Restrict methods accessible from javascript on python objects
Reported by Richard Boulton | June 11th, 2009 @ 07:47 AM | in Version 0.1.0
Currently, if I expose a python object to javascript, all methods and properties of that object can be called from javascript. This will often allow the javascript code to access pretty much any python object (for example, you can often get a long way by starting with the module property).
It would be really nice to have some sort of restriction on the properties which can be accessed from javascript. I discussed this on email a little with Paul Davis, who mentioned that the original python-spidermonkey had simply made it such that any attribute starting with an underscore was off-limits from javascript. This would at least allow custom objects to be constructed which are safe to be exposed to javascript (ie, don't allow untrusted javascript to break out of the sandbox), but is a bit limiting.
I suggested that a nice approach might be to be able to register a callback (presumably, this would be registered on the Context), which would be called whenever javascript tried to access any attribute of a python object, would be passed the object and the name of the attribute, and would return True or False, to indicate whether the javascript should be allowed to access the attribute. Alternatively, the callback could simply raise an exception if the access was not allowed (which the javascript would be able to catch and handle appropriately).
I took a look at the code to attempt making a patch, but got somewhat lost rather quickly. If anyone can point me at the right part of the source code, I'd be happy to have another go at this, though. :)
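A pure-Python model of the access callback proposed in the report above, added here as an illustration; it is not python-spidermonkey code or its API. `GuardedProxy`, `AccessDenied`, `underscore_policy`, `allowlist_policy`, `Account` and `probe` are hypothetical names, and the proxy stands in for the bridge: it re-wraps every returned object so the callback also sees lookups on bound methods and nested objects.

```python
class AccessDenied(Exception):
    """Raised when the policy refuses an attribute lookup."""

# Values a bridge would copy into the script as plain data, not as live objects.
_PLAIN = (str, bytes, int, float, bool, type(None))

def _wrap(value, check):
    return value if isinstance(value, _PLAIN) else GuardedProxy(value, check)

class GuardedProxy:
    """Stand-in for a Python object exposed to script code (hypothetical model)."""
    __slots__ = ("_target", "_check")

    def __init__(self, target, check):
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_check", check)

    def __getattribute__(self, name):
        target = object.__getattribute__(self, "_target")
        check = object.__getattribute__(self, "_check")
        # check(obj, name) returns True/False, or may raise its own exception.
        if not check(target, name):
            raise AccessDenied(name)
        # Wrap the result so the same policy guards every object reached from here.
        return _wrap(getattr(target, name), check)

    def __setattr__(self, name, value):
        raise AccessDenied(name)  # this model exposes objects read-only

    def __call__(self, *args, **kwargs):
        target = object.__getattribute__(self, "_target")
        check = object.__getattribute__(self, "_check")
        return _wrap(target(*args, **kwargs), check)

def underscore_policy(obj, name):
    """The rule the ticket attributes to the original python-spidermonkey."""
    return not name.startswith("_")

def allowlist_policy(allowed):
    """Stricter variant: only names listed for the object's exact type pass."""
    def check(obj, name):
        return name in allowed.get(type(obj), ())
    return check

class Account:  # constructed sample object
    def __init__(self, owner):
        self.owner = owner
        self._token = "constructed-secret"
    def greet(self):
        return "hello " + self.owner

def probe(proxy, names):
    """Report which attribute lookups the policy lets through."""
    result = {}
    for name in names:
        try:
            getattr(proxy, name)
            result[name] = "ok"
        except AccessDenied:
            result[name] = "denied"
    return result
```
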
Comments and changes to this ticket
-
Paul J. Davis June 12th, 2009 @ 11:10 AM
- State changed from new to open
- Tag set to python, wrapping
- Milestone set to Version 0.1.0
Richard,
Sorry it took me so long to respond to this. I had it on the todo list and then lost the list. :/
The parts of the code that you'd need to look at are the bits in spidermonkey/context.c where the global handler is registered and consulted for attributes. This would be a good example of how to add the infrastructure for having an access handler. Once you have that registration working, it should only be a matter of adding checks before python objects are consulted, which should be semi-localized to spidermonkey/context.c:get_prop and spidermonkey/pyobject.c:js_get_prop.
Let me know if you need anything else.
-
Richard Boulton June 13th, 2009 @ 11:14 PM
I've put together an initial implementation of this, thanks to your hints, and it just about works, I think!
It needs more testing, and a bit of an audit to check if this catches everything, but it feels like a nice approach for this.
-
Paul J. Davis June 14th, 2009 @ 01:00 AM
That looks right in line with what I was thinking. I've just read through the diff so I might be missing bits, but it looks like a call to check_key_access is missing in context.c when grabbing data from the global handler.
I'll go through this more thoroughly tomorrow and get it committed. Thanks for your help.
Paul
-
Richard Boulton June 14th, 2009 @ 09:42 AM
I assume you're referring to adding a check somewhere in context.c:get_prop() - around line 95, just before PyObject_GetItem. That's probably a good idea, yes.
I've tried implementing this, but am currently getting a segfault from my effort. My code's in my fork at http://github.com/rboulton/python-spidermonkey/tree/master , in case it's of any help to you (I'm going out now, so won't be able to look at it any further for a while).
-
Paul J. Davis June 14th, 2009 @ 07:43 PM
- State changed from open to resolved
Forgot to do the state update in the commit. Filtering access should now work:
http://github.com/davisp/python-spidermonkey/commit/e8e69e9f5644907...
I uploaded a 0.0.7 version to PyPI in case people prefer that.
Thanks for the patch Richard.
-
Richard Boulton June 15th, 2009 @ 02:57 AM
Excellent - your updated patch all looks good here. Thanks for tidying up (lots!) and applying so quickly. :)
-
Paul J. Davis June 15th, 2009 @ 08:22 AM
No problem. If you have time, try and think of more tests. I get the feeling I'm missing edge cases but I'm lacking the creativity to figure out what they might be.
Python/JavaScript bridge module, making use of Mozilla's spidermonkey JavaScript implementation. Allows implementation of JavaScript classes, objects and functions in Python, and evaluation and calling of JavaScript scripts and functions respectively. Borrows heavily from Claes Jacobssen's Javascript Perl module, in turn based on Mozilla's 'PerlConnect' Perl binding.