
We have an app that sits behind a firewall and behind a CAS authentication layer. It has a feature that allows users with a special role to customize the way the app works by writing JavaScript functions that get inserted into the application at runtime, and which can be fired by events such as button clicks and page load and the like. (The JS is not "eval"'d - it is written into the page server-side.)

Needless to say, this feature raises security concerns!

Are there recommendations beyond what's being done already to secure this, that is, beyond a) firewall, b) robust authentication and c) authorization?

EDIT: In response to questions in comments:

  1. Does the injected code become part of the application, or is it executed as an independent application (separated context)? Yes, it becomes a part of the application. It currently gets inserted, server-side, into a script tag.

  2. Does inserted JavaScript run on clients' browsers other than the original writer's? Yes. It gets persisted, and then gets inserted into all future requests.

(The application can be thought of as an "engine" for building custom applications against a generic backend data store which is accessed by RESTful calls. Each custom application can have its own set of these custom JavaScripts.)

  • Does the injected code become part of the application, or is it executed as an independent application (separated context)? Commented Aug 3, 2016 at 15:15
  • Does inserted JavaScript run on clients' browsers other than the original writer's? Commented Aug 3, 2016 at 15:16

1 Answer


You really shouldn't just accept arbitrary JavaScript. Ideally, what should happen is that you tokenize whatever JavaScript is sent and ensure that every token is valid JavaScript, first and foremost (this should apply in all below scenarios).

After that, you should verify that whatever JavaScript is sent does not access sensitive information.

That last part may be extremely difficult or even impossible to verify in obfuscated code, and you may need to consider that no matter how much verification you do, this is an inherently unsafe practice. As long as you understand that, below are some suggestions for making this process a little safer than it normally is:

  • As @FDavidov has mentioned, you could also restrict the JavaScript from running as part of the application and sandbox it in a separate context much like Stack Snippets do.

  • Another option is to restrict the JavaScript to a predefined whitelist of functions (some of which you may have implemented) and globals. Do not allow it to interact directly with DOM or globals except of course primitives, control flow, and user-defined function definitions. This method does have some success depending on how robustly enforced the whitelist is. Here is an example that uses this method in combination with the method below.

  • Alternatively, if this is possible with what you had in mind, do not allow the code to run on anyone's machine other than the original author's. This would basically be moving Userscript-like functionality into the application proper (which I honestly don't see the point of), but it would definitely be safer than allowing it to run on any client's browser.


2 Comments

Thank you Patrick. I am inheriting the app. We've talked about some of these approaches, though a lot of scripts have been written already and they do all the things you point out should be avoided! Your response is going to be very helpful in charting a future course, however, so thank you!
@blogofsongs no problem. It seems based on your edit that the second bullet point will be most helpful for your particular case. Make sure that your whitelist doesn't include things like Object and String, as allowing custom JavaScript to modify the behavior of those constructors will most likely render your whitelist unenforceable. You might also mention to your team that modifying globals to be unconfigurable before loading the custom JavaScript might come at a cost of performance, and may not be very foolproof either.
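The whitelist approach from the second bullet and the follow-up comment about Object and String, as an added example that is not part of the answer or of the asker's application: a small tokeniser-based validator (hypothetical `checkScript`, with made-up app API names `showMessage` and `getRecord`) that refuses any identifier or property not on the allowlist, including `this`, the `Object` constructor, computed member access and template literals. The page's own caveat applies: this is a filter in front of a separate-context sandbox, and it is only as strong as its allowlist and its tokeniser.

```javascript
// Allowlist gate for user-supplied JavaScript (constructed example, not the
// asker's application code). It tokenises the script and accepts only
// identifiers and property names that are keywords, locally declared, or on an
// explicit allowlist; computed member access and template literals are refused
// because both can reach "constructor" or "__proto__" through a string. It is
// a filter in front of a separate-context sandbox, not a replacement for one.
const KEYWORDS = new Set(['var', 'let', 'const', 'function', 'return', 'if',
  'else', 'for', 'while', 'break', 'continue', 'true', 'false', 'null',
  'typeof', 'new']);                             // 'this' is deliberately absent
const ALLOWED_GLOBALS = new Set(['Math', 'JSON', 'showMessage', 'getRecord']); // hypothetical app API
const ALLOWED_PROPS = new Set(['length', 'push', 'map', 'filter', 'abs',
  'round', 'floor', 'stringify', 'parse', 'name', 'value']);

// One alternative per token kind: comments, strings, backtick, numbers,
// identifiers, whitespace, and any single punctuator.
const TOKEN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`|\d+(?:\.\d+)?|[A-Za-z_$][\w$]*|\s+|./g;
const isIdent = t => /^[A-Za-z_$]/.test(t);

function checkScript(src) {
  const toks = (src.match(TOKEN) || [])
    .filter(t => !/^\s/.test(t) && !t.startsWith('//') && !t.startsWith('/*'));
  const local = new Set();                        // names the script declares itself
  const errors = [];
  for (let i = 0; i < toks.length; i++) {
    const t = toks[i], prev = toks[i - 1];
    if (t === '`') { errors.push('template literal not allowed'); continue; }
    // x[...] is only allowed with a numeric literal index; array literals (after '=', '(', ',' or a keyword) pass
    if (t === '[' && prev !== undefined && !KEYWORDS.has(prev) && /^[\w$)\]'"]/.test(prev)
        && !(/^\d/.test(toks[i + 1] || '') && toks[i + 2] === ']')) {
      errors.push('computed member access not allowed'); continue;
    }
    if (t === 'function') {                       // function name and parameters become local
      let j = i + 1;                              // (arrow-function parameters are not recognised)
      if (j < toks.length && isIdent(toks[j])) local.add(toks[j++]);
      while (j < toks.length && toks[j] !== ')') { if (isIdent(toks[j])) local.add(toks[j]); j++; }
      continue;
    }
    if (!isIdent(t)) continue;
    if (prev === '.') {
      if (!ALLOWED_PROPS.has(t)) errors.push(`property "${t}" not allowed`);
    } else if (['var', 'let', 'const'].includes(prev)) {
      local.add(t);
    } else if (!KEYWORDS.has(t) && !local.has(t) && !ALLOWED_GLOBALS.has(t)) {
      errors.push(`identifier "${t}" not allowed`);
    }
  }
  return { ok: errors.length === 0, errors };
}
```

A script that only uses the app's own API and its own locals passes, while anything that names `document`, `this`, `Object` or indexes an object with a string is reported with every offending token listed.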
