[x3d-public] script security
Andreas Plesch
andreasplesch at gmail.com
Sun Oct 18 06:41:44 PDT 2020
I added SFRotation as a Proxy to a Quaternion target to get the
ScriptEvents example working:
https://raw.githack.com/andreasplesch/x3dom/7cc55c8a98ffac62cc273d7b1fb0fa92ac7ebacd/test/regression-suite/test/cases/x3dscript/ScriptEvents.html
It should be possible to add SFRotation to x3dom.fields in a separate PR
independent of X3DScript progress.
I think it should be possible to use Proxies for output fields of scripts.
The targets would be the actual field objects of the script node, and there
would be a set trap which invokes sending the event. Worth a try.
Scripts in Prototype do not work yet. I think it is because the custom
script node fields are not available yet when the protoinstance is
constructed.
-Andreas
---on the phone---
On Sat, Oct 17, 2020, 1:25 PM Andreas Plesch <andreasplesch at gmail.com>
wrote:
> I tried another simple x3d script, a simple bouncer, in x_ite:
>
>
> https://gist.githack.com/andreasplesch/8ded7b7ffb598a63c44318f5810b260d/raw/63c673c9bc177c9ad64a3e5a1ad9bd6f7180921a/safe.html
>
> https://gist.github.com/andreasplesch/8ded7b7ffb598a63c44318f5810b260d#file-bouncersafe-x3d
>
> It required adding initialization of given field values, as variables
> in the script. The script node has the fields, with their values, so I
> am now passing the script node itself to the function which evaluates
> the script. This way the node and its fields become available to the
> script. Here is the working example:
>
>
> https://raw.githack.com/andreasplesch/x3dom/695821820e34b8a6571b9fec722337735e632468/test/regression-suite/test/cases/x3dscript/Bouncer.html
>
> In dev tools you can drill down to see X3DScript.js, or look at my
> "fields" branch.
>
> It also turned out that watching for changes in output fields is not
> workable and somewhat wrong, so currently just all output fields fire
> events each time a script set function (an input event) is called.
> Perhaps it is necessary to use a Proxy, or setters which then can fire
> events.
>
> Generally, this would be my approach to scripts, their fields and
> routing events. Please feel free to take whatever you find useful.
> There would be lots to do, for example, creating a translation between
> official SAI functions and x3dom sai like functions. For example
> SFVec3f[0] is SFVec3f.x in x3dom. Browser.print is
> x3dom.debug.logWarning and so on. The translation could be included in
> each script. A more difficult part is to figure out how to deal with
> SFNode, MFNode fields.
>
> With regards to security, it may be worthwhile to just scan the script
> for "document" or "window" and refuse to evaluate. But of course this
> would not be a real solution. I think adding explicit opt in to allow
> execution of scripts somehow may be an option. Perhaps just by
> offering a separate version of x3dom, from a less well known location
> or even on request.
>
> Cheers, -Andreas
>
> On Sat, Oct 17, 2020 at 7:48 AM Andreas Plesch <andreasplesch at gmail.com>
> wrote:
> >
> > Hi John,
> >
> > since I had started to sketch some answers I went ahead and implemented
> a rough draft of a X3DScript node for x3dom.
> >
> > Here is the basic spec. example working with the node:
> >
> >
> https://raw.githack.com/andreasplesch/x3dom/4cf1ec31736109e67d7b44aa1afb8fc8133f8cb6/test/regression-suite/test/cases/x3dscript/TouchSensorIsOverEventECMAScript.html
> >
> > Here is the implementation:
> >
> >
> https://github.com/andreasplesch/x3dom/blob/fields/src/nodes/Scripting/X3DScript.js
> >
> > I am using "X3DScript" for now because it is less confusing. It should
> be possible to switch to Script type='app/x3dscript' at some point.
> >
> > It turns out that in html documents CDATA sections get converted into
> comments. This is great since it lets one use any character ( except for
> -->) in the script. So I am looking for converted comments under the script
> node for the script source. I did not look into xhtml but xml should be
> easier.
> >
> > Since MDN also recommends Function over eval, I tried to go this way and
> could figure out an (unsafe) solution using wrappers to maintain the
> internal context of the script. I think the same approach may be possible
> for x_ite as well.
> >
> > I use the nice x_ite approach to get access to the functions in the
> script, by returning references to the functions.
> >
> > Unlike x_ite I am trying not to use with() since it is not recommended.
> Instead I add lots of helpers to the script source in a preamble, I think
> like you do. For output fields x_ite is also using with() and getters and
> setters. For now, I am trying to avoid with() and just compare output field
> values before and after a script set function gets called, from a route. If
> there is a change, an event is fired.
> >
> > There is no attempt to deal with XFNode field values. This will be
> tricky. I did not test anything other than the simple example but other
> simple examples may start to work as well, perhaps with some adjustments to
> how SAI is used. Gears will need SFRotation which may be easy to add to the
> preamble.
> >
> > Cheers, -Andreasq
> > ---on the phone---
> >
> >
> > On Thu, Oct 15, 2020 at 10:31 PM John Carlson <yottzumm at gmail.com>
> wrote:
> > >
> > >
> > >
> > > On Thu, Oct 15, 2020 at 9:25 PM John Carlson <yottzumm at gmail.com>
> wrote:
> > >>
> > >> What I am searching for is:
> > >>
> > >> 1. How to add Script related routes to X3DOM
> > >
> > >
> > > Once I set up Script and fields, this is done automatically with
> setupTree?
> > >
> > >>
> > >> 2. How to hook in Proto IS statements found in Scripts.
> > >
> > >
> > > Not sure how to do that yet.
> > >>
> > >> 3. How to modify any Script code to support parsing and the above.
> > >
> > >
> > > adding any functions, declaring variables, etc.
> > >>
> > >>
> > >> On Thu, Oct 15, 2020 at 9:15 PM John Carlson <yottzumm at gmail.com>
> wrote:
> > >>>
> > >>> Something like
> > >>>
> > >>> fromNode.setupRoute(fromField, toNode, toField);
> > >>>
> > >>> ? That's only for routes? What about events?
> > >>>
> > >>> John
> > >>>
> > >>>
> > >>> On Thu, Oct 15, 2020 at 8:42 PM John Carlson <yottzumm at gmail.com>
> wrote:
> > >>>>
> > >>>>
> > >>>>>> Use the set_xfield functions on field_changed (xfield).
> > >>>>>
> > >>>>>
> > >>>>> Not implemented. Is this new code? Where would I put it under
> Scripting/? Can you provide a short example?
> > >>>>>>
> > >>>>>>
> > >>>>>> Post messages for all _changed fields as given in the field def.
> > >>>>>> Somehow deal with SFNode fields.
> > >>>>>>
> > >>>>>>
> > >>>>
> > >>>> There is sample code under Script.js:
> > >>>>
> https://github.com/coderextreme/X3DJSONLD/blob/master/src/main/node/Script.js#L346
> > >>>>
> > >>>> Below:
> > >>>> ====================================================================
> > >>>> doRoute(mypackage, fromNode, fromField, toNode, toField,
> log, set, changed, selector, url) {
> > >>>> var fromScript = mypackage.find(fromNode);
> > >>>> var toScript = mypackage.find(toNode);
> > >>>> // only add routes with scripts involved
> > >>>> if (typeof fromScript !== 'undefined' || typeof
> toScript !== 'undefined') {
> > >>>> var from =
> this.nodeUtil(selector)+fromNode+"','"+fromField+"')";
> > >>>> if (typeof fromScript !== 'undefined') {
> > >>>> from = 'typeof
> '+this.useX3DJSON('Obj', selector, url,
> fromScript.name)+'.'+fromField+changed+' === "function" ?
> '+this.useX3DJSON('Obj', selector, url, fromScript.name) +
> '.'+fromField+changed+'() : '+this.useX3DJSON('Obj', selector, url,
> fromScript.name) + '.'+fromField;
> > >>>> }
> > >>>> var to =
> this.nodeUtil(selector)+toNode+"','"+toField+"',";
> > >>>> if (typeof toScript !== 'undefined') {
> > >>>> to = this.useX3DJSON('Obj',
> selector, url, toScript.name) + '.'+set+toField+'(';
> > >>>> }
> > >>>> if (typeof fromScript !== 'undefined' &&
> typeof toScript !== 'undefined') {
> > >>>> log.log(" if
> ("+this.useX3DJSON('Obj', selector, url, toScript.name)+" && "+from+") {");
> > >>>> }
> > >>>> log.log("
> "+to+from+", __eventTime);");
> > >>>> if (typeof fromScript !== 'undefined' &&
> typeof toScript !== 'undefined') {
> > >>>> log.log(" }");
> > >>>> }
> > >>>> }
> > >>>> }
> > >>>>
> > >>>>
> ====================================================================
> > >>>>
> >
> >
>
>
> --
> Andreas Plesch
> Waltham, MA 02453
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://web3d.org/pipermail/x3d-public_web3d.org/attachments/20201018/0439cbdf/attachment-0001.html>
More information about the x3d-public
mailing list