
evalInSandbox security question


Spock

Jan 4, 2010, 10:42:45 AM1/4/10
I've been tinkering with evalInSandbox, trying to figure out which
scenarios are unsafe. According to https://developer.mozilla.org/En/Components.utils.evalInSandbox,
pretty much any use of the return value of evalInSandbox, or
properties of the sandbox itself, is unsafe.

For example, the following code should invoke the toString function
and according to the wiki, should be a security risk (because
theoretically it lets the sandboxed code access the privileged
Components.classes):

// Create a sandbox with the origin's (unprivileged) principal
var sandbox = Components.utils.Sandbox("http://www.example.com");
// Sandboxed code defines an object whose toString is attacker-controlled
Components.utils.evalInSandbox(
  "var j = ({toString: function() { return Components.classes; } });",
  sandbox);
// Implicit string coercion of sandbox.j invokes the sandbox-defined toString
alert(sandbox.j + ' moo');

However, when I try this on Firefox 3.5.6, I get a permission denied
error, which seems like the correct, safe behavior. So how come the
wiki page says it isn't? Has something changed recently in the
implementation of the sandbox to make it safer?

If anybody has an idea on when it is safe to use the return value /
sandbox properties and when it isn't, I'd appreciate the help.

Spock

Nickolay Ponomarev

Jan 5, 2010, 8:16:09 AM1/5/10
to dev-extensions
On Mon, Jan 4, 2010 at 6:42 PM, Spock <yair....@glydo.com> wrote:

> I've been tinkering with evalInSandbox, trying to figure out which
> scenarios are unsafe. According to
> https://developer.mozilla.org/En/Components.utils.evalInSandbox,
> pretty much any use of the return value of evalInSandbox, or
> properties of the sandbox itself, is unsafe.
>

Judging from the previous discussions on this topic, the fact that 386635 is
not fixed yet, and the text on the wiki page, I think yes, it's currently
unsafe.

(If you need the definitive answer, you should try getting it directly from
the core developers, who usually don't follow dev-extensions very closely.
mrbkap and bz usually answer these types of questions).

> For example, the following code should invoke the toString function
> and according to the wiki, should be a security risk (because
> theoretically it lets the sandboxed code access the privileged
> Components.classes):
>

Note that the explanation of why it is unsafe is very hand-wavy and doesn't
offer a specific example of an exploit. It is usually the case that the
obvious attempts at privilege escalation are not working, but if you do
"unsafe" things, the ways to exploit it can be found.

You could look through the old security bugs to get a feel of how the
exploits look (e.g. bug 290908). The specific exploits that can be used with
recent versions of Firefox are not available to the public.

> If anybody has an idea on when it is safe to use the return value /
> sandbox properties and when it isn't, I'd appreciate the help.
>

I think it would be more productive if you stated your use-case and asked
the gurus (see above) if it can be implemented securely.

Nickolay

John J. Barton

Jan 5, 2010, 12:36:24 PM1/5/10
Spock wrote:
...

> If anybody has an idea on when it is safe to use the return value /
> sandbox properties and when it isn't, I'd appreciate the help.

You'll also have to ponder how the answer depends on what you put into
the sandbox. After multiple attempts I concluded that the sandbox itself
is a bad idea. Only two people seem to understand it and I can't
understand their explanations. I think there is an alternative that
would be easier to analyze:
https://bugzilla.mozilla.org/show_bug.cgi?id=529474

jjb
