sanitized eval with Caja

56 views
Skip to first unread message

Yehonathan Sharvit

unread,
Jan 7, 2019, 10:32:15 AM1/7/19
to Google Caja Discuss
Hello Caja folks,

I'd like to allow users to eval javascript code snippets on my website.
But eval is too dangerous.

I was thinking of using Caja to provide a sanitized version of eval.

Is it possible with caja to evaluate dynamic code snippets provided by users?
If yes, how?

Thanks,
Yehonathan

Mike Stay

unread,
Jan 7, 2019, 11:19:26 AM1/7/19
to Google Caja Discuss
Yes, this is what Caja was designed to do. You may not need all of
Caja, though. Can you tell us more about what you'd like to allow
them to do?
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Mike Stay - meta...@gmail.com
http://math.ucr.edu/~mike
https://reperiendi.wordpress.com

Mark Miller

unread,
Jan 7, 2019, 2:51:54 PM1/7/19
to Google Caja Discuss
Hi Yehonathan,

From your description, I suspect you want the SES library at https://github.com/Agoric/SES rather than Caja.

Caja contains the original-SES, which still works fine, but mostly supports only the features from EcmaScript 5 with a few select elements of EcmaScript 6.

SES is built on modern JavaScript and supports modern JavaScript --- including all of the EcmaScript 2018 standard. It is also much faster than the original-SES in Caja. SES is a joint effort of Agoric and Salesforce. Unlike Caja, SES runs everywhere modern JavaScript runs, including both browser and Node. See

OTOH, Caja contains Domado, which is a taming of the browser and DOM APIs, so that you can give your untrusted code access to a subtree of you DOM tree. We expect to reproduce this functionality eventually on modern SES but, currently, we are not treating it as urgent. If you need Domado functionality in order to use SES rather than Caja, please let us know.


  Cheers,
  --MarkM

Mark Miller

unread,
Jan 7, 2019, 2:59:09 PM1/7/19
to Google Caja Discuss, SES Strategy, fr...@googlegroups.com, cap-...@googlegroups.com, Discussion of E and other capability languages
We have set up a Discourse site at https://ocapjs.org/ for discussing object-capabilities (ocaps) for JavaScript. I suggest that further discussion on this topic should move there.


--
  Cheers,
  --MarkM

Yehonathan Sharvit

unread,
Jan 7, 2019, 4:53:35 PM1/7/19
to google-ca...@googlegroups.com, SES Strategy, fr...@googlegroups.com, cap-...@googlegroups.com, Discussion of E and other capability languages
My use case is Klipse, a javascript plugin that allows interactive code snippets to be embedded on a web page.
I'd like to all blog platforms liks medium or dev.to to integrate with Klipse.
My concern is that a malicious blog writer will write a malicious code snippet and use Klipse to evaluate the code snippet on the browser of blog readers.

I am looking of a way to sanitize the evaluation function that Klipse uses to evaluate the code snippets.

Could I use SES for the purpose of Klipse?

Please let me know if you need further clarifications.

Mark Miller

unread,
Jan 7, 2019, 5:16:07 PM1/7/19
to Google Caja Discuss
Yes, SES is exactly the right tool for that purpose. As you have questions or feedback, please file issues at https://github.com/Agoric/SES or post to https://ocapjs.org

Good luck with this project, and thanks!

Yehonathan Sharvit

unread,
Jan 8, 2019, 1:54:20 PM1/8/19
to Google Caja Discuss
Can you provide a standalone js file of SES and what should be the function to call in order to achieve a sanitized eval?
Hi Yehonathan,
> To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsub...@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.



--
Mike Stay - meta...@gmail.com
http://math.ucr.edu/~mike
https://reperiendi.wordpress.com

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


--
  Cheers,
  --MarkM


--
  Cheers,
  --MarkM

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-discuss+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


--
  Cheers,
  --MarkM

Mark Miller

unread,
Jan 8, 2019, 2:35:35 PM1/8/19
to Google Caja Discuss, Yehonathan Sharvit, Brian Warner
Hi Yehonathan,

Brian Warner just posted a response at 

Please let's continue the discussion there. Thanks!



Hi Yehonathan,
> To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.



--
Mike Stay - meta...@gmail.com
http://math.ucr.edu/~mike
https://reperiendi.wordpress.com

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


--
  Cheers,
  --MarkM


--
  Cheers,
  --MarkM

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


--
  Cheers,
  --MarkM

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


--
  Cheers,
  --MarkM

Yehonathan Sharvit

unread,
Jan 10, 2019, 3:12:39 AM1/10/19
to Mark Miller, Google Caja Discuss, Brian Warner
Sounds good!

Yehonathan Sharvit

unread,
Jan 11, 2019, 12:42:56 AM1/11/19
to Mark Miller, Google Caja Discuss, Brian Warner
The forum seems to be less responsive than the google group.
I am posting my question again here:

Still under development: do not use for production systems yet, there are known security holes that need to be closed.

Are the current security holes in SES relevant to the Klipse use case?

Mike Stay

unread,
Jan 11, 2019, 10:12:16 AM1/11/19
to Google Caja Discuss, Mark Miller, Brian Warner
Also, is caja-discuss-undisclosed still the place to learn about the
security holes, or is there a new mailing list for those?

Kevin Reid

unread,
Jan 11, 2019, 12:17:23 PM1/11/19
to Google Caja Discuss, Mark Miller, Brian Warner
On Fri, Jan 11, 2019 at 7:12 AM Mike Stay <meta...@gmail.com> wrote:
Also, is caja-discuss-undisclosed still the place to learn about the
security holes, or is there a new mailing list for those?

If you want to follow vulnerability information then google-caja-discuss contains all the public announcements.

I haven't recently been sending information on not-yet-patched vulnerabilities to caja-discuss-undisclosed. Due to lack of any 'outside' participation in development, it hasn't seemed particularly useful to make the information available.

Yehonathan Sharvit

unread,
Jan 13, 2019, 8:21:10 AM1/13/19
to Google Caja Discuss, Mark Miller, Brian Warner
Can you please send a link to the public announcements about the security holes in Caja?

--

Yehonathan Sharvit

unread,
Jan 13, 2019, 8:22:12 AM1/13/19
to Google Caja Discuss, Mark Miller, Brian Warner
Or maybe send in private to me vie...@gmail.com
I really need to understand if it makes sense to integrate SES with Klipse.

Kevin Reid

unread,
Jan 13, 2019, 1:35:15 PM1/13/19
to Google Caja Discuss
On Sun, Jan 13, 2019 at 5:21 AM Yehonathan Sharvit <vie...@gmail.com> wrote:
Can you please send a link to the public announcements about the security holes in Caja?

The announcements are cataloged at https://github.com/google/caja/wiki/SecurityAdvisories.

Mark Miller

unread,
Jan 13, 2019, 2:45:22 PM1/13/19
to Google Caja Discuss
Hi Yehonathan,

I have gone through the public issues at https://github.com/Agoric/SES/issues , filed an additional one, and classified all of them. I labeled three as "security bugs". One closed and two still open. The open ones are certainly fatal for SES's security goals. You should look at them though to determine whether they are fatal for Klipse.





--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
  Cheers,
  --MarkM
Reply all
Reply to author
Forward
0 new messages