[Security] There are still various ways to escape the eval limits

[Alan-Liang]

For example:

• Overriding onExit
• Escaping iframe

[pppery]

Overriding onExit
Should be fixed by #464 (which I wrote before seeing this issue, on general security grounds.)

[pppery]

FYI I personally think the bug you are exploiting in the "Overriding onExit" example is that you are allowed to close the startLevel function and run top level code at all, and not that you can then do nefarious things outside that function, but it's very unclear how much creativity of that sort should be allowed (this is a game focused on hacking the world after all) and how much should be forbidden.

[Alan-Liang]

Overriding onExit
Should be fixed by #464 (which I wrote before seeing this issue, on general security grounds.)

Not really... it still works: https://gist.github.com/Untrusted-Game/455bb325f49ddeb5c7dccda77f2709fd

[pppery]

#464 hasn't been merged yet. I'm unable to reproduce the "Overriding onExit" trick if I apply that patch locally and test your code (note that it silently fails: the game doesn't produce a validation error of any sort, but the onExit override doesn't do anything and you still need to have the computer to exit the level.)

[Alan-Liang]

I regret for not noticing that. 于 2020年7月17日 GMT+08:00 下午11:45:18, pppery <notifications@github.com> 写到:

…

#464 hasn't been merged yet. I'm unable to reproduce the "Overriding onExit" trick if I apply that patch locally and test your code (note that it silently fails: the game doesn't produce a validation error of any sort, but the `onExit` override doesn't do anything and you still need to have the computer to exit the level.) -- You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub: #465 (comment)