realXtend / tundra

realXtend Tundra SDK, a 3D virtual world application platform.
www.realxtend.org
Apache License 2.0

Rewrite the script execution security mechanism. #363

Open juj opened 12 years ago

juj commented 12 years ago

Currently, the whitelist/blacklist mechanism implemented in JavascriptInstance.cpp is based on a 'gut feeling' without real security auditing, and e.g. issue #341 escapes this blacklist. To allow more comprehensive options for managing client-side safety, rewrite the script execution logic as follows:

  1. By default, executing all scripts from external asset storages is disabled. Scripts from the local system are allowed to run.
  2. Then, add a command line parameter --allow_external_scripts which takes one of the values 0,1,2 or 3, with the meaning:
    • 0: Do not execute scripts from external trusted asset storages.
    • 1: Allow execution of scripts from trusted asset storages, but do not allow any script extensions to be imported in them.
    • 2: Allow execution of scripts from trusted asset storages, but only allow them to utilize the whitelisted script extensions.
    • 3: Allow execution of scripts from trusted asset storages, with all script extensions enabled.
  3. Then, add a command line parameter --allow_untrusted_scripts which takes one of the values 0,1,2 or 3, with the same meanings as above, but these apply to scripts from untrusted sources.
  4. Then, rework the script asset request mechanism in EC_Script to NOT request a script asset if the execution of that script is disabled altogether. (to avoid it ending up in the asset cache, which enables a potential untrusted source if an attacker somehow manages to tamper with the cache)
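
The four steps above, modelled as a small policy in C++. This is an added example, not Tundra's code: the type and function names are hypothetical, and it assumes local scripts run with all extensions enabled (the issue only says they are allowed to run).

```cpp
#include <set>
#include <string>

// Where a script asset comes from (hypothetical classification, not Tundra's).
enum class Origin { Local, TrustedStorage, UntrustedStorage };

// The 0..3 levels proposed for --allow_external_scripts / --allow_untrusted_scripts.
enum ScriptLevel { Deny = 0, NoExtensions = 1, WhitelistedExtensions = 2, AllExtensions = 3 };

struct ScriptPolicy {
    ScriptLevel allowExternalScripts;   // --allow_external_scripts (trusted storages)
    ScriptLevel allowUntrustedScripts;  // --allow_untrusted_scripts (untrusted sources)
    std::set<std::string> whitelist;    // script extensions permitted at level 2
};

// Parse a command line level; anything other than 0..3 fails closed to Deny.
bool ParseLevel(const std::string& arg, ScriptLevel& out) {
    if (arg.size() == 1 && arg[0] >= '0' && arg[0] <= '3') {
        out = static_cast<ScriptLevel>(arg[0] - '0');
        return true;
    }
    out = Deny;
    return false;
}

// Step 1: local scripts always run (assumed at level 3); everything else is
// governed by the two command line levels.
ScriptLevel EffectiveLevel(const ScriptPolicy& p, Origin o) {
    switch (o) {
        case Origin::Local:            return AllExtensions;
        case Origin::TrustedStorage:   return p.allowExternalScripts;
        case Origin::UntrustedStorage: return p.allowUntrustedScripts;
    }
    return Deny;
}

// Step 4: EC_Script must not even request the asset when execution is disabled,
// so a denied script never reaches the asset cache.
bool ShouldRequestScriptAsset(const ScriptPolicy& p, Origin o) {
    return EffectiveLevel(p, o) != Deny;
}

// Whether a script from origin o may import a given extension, e.g. "qt.gui".
bool MayImportExtension(const ScriptPolicy& p, Origin o, const std::string& ext) {
    switch (EffectiveLevel(p, o)) {
        case Deny:
        case NoExtensions:          return false;
        case WhitelistedExtensions: return p.whitelist.count(ext) > 0;
        case AllExtensions:         return true;
    }
    return false;
}
```
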
jonnenauha commented 12 years ago

What would be a default for, let's say, viewer-browser.xml that is usually used when starting a login from a web portal?

All scripts that show anything visible or offer some functionality to the end user must at least have qt.core and qt.gui. I understand the whitelists and blacklists are quite bad, but how would any worlds really have any functionality without some extension? I assume option 1 would be the default as it is now, trusted storages can use the whitelisted extensions and classes?

juj commented 12 years ago

For untrusted storages 0, for trusted storages 2. Also an option would be to allow the user to specify the level of trust when choosing to trust a storage.