Smart constraint for killer-script detection #2200
Unanswered
munichmule
asked this question in
Q&A
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi guys,
In my scenario - pretty typical, I assume - I use JINT to execute custom user-written javascript in an ASP.NET app (request-scoped). So, it's crucial for me to forbid a user from running a killer script.
Of course, I checked all of the places below and more:
https://github.com/sebastienros/jint/blob/main/Jint/Constraints/MaxStatementsConstraint.cs
#14
#1823
The problem is, simple counting of statements doesn't help much, because it's impossible to end up on a reasonable numeric value. Say, 1 million of
i++is completely safe, while 1 million of interops orJSON.parse(...)isn't. Measuring wall time doesn't help either because interops can call http or database etc, and I don't want to stop execution when it waits for a while - only when it really runs infinitely or eats resources quickly.Unfortunately, dotnet doesn't offer tooling for per-request measurements like this, only per-process, which makes little sense for a multi-threaded web app: killing the whole app when a single request goes wild isn't an option.
I tried to wrap JINT execution with my own custom CPU/memory measurement - but not only it's a royal pain to make such a measurement work reliably across different platforms, it easily breaks when the script calls an interop dotnet method which goes through a dozen awaits internally, and then calls jint again from one of them - now on a completely new thread where it continues. Not totally impossible, but highly fragile.
Did anyone attempt to implement such a smart constraint to detect a killer-script? Share your ideas/solutions, please. Thanks!
Beta Was this translation helpful? Give feedback.
All reactions