[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-librejs] Non triviality criterion
|
From: |
Cathal Garvey |
|
Subject: |
Re: [Bug-librejs] Non triviality criterion |
|
Date: |
Sun, 01 Oct 2017 21:12:52 +0100 |
|
User-agent: |
K-9 Mail for Android |
How does LibreJS deal with heavily obfuscated JavaScript, where identifiers
like "eval" and "window" can be accessed and indexed using only characters like
[]{}+ etc.?
Probably a regex rule that simply finds runs of these characters would catch
most, but the root problem of malicious obfuscation is probably only solvable
with access to the compiled bytecode, or by being able to hook attribute access.
Perhaps it's possible, before pageload, to shadow these attributes and
intercept them if untrusted code accesses them? Maybe librejs already does
this.. Or maybe you can't shadow `window` and `eval`..
On 1 October 2017 17:03:13 GMT+01:00, Nathan Nichols <address@hidden> wrote:
>>We consider modification of the document non-trivial. There shouldn't
>be
>>much that javascript could do that we would consider trivial, for
>>anything else a free software license would be required.
>
>I see.
>
>Can you give me a general idea about the preferred way for me to go
>about
>implementing these rules?
>
>>Using regexps to check for the existence of non-trivial actions (such
>as
>>using ajax or calling eval) can filter many scripts quickly, so it is
>a
>>good way to speed the test up. But it is not sufficient.
>
>If you believe that this system I came up with can be used as a first
>pass
>to filter out scripts quickly, can you help me understand what would be
>needed in addition to what is already guaranteed by this first pass?
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.