
[Feature] Consider switching to whitelist of available globals in js snippets #2122

Closed
ofpiyush opened this issue Dec 10, 2020 · 3 comments
Enhancement New feature or request Frontend This label marks the issue or pull request to reference client code

Comments

@ofpiyush
Contributor

Summary

Switch to a whitelist of things a dev is allowed to write within their snippets.

Motivation

Right now we blacklist things we do not want people to have access to during eval.

From a security perspective, it's a race against stable and experimental browser features that are available and are made available within the web worker.

Additional Context

Check the entire list of features available today:

caches
cancelAnimationFrame
close
crossOriginIsolated
crypto
fonts
indexedDB
location
name
navigator
onerror
onlanguagechange
onmessage
onmessageerror
onrejectionhandled
onunhandledrejection
origin
performance
postMessage
requestAnimationFrame
self
trustedTypes
webkitRequestFileSystem
webkitRequestFileSystemSync
webkitResolveLocalFileSystemSyncURL
webkitResolveLocalFileSystemURL
_
Infinity
AbortController
AbortSignal
AggregateError
Array
ArrayBuffer
Atomics
BackgroundFetchManager
BackgroundFetchRecord
BackgroundFetchRegistration
BarcodeDetector
BigInt
BigInt64Array
BigUint64Array
Blob
Boolean
BroadcastChannel
ByteLengthQueuingStrategy
CSSSkewX
CSSSkewY
Cache
CacheStorage
CanvasGradient
CanvasPattern
CloseEvent
CompressionStream
CountQueuingStrategy
Crypto
CryptoKey
CustomEvent
DOMException
DOMMatrix
DOMMatrixReadOnly
DOMPoint
DOMPointReadOnly
DOMQuad
DOMRect
DOMRectReadOnly
DOMStringList
DataView
Date
DecompressionStream
DedicatedWorkerGlobalScope
Error
ErrorEvent
EvalError
Event
EventSource
EventTarget
File
FileList
FileReader
FileReaderSync
FileSystemDirectoryHandle
FileSystemFileHandle
FileSystemHandle
FileSystemWritableFileStream
FinalizationRegistry
Float32Array
Float64Array
FontFace
FormData
Function
Headers
IDBCursor
IDBCursorWithValue
IDBDatabase
IDBFactory
IDBIndex
IDBKeyRange
IDBObjectStore
IDBOpenDBRequest
IDBRequest
IDBTransaction
IDBVersionChangeEvent
ImageBitmap
ImageBitmapRenderingContext
ImageData
Int8Array
Int16Array
Int32Array
Intl
JSON
Lock
LockManager
Map
Math
MediaCapabilities
MessageChannel
MessageEvent
MessagePort
NaN
NavigationPreloadManager
NetworkInformation
Notification
Number
Object
OffscreenCanvas
OffscreenCanvasRenderingContext2D
Path2D
PaymentInstruments
Performance
PerformanceEntry
PerformanceMark
PerformanceMeasure
PerformanceObserver
PerformanceObserverEntryList
PerformanceResourceTiming
PerformanceServerTiming
PeriodicSyncManager
PermissionStatus
Permissions
ProgressEvent
Promise
PromiseRejectionEvent
Proxy
PushManager
PushSubscription
PushSubscriptionOptions
RangeError
ReadableStream
ReadableStreamDefaultReader
ReferenceError
Reflect
RegExp
ReportingObserver
Request
Response
SecurityPolicyViolationEvent
ServiceWorkerRegistration
Set
SharedArrayBuffer
StorageManager
String
SubtleCrypto
Symbol
SyncManager
SyntaxError
TextDecoder
TextDecoderStream
TextEncoder
TextEncoderStream
TextMetrics
TransformStream
TrustedTypePolicyFactory
TypeError
URIError
URL
URLSearchParams
USB
USBAlternateInterface
USBConfiguration
USBConnectionEvent
USBDevice
USBEndpoint
USBInTransferResult
USBInterface
USBIsochronousInTransferPacket
USBIsochronousInTransferResult
USBIsochronousOutTransferPacket
USBIsochronousOutTransferResult
USBOutTransferResult
Uint8Array
Uint8ClampedArray
Uint16Array
Uint32Array
UserActivation
WeakMap
WeakRef
WeakSet
WebAssembly
WebGL2RenderingContext
WebGLActiveInfo
WebGLBuffer
WebGLFramebuffer
WebGLProgram
WebGLQuery
WebGLRenderbuffer
WebGLRenderingContext
WebGLSampler
WebGLShader
WebGLShaderPrecisionFormat
WebGLSync
WebGLTexture
WebGLTransformFeedback
WebGLUniformLocation
WebGLVertexArrayObject
WebSocket
Worker
WorkerGlobalScope
WorkerLocation
WorkerNavigator
WritableStream
WritableStreamDefaultWriter
XMLHttpRequest
XMLHttpRequestEventTarget
XMLHttpRequestUpload
console
decodeURI
decodeURIComponent
encodeURI
encodeURIComponent
escape
eval
globalThis
isFinite
isNaN
parseFloat
parseInt
undefined
unescape

@ofpiyush ofpiyush added Enhancement New feature or request Frontend This label marks the issue or pull request to reference client code labels Dec 10, 2020
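The two policies the issue contrasts, as an added example that is not Appsmith's code and not taken from the original issue. Both variants compile a snippet with the `Function` constructor and hide a global by declaring it as a parameter that is never passed, so the name reads as `undefined` inside the snippet. The only difference is how the list of names to hide is built: the blacklist is a hand-written list (`BLACKLIST`, a constructed sample, not Appsmith's real list), the whitelist shadows everything currently on `globalThis` that is not in `ALLOWLIST` (also constructed). `runShadowed`, `evalWithBlacklist`, `evalWithWhitelist`, `unguardedGlobals`, `demo` and the simulated `newExperimentalApi` global are names chosen for this example. It runs under Node, so the globals it enumerates are Node's rather than the worker globals listed above; the mechanism is the same. Parameter shadowing is used to make the policy difference visible, not as a complete isolation boundary.

```javascript
// Added example (not Appsmith's code): blacklist vs whitelist of globals
// for snippet evaluation, built on the same shadowing mechanism.

const isIdentifier = (name) => /^[A-Za-z_$][\w$]*$/.test(name);
// Not valid as parameter names in every mode, so never shadow them this way.
const UNSHADOWABLE = new Set(["eval", "arguments"]);

// Compile `code` as an expression; every name in `shadowNames` becomes a
// parameter that receives no argument, so it is `undefined` in the snippet.
// `exposed` maps names to values the snippet is explicitly allowed to see.
function runShadowed(code, shadowNames, exposed = {}) {
  const exposedNames = Object.keys(exposed);
  const params = [...new Set(shadowNames)]
    .filter(isIdentifier)
    .filter((n) => !UNSHADOWABLE.has(n) && !exposedNames.includes(n));
  const fn = new Function(...exposedNames, ...params, `return (${code});`);
  // A null-prototype `this` so sloppy-mode `this` is not the global object.
  return fn.call(Object.create(null), ...exposedNames.map((k) => exposed[k]));
}

// Policy 1 (what the issue says exists today): a hand-maintained blacklist.
// Constructed sample list; Appsmith's real list is not on the page.
const BLACKLIST = ["fetch", "XMLHttpRequest", "WebSocket", "importScripts", "indexedDB"];
function evalWithBlacklist(code) {
  return runShadowed(code, BLACKLIST);
}

// Policy 2 (what the issue proposes): a whitelist. Everything on globalThis
// that is not explicitly allowed is shadowed, including globals that did not
// exist when the allowlist was written.
const ALLOWLIST = ["Math", "JSON", "Array", "Object", "String", "Number", "Date",
  "undefined", "NaN", "Infinity", "parseInt", "parseFloat"];
function evalWithWhitelist(code) {
  const toShadow = Object.getOwnPropertyNames(globalThis)
    .filter((n) => !ALLOWLIST.includes(n));
  return runShadowed(code, toShadow);
}

// The drift check a blacklist maintainer needs: which globals exist in this
// runtime right now that the blacklist does not mention?
function unguardedGlobals(blacklist = BLACKLIST) {
  return Object.getOwnPropertyNames(globalThis).filter((n) => !blacklist.includes(n));
}

// Simulate the "race" from the issue: a new API appears in the runtime after
// both lists were written. (Constructed name, not a real browser API.)
function demo() {
  globalThis.newExperimentalApi = () => "reachable";
  const result = {
    blacklistSeesNewApi: evalWithBlacklist("typeof newExperimentalApi"),   // "function"
    whitelistSeesNewApi: evalWithWhitelist("typeof newExperimentalApi"),   // "undefined"
    whitelistStillComputes: evalWithWhitelist("Math.max(1, 2) + JSON.parse('[3]')[0]"), // 5
    blacklistHidesFetch: evalWithBlacklist("typeof fetch"),                // "undefined"
    driftCount: unguardedGlobals().length,
  };
  delete globalThis.newExperimentalApi;
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

`driftCount` is the number of globals the constructed blacklist leaves reachable in the current runtime; it is the quantity that grows on its own as browsers ship features, which is the issue's "race" stated as a number a CI check could watch.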
@Nikhil-Nandagopal
Contributor

@ofpiyush against this because from a user's perspective:
User: I'm using a feature that's not working as expected
Appsmith: Sorry we don't support that, please don't use it or use this workaround

User: I want to use this common js function
Appsmith: We'll add this in our next release, please hang tight till then.

As a user I would prefer scenario 1 over 2.

@ofpiyush
Contributor Author

Is there a label that says, "Things to consider before allowing sharing of custom snippets/ widgets?"

@Nikhil-Nandagopal
Contributor

@ofpiyush let's tag this issue in the custom widget issue so we don't miss it?

4 participants