Eval() and Security – how to disable and change the behaviour of standard Ring functions

Hello

Sometimes, when you use eval(), you need to run the code in a secure environment where you can disable some functions, add new functions, and change the behaviour of others.

The next example shows how to do that: we disable the system() function while executing code entered by the user.

oApp = new App
While true
    See nl+"Code:> " give cCode
    oApp {
        Try
            eval(cCode)
        Catch
            See cCatchError
        Done
    }
End
# Here we can use the system() function again
System("cls")
Class App
    Func System cCmd
        See "Sorry, You Can't use the system() function!"+nl

The user can get past this security wall with the following code:

test("test")
func test x
    system("cls")

The first idea for preventing system() from being executed from a function defined by the user is to define system() as a global function before the user's code is executed with eval():

While true
    See nl+"Code:> " Give cCode
    Try
        eval(cCode)
    Catch
        See cCatchError
    Done
End
Func System cCmd
    See "Sorry, You Can't use the system() function!"+nl

Another solution is to filter the user's input.
Never try this: you can't imagine how many ways the user has to get past your filter with well-crafted code.
(1) Ring is not case sensitive.
(2) The language is not space sensitive; the user can type System ("cls").
(3) Eval() can be executed from inside eval(), and the user can concatenate strings to build the function name: Eval( "SYS" + "TEM" + "('cls')" )
(4) Characters can be generated from their ASCII codes with the char() function.
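The four points above are the reason a text-level filter loses: the filter matches a spelling, and the attacker controls the spelling. As an added example, not code from the post and written in Python rather than Ring because Python's eval() has the same failure mode, the block below puts a substring blacklist next to a parse-then-allowlist check. The constructed sample inputs mirror points (2) to (4) of the post (Python is case sensitive, so point (1) has no analogue). The names naive_filter, allowlist_check, restricted_eval, compare and SAMPLES are my own and are not part of Ring or of the post.

```python
import ast
import builtins

# Constructed sample inputs (mine, not from the post). Each is a way of
# spelling the same call that a text-level blacklist is meant to stop:
# extra whitespace before the parenthesis, the name assembled by string
# concatenation inside a nested eval(), and the name assembled from
# character codes. They mirror points (2) to (4) of the post.
SAMPLES = {
    "plain": "system('cls')",
    "spaced": "system ('cls')",
    "nested": "eval('sys' + 'tem' + \"('cls')\")",
    "charcodes": "eval(chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+\"('cls')\")",
}

# Calls a user expression may make; every other call is rejected.
ALLOWED_CALLS = frozenset({"len", "min", "max", "abs"})


def naive_filter(code: str) -> bool:
    """Text-level blacklist. Returns True when the code is let through.

    It only recognises the literal spelling 'system(' (case-folded), which
    is exactly the weakness the post describes: any other spelling of the
    same call slips past it.
    """
    return "system(" not in code.lower()


def allowlist_check(code: str) -> bool:
    """Structural check. Parse the text and accept it only if every call
    targets a plain name in ALLOWED_CALLS and nothing reaches for
    attributes, lambdas or dunder names.

    No string matching is involved, so spacing, concatenation and chr()
    tricks make no difference: a nested eval() or a chr() is just another
    call that is not on the allowlist.
    """
    try:
        tree = ast.parse(code, mode="eval")  # expressions only, no statements
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            if not (isinstance(node.func, ast.Name) and node.func.id in ALLOWED_CALLS):
                return False
        elif isinstance(node, (ast.Attribute, ast.Lambda)):
            return False
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            return False
    return True


def restricted_eval(code: str):
    """Evaluate user code only after the allowlist check passes, and with an
    environment that contains nothing but the allowed functions (no
    builtins at all), so the two layers back each other up."""
    if not allowlist_check(code):
        raise ValueError("rejected: only %s may be called" % sorted(ALLOWED_CALLS))
    env = {"__builtins__": {}}
    for name in ALLOWED_CALLS:
        env[name] = getattr(builtins, name)
    return eval(code, env, {})


def compare(samples=SAMPLES) -> dict:
    """For each sample: (let through by the blacklist?, accepted by the allowlist?)."""
    return {key: (naive_filter(src), allowlist_check(src)) for key, src in samples.items()}


if __name__ == "__main__":
    for name, (blacklist_lets_through, allowlist_accepts) in compare().items():
        print(f"{name:10} blacklist lets through: {blacklist_lets_through!s:5} "
              f"allowlist accepts: {allowlist_accepts}")
    print(restricted_eval("max(1, 2) + len('ab')"))
```

Running the block shows the blacklist letting three of the four spellings through while the allowlist rejects all four and still evaluates an ordinary expression. The design point matches the post's advice: decide what is permitted at the level of the program's structure (or, better, simply do not expose the capability at all, as the class-scoped System() override does), never at the level of the text the user typed.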
