Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Find a way to prevent malicious code execution #6

Open
zyrolasting opened this issue Sep 11, 2019 · 0 comments
Open

Find a way to prevent malicious code execution #6

zyrolasting opened this issue Sep 11, 2019 · 0 comments

Comments

@zyrolasting
Copy link
Contributor

zyrolasting commented Sep 11, 2019
edited
Loading

I know this is a prototype but it looks like the current state allows the client to execute arbitrary code. A <textarea>'s content is sent right to (dynamic-require) under the assumption the code is scribble code.

If I were writing this I would either:

  1. Force use of a harmless, strict subset of scribble and replace the #lang line on each submission to use this subset. Forbid use of Racket from within Scribble, or at least forbid access to ports, threads, file-system checks, etc.
  2. Allow the full power of Racket (since scribble already does), but never execute what users submit right off. The code would be funneled into a sandbox VM (Vagrant?) off any sensitive network and be subject to human editorial review.
@zyrolasting zyrolasting changed the title Find a way to prevent malicious code Find a way to prevent malicious code execution Sep 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@zyrolasting