +00:00

kirsle added this to the First Beta Release MVP milestone 2020-04-19 21:38:54 +00:00

kirsle commented

2020-04-22 06:57:15 +00:00

Fixed in 38614ee280

Fixed in 38614ee2807cfc59dcc48299702e2f96bd640afd

kirsle closed this issue

2020-04-22 06:57:21 +00:00

Sign in to join this conversation.