Security considerations #41
Hi guys,
I am the developer of a PDF manipulation framework (Origami) and I'm currently trying to integrate Johnson into it.
My project is oriented on malicious PDF documents analysis for exploit analysts/writers. As many PDF exploits make use of embedded JavaScript code, being able to run the code in a clean and safe SpiderMonkey engine would be very nice.
I have started reimplementing the Adobe JavaScript API with Johnson, binding the calls to my PDF engine internals and it seems to work very nicely. However, I am running into one problem: the JavaScript code to be run is supposed to be totally untrusted, and as such it should not be possible to escape from the SpiderMonkey engine.
It is currently very easy to escape from JavaScript for two reasons:
- The Ruby Object namespace is directly included in the global scope.
- It is possible to make calls on internal Ruby methods from JavaScript.
For instance from JS:
js> Ruby.File.read("/etc/passwd")
If util is a defined Ruby Object accessible in JS scope:
js> util.send("system","/bin/sh")
Could it be possible that you introduce some sort of flag to prevent the Ruby Object namespace from being included in global?
Maybe also introduce some checks so that only user-defined methods are accessible from JS?
I am not very familiar with your code base, but I was thinking about including those security checks into JSLandProxy::send_with_possible_block and modifying Runtime#initialize.
Would that be OK for you?
Thanks,
Guillaume Delugré
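The second escape above (calling `send`, `system` and other inherited Ruby methods on an object exposed to scripts) is the kind of thing a dispatch guard in the proxy layer can stop. The following is an added example, not Johnson's or Origami's code: a self-contained allowlist that only lets scripts reach public methods defined on the exposed object's own (user-defined) class, never methods inherited from Object, Kernel or BasicObject, plus a hard denylist for reflection methods. `PdfUtil` is a constructed stand-in for the `util` object mentioned in the issue; wiring the guard into `JSLandProxy::send_with_possible_block` is left as the integration point the issue proposes.

```ruby
# Added example: a guard for method calls that cross from untrusted script
# code into Ruby. Not part of Johnson; the integration point is assumed.

class DispatchDenied < StandardError; end

module SafeDispatch
  # Reflection and evaluation entry points that stay unreachable from scripts
  # even if an exposed class happens to (re)define them.
  DENIED = %i[send __send__ public_send instance_eval instance_exec
              class_eval module_eval eval method methods define_method
              instance_variable_get instance_variable_set const_get].freeze

  # Core classes whose methods are never exposed, however they were reached.
  CORE_OWNERS = [Object, Kernel, BasicObject].freeze

  # True only if `name` is a public method owned by a user-defined class or
  # module in obj's ancestry, i.e. something the developer deliberately wrote.
  def self.allowed?(obj, name)
    name = name.to_sym
    return false if DENIED.include?(name)
    return false unless obj.respond_to?(name)   # public methods only
    !CORE_OWNERS.include?(obj.method(name).owner)
  end

  # Dispatches a script-originated call, or raises if the target is not exposed.
  def self.call(obj, name, *args)
    raise DispatchDenied, "#{name} is not exposed to scripts" unless allowed?(obj, name)
    obj.public_send(name, *args)
  end
end

# Constructed sample object standing in for the `util` object from the issue.
class PdfUtil
  def initialize(pages)
    @pages = pages
  end

  def page_count
    @pages.size
  end

  def page_text(index)
    @pages.fetch(index)
  end
end

if __FILE__ == $0
  util = PdfUtil.new(["first page", "second page"])
  puts SafeDispatch.call(util, :page_count)        # user-defined: allowed
  begin
    SafeDispatch.call(util, :send, :system, "id")  # Kernel#send: denied
  rescue DispatchDenied => e
    puts "denied: #{e.message}"
  end
end
```

Note that this only closes the method-call escape; the global-scope exposure of the Ruby namespace has to be addressed at runtime setup, as the issue suggests.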