|
ConditionalCompilationComments
Conditional compilation may allow disabling of runtime checks.
Attack-Vector Reported by futurama Conditional compilation may allow disabling of runtime checks.EffectUnsanitized code can be embedded in comments, and conditional compilation might disable runtime assertions. BackgroundIE contains a non-standard javascript extension that embeds code in comments. According to http://msdn2.microsoft.com/en-us/library/121hztk3.aspx Conditional compilation allows the use of new JScript language features without sacrificing compatibility with older versions that do not support the features. Conditional compilation is activated by using the @cc_on statement, or using an @if or @set statement. Some typical uses for conditional compilation include using new features in JScript, embedding debugging support into a script, and tracing code execution. Always place conditional compilation code in comments, so that hosts (like Netscape Navigator) that do not understand conditional compilation will ignore it. Here is an example. According to http://devedge-temp.mozilla.org/viewsource/2003/venkman/01/index_en.html The //@JSD_EVAL command will insert a breakpoint which is set to execute the script that follows without stopping and without logging the result. AssumptionsRewritten source code includes comments without sanitizing them to remove conditioal compilation code OR verified code allows comments with conditional compilation commands OR conditional compilation is supported outside comments without being rewritten into equivalent javascript control structures. VersionsIE, Firefox w/ Venkman Example/*@cc_on @*/ /*@if (1) alert(document.cookie) @end @*/ //@JSD_EVAL alert(document.cookie); And CC can change tokenization arbitrarily far from the CC directive. x /*@cc_on =*/ ++ /a/i.x is interpreted as x = ++((new RegExp('a', 'i')).x)by IE's JScript interpreter but as (x++) / a / (i.x) on other interpreters. | |
► Sign in to add a comment
It's safest to disallow all /*@, //@, and also any cases where there are characters within these sequences that are potentially stripped before lexical parsing -- not just the obvious //@cc_on, etc.
Note that these extensions are not ES3-compliant (because ES3 requires that the comment is ignored).
Quite right. Our rendering is done via com.google.caja.parser.ParseTreeNode?.render which will never output a comment.
The SideBySideRenderer?, which tries to ease debugging via a 2-column view of the original source code next to the cajoled output does render comments, replaces '@' and some other codepoints with the replacement codepoint U+FFFD.
Good. The reason I pointed this out explicitly is that I think this wiki is trying to enumerate attacks against "safe Javascript" variants in general, not just Caja. Other variants might not do rewriting, or might do only minimal rewriting, with the goal of outputting readable code that includes comments.
Why replace '@' with U+FFFD in the SideBySideRenderer?? (Not that it's very important, because you're not going to execute that view.)
I asked "Why replace '@' with U+FFFD in the SideBySideRenderer??"
Never mind, silly question. It should be possible to cut-and-paste code from that view without it having weaknesses that would not be present in the normal rendering.
I wrote: "This restriction on comments does not seem to be in the Caja spec (dated January 15 2008), BTW."
Doh. Because it is not a restriction on the input Caja and Cajita languages, only on the output of rewriting.
David-Sarah, I agree that this wiki is not caja specific. I'll add something to assumptions to make it clear that verifiers can also suffer from this.