Need better sanitization of inputs #6

Closed
amellnik opened this issue Jan 14, 2017 · 11 comments

Comments

@amellnik
Contributor

Sending a system of equations like

dx = a*x - b*x*y + println("meh")
dy = -c*y + d*x*y

does print 'meh' on the server before throwing any errors at the moment...

@amellnik amellnik added this to the 1.0 milestone Jan 14, 2017
@amellnik amellnik self-assigned this Jan 14, 2017
@ChrisRackauckas
Member

I see. Pre-parsing should be done before ParameterizedFunctions.jl then, since one place where ParameterizedFunctions is expanding is actually to make it easier to use user-defined functions (which of course runs counter to this)

@ChrisRackauckas
Member

It seems like you have setup input sanitation. Are you looking to do more or is this complete?

@amellnik
Contributor Author

Right now the user can execute arbitrary code on the server, we're only preventing them from defining new functions (not sure that even helps at all). I think we need to look at the parsed diff eq and vars and throw an error if any function not on a whitelist is called.

@ChrisRackauckas
Member

Some people on the Gitter took it for a spin... to say the least. One thing that they found is that we need to also get rid of any control flow blocks:

2017-01-16T06:23:06.655428+00:00 app[web.1]: Diff equ: begin  # none, line 2:
2017-01-16T06:23:06.655457+00:00 app[web.1]:     dx = a * x - b * x * y # none, line 3:
2017-01-16T06:23:06.728152+00:00 app[web.1]:     dy = -c * y + d * x * y + while true # none, line 3:
2017-01-16T06:23:06.728212+00:00 app[web.1]:             end
2017-01-16T06:23:06.728266+00:00 app[web.1]: end
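The two failure modes raised in this thread (an arbitrary call such as `println`, and a control-flow block such as `while` spliced into an expression) can both be caught by walking the parsed `Expr` tree and allow-listing syntax heads and call targets, instead of blacklisting keywords one at a time. The following is an added example, not code from the project; the `ALLOWED_CALLS` and `ALLOWED_HEADS` sets are assumptions chosen for an ODE right-hand side and would need to be widened for the functions the app actually supports.

```julia
# Added example: reject anything in a user-supplied system of equations
# that is not plain arithmetic over symbols and numeric literals.
# Both sets are assumptions for this example; widen them as needed.
const ALLOWED_CALLS = Set([:+, :-, :*, :/, :^])       # arithmetic only
const ALLOWED_HEADS = Set([:block, :(=), :call])      # no loops, defs, macros, ...

function check_expr(ex)
    # Leaves: numbers and bare variable names are fine; everything else
    # (strings, chars, quoted symbols) has no business in an ODE.
    ex isa Number && return true
    ex isa Symbol && return true
    ex isa LineNumberNode && return true
    ex isa Expr || error("disallowed literal of type $(typeof(ex))")

    # Any syntax form outside the allow-list (while, function, ->, macrocall,
    # $ interpolation, &&, ...) is rejected before we look inside it.
    ex.head in ALLOWED_HEADS || error("disallowed syntax: $(ex.head)")

    if ex.head == :call
        f = ex.args[1]
        # `f(x) = ...` one-liners show up as a :call on the left of :(=),
        # so this check also rejects short-form function definitions.
        (f isa Symbol && f in ALLOWED_CALLS) || error("disallowed call: $f")
        foreach(check_expr, ex.args[2:end])
    else
        foreach(check_expr, ex.args)
    end
    return true
end

# Wrap the submitted text in begin/end, as the server log above shows the app
# already does, so a multi-line system parses as a single :block.
sanitize_system(src::AbstractString) = check_expr(Meta.parse("begin\n" * src * "\nend"))

# Constructed inputs: the valid Lotka-Volterra system, then the two probes
# reported in this issue.
for src in ("dx = a*x - b*x*y\ndy = -c*y + d*x*y",
            "dx = a*x - b*x*y + println(\"meh\")",
            "dy = -c*y + d*x*y + while true end")
    try
        sanitize_system(src)
        println("accepted")
    catch e
        println("rejected: ", e.msg)
    end
end
```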

@amellnik
Contributor Author

amellnik commented Jan 16, 2017 via email

@ChrisRackauckas
Member

Right now the user can execute arbitrary code on the server, we're only preventing them from defining new functions (not sure that even helps at all).

that is not taking into account one line func definitions, I guess you are looking for the function keyword

@Ismael-VC

@Ismael-VC
Contributor

that is not taking into account one line func definitions

Please see: #7.

@ChrisRackauckas
Member

ChrisRackauckas commented Jan 16, 2017

Looks good. We should now probably expand the parsing to every Julia keyword for any kind of block. Is there a list somewhere?

@ChrisRackauckas
Member

I think we're good on this. At least, everything I tried doesn't work anymore. Of course, there may be something I missed which we can deal with as its own case.

@amellnik
Contributor Author

I think it looks good for the main expression. I'm going to move things around a bit to make sure that vars and similar also get the same sanitation.
