├── README.md
├── badCode.js
├── examples
    ├── bad-eval
    │   ├── index.js
    │   └── package.json
    ├── dynamic-import-in-eval
    │   ├── README.md
    │   ├── index.js
    │   └── package.json
    └── wasm-import-js
    │   ├── README.md
    │   ├── add.js
    │   ├── add.wasm
    │   ├── add.wat
    │   ├── index.js
    │   └── package.json
└── shared
    ├── https-loader.js
    └── package.json


/README.md:
--------------------------------------------------------------------------------
1 | # bad-javascript
2 | Let's get some bad javascript examples.
3 | 


--------------------------------------------------------------------------------
/badCode.js:
--------------------------------------------------------------------------------
 1 | // bad - who cares about errors
 2 | exports.getUsers = (req, res) => {
 3 |   User.find({})
 4 |     .exec((err, data) => {
 5 |       res.send(data);
 6 |     });
 7 | };
 8 | module.exports = exports;
 9 | 
10 | // good - we care about errors
11 | exports.getUsers = (req, res) => {
12 |   User.find({})
13 |     .exec((err, data) => {
14 |       if (err) {
15 |         res.status(400).send(err);
16 |       } else {
17 |         res.send(data);
18 |       }
19 |     });
20 | };
21 | module.exports = exports;
22 | 
23 | // classic
24 | return isDisabled == false ? false : true;
25 | 
26 | // why trust typeof
27 | function clean(toClean, source) {
28 |   if (typeof (toClean) !== 'string') return true;
29 |   if (typeof (source) !== 'string') return true;
30 | 
31 |   return source.replace(toClean, String('CLEANED')).toString();
32 | }


--------------------------------------------------------------------------------
/examples/bad-eval/index.js:
--------------------------------------------------------------------------------
 1 | 
 2 | // Bless is an identity function purely to annotate string literals
 3 | // but without Polyscripting it allows the code to just keep working.
 4 | const bless = function(str) {
 5 |     return str;
 6 | }
 7 | 
 8 | const hidden_value = "The CEO's banking password is 'P@55w0rd'";
 9 | 
10 | try {
11 |     // safe string
12 |     eval(bless(`
13 |         console.log("I do only good things and you can read it.");
14 |     `));
15 | } catch (e) {
16 |     console.log("Safe string errored and not expected: ", e);
17 | }
18 | 
19 | 
20 | try {
21 |     // openly eval - can be validated and should work fine
22 |     const unsafeString = bless(`
23 |         console.log("I do only bad things, and you can read it clearly");
24 |     `);
25 | 
26 |     eval(unsafeString);
27 | } catch (e) {
28 |     console.log("Open import shouldn't fail, but it did: ", e);
29 | }
30 | 
31 | 
32 | try {
33 |     // mischievous unsafe string but imagine it was hidden much better.
34 |     const message = `"); console.log("I just did a VERY bad thing without the caller knowing. I accessed their hidden value: " + hidden_value); console.log("`;
35 | 
36 |     // Bless will not work when not applied over a single string literal (because otherwise it can bless things you don't see)
37 |     const unsafeString = bless(`console.log("` + message +  `");`);
38 | 
39 |     eval(unsafeString);
40 |     console.log("Injection should fail, when Polyscripted. It worked this time. Not expected. Are you Polyscripted?");
41 | } catch (e) {
42 | }
43 | 
44 | 
45 | // Now obvious question - how can you scramble a partial javascript string that cannot be completely resolved? 
46 | // That’s why symbol scrambling is the game-changer. The symbols .(){};  are unambiguous. 
47 | // They cannot be reassigned, or taken out of context. Scrambling them breaks even a single-shot function call.
48 | // This is the difference between "mangling" or "obfuscation", and Polyscripting (changing the language itself.)
49 | // The langauage has many context-free invariants which can be easily scrambled, tripping the attacker.
50 | try {
51 |     const message = `"); console.log("I just did a VERY bad thing without the caller knowing. I accessed their hidden value: " + hidden_value); console.log("`;
52 | 
53 |     // In this case, the blessed parts will be polyscripted, but the message won't be - and injection will fail (only if polyscripting is applied)
54 |     const unsafeString = bless(`console.log("`) + message +  bless(`");`);
55 | 
56 |     eval(unsafeString);
57 |     console.log("Injection should fail, when Polyscripted. It worked this time. Not expected. Are you Polyscripted?");
58 | } catch (e) {
59 | }


--------------------------------------------------------------------------------
/examples/bad-eval/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "bad-eval",
 3 |   "version": "1.0.0",
 4 |   "description": "",
 5 |   "main": "index.js",
 6 |   "scripts": {
 7 |     "test": "echo \"Error: no test specified\" && exit 1"
 8 |   },
 9 |   "author": "",
10 |   "license": "ISC",
11 |   "dependencies": {
12 |     "bless-javascript": "^1.0.0"
13 |   }
14 | }
15 | 


--------------------------------------------------------------------------------
/examples/dynamic-import-in-eval/README.md:
--------------------------------------------------------------------------------
1 | # dynamic-import-in-eval
2 | 
3 | This example requires at least Node v12.10.0.
4 | 
5 | * Run `npm i` or `yarn`
6 | * Run `npm test` or `yarn test`
7 | 


--------------------------------------------------------------------------------
/examples/dynamic-import-in-eval/index.js:
--------------------------------------------------------------------------------
1 | eval(`(async () => {
2 |   const { default:_ } = await import <!--
3 |   (
4 |     //
5 |     'https://unpkg.com/lodash-es@4.17.15/lodash.js'
6 |     /**/
7 |   )
8 |   console.log(_.VERSION)
9 | })()`)


--------------------------------------------------------------------------------
/examples/dynamic-import-in-eval/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "dynamic-import-in-eval",
3 |   "type": "module",
4 |   "private": true,
5 |   "scripts": {
6 |     "test": "node --experimental-modules --es-module-specifier-resolution=node --experimental-loader ../../shared/https-loader.js ./"
7 |   }
8 | }
9 | 


--------------------------------------------------------------------------------
/examples/wasm-import-js/README.md:
--------------------------------------------------------------------------------
1 | # wasm-import-js
2 | 
3 | This example requires at least Node v12.10.0.
4 | 
5 | * Run `npm i` or `yarn`
6 | * Run `npm test` or `yarn test`
7 | 


--------------------------------------------------------------------------------
/examples/wasm-import-js/add.js:
--------------------------------------------------------------------------------
1 | export const add = (a, b) => a + b
2 | 


--------------------------------------------------------------------------------
/examples/wasm-import-js/add.wasm:
--------------------------------------------------------------------------------
1 |  asm   ``./add.jsadd   add default 
2 |         A
3 | j 7name add_i32addadd_10     p0p1 p0


--------------------------------------------------------------------------------
/examples/wasm-import-js/add.wat:
--------------------------------------------------------------------------------
 1 | ;; source of add.wasm
 2 | 
 3 | (module
 4 |   (import "./add.js" "add" (func $add_i32 (param i32 i32) (result i32)))
 5 | 
 6 |   (func $add (param $p0 i32) (param $p1 i32) (result i32)
 7 |     get_local $p0
 8 |     get_local $p1
 9 |     call $add_i32)
10 | 
11 |   (func $add_10 (param $p0 i32) (result i32)
12 |     get_local $p0
13 |     i32.const 10
14 |     i32.add)
15 | 
16 |   (export "add" (func $add))
17 |   (export "default" (func $add_10)))
18 | 


--------------------------------------------------------------------------------
/examples/wasm-import-js/index.js:
--------------------------------------------------------------------------------
1 | import { add, default as add10 } from 'https://rawcdn.githack.com/standard-things/esm/511d672ae13e8bee13ba19bd7fdc2a3206c9d7d7/test/fixture/wasm/add.wasm'
2 | import { log } from 'console'
3 | 
4 | log(`${add(1,2)} and ${add10(2)}`)


--------------------------------------------------------------------------------
/examples/wasm-import-js/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "wasm-import-js",
3 |   "type": "module",
4 |   "private": true,
5 |   "scripts": {
6 |     "test": "node --experimental-modules --experimental-wasm-modules --es-module-specifier-resolution=node --experimental-loader ../../shared/https-loader.js ./"
7 |   }
8 | }
9 | 


--------------------------------------------------------------------------------
/shared/https-loader.js:
--------------------------------------------------------------------------------
 1 | import { builtinModules } from 'module'
 2 | import { extname } from 'path'
 3 | import https from 'https'
 4 | 
 5 | const JS_MEDIA_TYPE = 'text/javascript'
 6 | const dataToFileURLMap = new Map
 7 | const extToMediaTypeMap = new Map([
 8 |   ['.js', JS_MEDIA_TYPE],
 9 |   ['.json', 'application/json'],
10 |   ['.mjs', JS_MEDIA_TYPE],
11 |   ['.wasm', 'application/wasm']
12 | ])
13 | 
14 | const get = (options) => {
15 |   return new Promise((resolve, reject) => {
16 |     https
17 |       .get(options, (response) => {
18 |         const { statusCode } = response
19 | 
20 |         if (statusCode === 200) {
21 |           const data = []
22 | 
23 |           response
24 |             .on('data', (chunk) => { 
25 |               data.push(chunk) 
26 |             })
27 |             .on('end', () => {
28 |               const buffer = Buffer.concat(data)
29 |               const { pathname } = typeof options === 'string'
30 |                 ? new URL(options)
31 |                 : options
32 | 
33 |               if (typeof pathname === 'string' &&
34 |                   extname(pathname) === '.wasm') {
35 |                 resolve(buffer)
36 |               } else {
37 |                 resolve(buffer.toString('utf8'))
38 |               }
39 |             })
40 |         } else {
41 |           reject(new Error(`Request failed. Status code: ${statusCode}`))
42 |         }
43 |       })
44 |       .on('error', reject)
45 |   })
46 | }
47 | 
48 | export async function resolve(specifier, parentModuleURL, defaultResolver) {
49 |   if (! builtinModules.includes(specifier)) {
50 |     parentModuleURL = dataToFileURLMap.get(parentModuleURL) || parentModuleURL
51 |     let rawSpecifier = specifier
52 |     
53 |     try {
54 |       const url = new URL(specifier, parentModuleURL)
55 | 
56 |       if (url.protocol === 'https:') {
57 |         const body = await get(url)
58 |         const encoded = Buffer.from(body).toString('base64')
59 |         const mediaType = extToMediaTypeMap.get(extname(url.pathname)) || JS_MEDIA_TYPE
60 | 
61 |         rawSpecifier = url.href 
62 |         specifier = `data:${mediaType};base64,${encoded}`
63 |         dataToFileURLMap.set(specifier, rawSpecifier)
64 |       }
65 |     } catch {
66 |       const error = new Error(`Cannot find module ${rawSpecifier} imported from ${parentModuleURL}`)
67 |       error.code = 'ERR_MODULE_NOT_FOUND'
68 |       throw error
69 |     }
70 |   }
71 | 
72 |   return defaultResolver(specifier, parentModuleURL)
73 | }
74 | 


--------------------------------------------------------------------------------
/shared/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "shared",
3 |   "type": "module",
4 |   "private": true
5 | }
6 | 


--------------------------------------------------------------------------------