AlexNisnevich / untrusted

A meta-JavaScript adventure game by Alex Nisnevich and Greg Shuflin.
http://alex.nisnevich.com/untrusted/
4.57k stars 708 forks

String matching for restrictions is probably a never-ending war. #113

Open danfuzz opened 10 years ago

danfuzz commented 10 years ago

E.g.:

```javascript
var sto = this/*hrm*/['set'+'Timeout'];
```

as part of this level 20 solution: https://gist.github.com/anonymous/07b0a167716daf122813

pppery commented 5 years ago

This is definitely true. I have a complete rewrite of the security planned that would fix this and a bunch of other bugs, that I might post at some point.

pppery commented 5 years ago

The first part of that rewrite is #442
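
Why the line quoted in this issue gets past a source-text check, as an added example that is not part of the original thread or the game's code. The `BANNED` list, `fakeGlobal` and all helper names are constructed for illustration, and the Proxy guard only shows a check placed where the resolved property name is visible; it is not a complete sandbox and not the rewrite mentioned above.

```javascript
// Constructed denylist, standing in for the game's restricted names.
const BANNED = ['setTimeout', 'setInterval', 'eval'];

// The line quoted in the issue.
const POSTED = "var sto = this/*hrm*/['set'+'Timeout'];";

// Check 1: match banned names against the source text.
function passesStringFilter(source) {
  return !BANNED.some((name) => source.includes(name));
}

// Check 2: wrap the object the code receives as `this`. The get trap is
// called with the final property key, after comments are dropped and the
// string concatenation has been evaluated.
function guard(target, log) {
  return new Proxy(target, {
    get(obj, key, receiver) {
      if (BANNED.includes(key)) {
        log.push(key);
        throw new Error('blocked property: ' + key);
      }
      return Reflect.get(obj, key, receiver);
    },
  });
}

// Run `source` with `self` as `this` and report what `sto` ends up holding.
function run(source, self) {
  try {
    const value = new Function(source + '\nreturn sto;').call(self);
    return { ok: true, value };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed stand-in for the global object, so no real timer is involved.
const fakeGlobal = { setTimeout: function fakeSetTimeout() {}, name: 'level' };

function demo() {
  const blocked = [];
  return {
    filterVerdict: passesStringFilter(POSTED), // text check reports "clean"
    unguarded: run(POSTED, fakeGlobal).value === fakeGlobal.setTimeout,
    guarded: run(POSTED, guard(fakeGlobal, blocked)),
    blocked,
  };
}

console.log(demo());
```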