
Allow C++ scripting inside my GUI program


Frederick Virchanza Gotham

Dec 20, 2022, 1:01:24 PM12/20/22

I've written a GUI program for desktop PCs that acts as a 'man in the middle': it intercepts traffic and modifies it before forwarding it.

I was thinking it would be cool to allow the user to write some C++ code in a text box in my GUI application to describe a text filter, so for example they could write in the text box:

[begin text box]
cmd.erase(0u,2u);
cmd.insert(0u,"invert_");
reply.erase(reply.find(':'));
return true;
[end text box]

I would then take this code and surround it in a function, like this:

[begin code]
bool ProcessExchange(std::string &cmd, std::string &reply)
{
cmd.erase(0u,2u);
cmd.insert(0u,"invert_");
reply.erase(reply.find(':'));
return true;
}
[end code]

The next thing I would do is include every C++ header file, from <any> to <bitset> to <chrono> all the way to <utility> <variant> <version>. I count that there's 107 of them when you include the C ones like <cstdlib> <cstring>. So then it would look like this:

[begin code]
#include <any>
#include <bitset>
#include <chrono>
...
#include <utility>
#include <variant>
#include <version>

bool ProcessExchange(std::string &cmd, std::string &reply)
{
cmd.erase(0u,2u);
cmd.insert(0u,"invert_");
reply.erase(reply.find(':'));
return true;
}
[end code]

So then I would compile this translation unit to a dynamic shared library, e.g. "custom_filter.dll" on MS-Windows or "libcustom_filter.so" on Linux/Mac. Then I would load this library into my program using "LoadLibrary" or "dlopen". I would compile the library with "-fsanitize" to make sure it dies as soon as there's a memory access violation.

So the question is how can I make it as safe as possible? First thing to watch out for would be the user closing the body of the function and then opening a new function, like this:

[begin text box]
} // This closes the 'Process' function

bool MyFunc(void);

bool const my_global_var = MyFunc();

bool MyFunc(void)
{
// Do something else in here
[end text box]

So I would have to make sure that all the curly brackets are paired up properly. Another thing is of course that I'd have to watch out for:

[begin text box]
std::system("format d: /y");
[end text box]

To prevent this, I think I'd use macros, something like:

[begin code]
#include <cstdlib>
#define system /* nothing */
[end code]

I'd have to make a finite list of the 'dangerous' functions, stuff like std::remove, or using an std::ofstream to bulldoze a file.

If I code this then it would mean that in the future, anyone could use my man in the middle program to do very complex processing on the traffic.

Öö Tiib

Dec 20, 2022, 1:13:59 PM12/20/22
If you mechanically compose executable code, a script or a request from
whatever text the user entered, then you have made your software a deliberate
target of code injection attacks. That can be viewed as sabotage by whatever
organisation you code for. So if you do it for yourself then you should be as
harsh as you can with yourself. ;)

Frederick Virchanza Gotham

Dec 20, 2022, 1:43:51 PM12/20/22
On Tuesday, December 20, 2022 at 6:13:59 PM UTC, Öö Tiib wrote:

> If you mechanically compose executable code, a script or a request from
> whatever text the user entered, then you have made your software a deliberate
> target of code injection attacks. That can be viewed as sabotage by whatever
> organisation you code for. So if you do it for yourself then you should be as
> harsh as you can with yourself. ;)


They can't include their own header files nor link with their own libraries, so the damage they can do is limited to what can be achieved with the C++ standard library. So I just need to make a list of stuff to outlaw:
system, remove, ifstream, ofstream, etc.
And then devise a way to prevent these things from being accessed, perhaps by using preprocessor macros.

Paavo Helde

Dec 20, 2022, 1:56:36 PM12/20/22
20.12.2022 20:01 Frederick Virchanza Gotham wrote:
>
> I've written a GUI program for desktop PC's that acts as a 'man in the middle', it intercepts traffic and modifies it before forwarding it.
>
> I was thinking it would be cool to allow the user to write some C++ code in a text box in my GUI application to describe a text filter,
>
> So then I would compile this translation unit to a dynamic shared library, e.g. "custom_filter.dll" on MS-Windows or "libcustom_filter.so" on Linux/Mac. Then I would load this library into my program using "LoadLibrary" or "dlopen". I would compile the library with "-fsanitize" to make sure it dies as soon as there's a memory access violation.

You only get a memory access violation if the program attempts to write
into non-mapped memory. Nothing prevents it from just writing over your own
vital data structures in your own program. I suggest running it as a
separate process, not as a shared library.

>
> So the question is how can I make it as safe as possible?

You don't need to do anything. If this is a desktop app, only the
desktop user can enter code pieces, and they can delete their files or
format their drives easily without the help of your program. You just
need to take care that the compiled code runs with the same privileges as
the user has.

If your program has a web interface and untrusted remote users can enter
code, you are screwed anyway. There is no way to sanitize or sandbox a
piece of general C++ code, so there is no point bothering. If you really
want to do this, compile and run the program in a short-lived Docker
container, or something like that.
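Paavo's suggestion to run the filter as a separate process rather than a shared library, worked through as an added example (this is not code from the thread): the host forks a child, runs the filter there and reads the result back over a pipe, so an abort in the user's code leaves the host's own strings intact. It assumes POSIX fork/pipe; `FilterResult`, `RunFilterIsolated` and the in-binary stand-in for the user filter are constructed for the example (the real design would place the compiled filter in its own executable).

```cpp
#include <string>
#include <unistd.h>
#include <sys/wait.h>

// Stand-in for the user-supplied filter (constructed for this example; in the
// real design it would live in a separately compiled, untrusted executable).
bool ProcessExchange(std::string &cmd, std::string &reply) {
    cmd.erase(0u, 2u);
    cmd.insert(0u, "invert_");
    reply.erase(reply.find(':'));   // throws std::out_of_range if ':' is absent
    return true;
}

// completed: child ran to the end; keep: the filter's own return value
struct FilterResult { bool completed; bool keep; std::string cmd; std::string reply; };

// Host side: run the filter in a forked child and read its output over a pipe.
// A crash, uncaught exception or sanitizer abort in the child cannot touch the
// host's memory; the host just sees completed == false and keeps its originals.
FilterResult RunFilterIsolated(std::string cmd, std::string reply) {
    FilterResult failed{false, false, cmd, reply};
    int fd[2]; if (pipe(fd) != 0) return failed;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return failed; }
    if (pid == 0) {                               // child: untrusted code runs here
        close(fd[0]);
        bool keep = ProcessExchange(cmd, reply);
        // constructed wire format: "<keep>\n<cmd>\n<reply>\n" (a real
        // implementation would length-prefix or escape embedded newlines)
        std::string out = std::string(keep ? "1\n" : "0\n") + cmd + "\n" + reply + "\n";
        for (size_t off = 0; off < out.size();) {
            ssize_t n = write(fd[1], out.data() + off, out.size() - off);
            if (n <= 0) _exit(2);
            off += static_cast<size_t>(n);
        }
        _exit(0);
    }
    close(fd[1]);                                 // parent: read until child closes
    std::string buf; char tmp[256]; ssize_t n;
    while ((n = read(fd[0], tmp, sizeof tmp)) > 0) buf.append(tmp, static_cast<size_t>(n));
    close(fd[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return failed;
    size_t a = buf.find('\n');
    size_t b = (a == std::string::npos) ? a : buf.find('\n', a + 1);
    size_t c = (b == std::string::npos) ? b : buf.find('\n', b + 1);
    if (c == std::string::npos) return failed;    // malformed or truncated reply
    return {true, buf.substr(0, a) == "1", buf.substr(a + 1, b - a - 1), buf.substr(b + 1, c - b - 1)};
}
```

A reply with no ':' makes the child's `erase` throw and abort; the host observes that as `completed == false` and still holds the unmodified strings.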

Öö Tiib

Dec 20, 2022, 2:03:47 PM12/20/22
Don't be naive. A Windows metafile (.wmf) is considered a vector graphics
file that only IE displays. But Windows is actually treating its contents
as arguments to GDI API calls. Note, just arguments to a graphics API. I
think after that the GDI dll was debugged by a skyscraper of MS developers
and the flow of patches continued into this century. All kinds of
attacks were possible just by the victim clicking a link in IE under
Windows 2000 leading to a page that showed "a .wmf picture" carefully
prepared.

Louis Krupp

Dec 21, 2022, 5:44:37 AM12/21/22
On 12/20/2022 11:01 AM, Frederick Virchanza Gotham wrote:
> I've written a GUI program for desktop PC's that acts as a 'man in the
> middle', it intercepts traffic and modifies it before forwarding it.
>
> I was thinking it would be cool to allow the user to write some C++
> code in a text box in my GUI application to describe a text filter, so
> for example they could write in the text box:
>
> [begin text box]
> cmd.erase(0u,2u);
> cmd.insert(0u,"invert_");
> reply.erase(reply.find(':'));
> return true;
> [end text box]
>
> I would then take this code and surround it in a function, like this:
>
> [begin code]
> bool ProcessExchange(string &cmd, string &reply)
> {
> cmd.erase(0u,2u);
> cmd.insert(0u,"invert_");
> reply.erase(reply.find(':'));
> return true;
> }
> [end code]
>
>
<snip>

To quote Shakespeare, who knew a thing or two about trusting people too
much and then living with the consequences:

"... that way madness lies ..."

Louis
