Going through a bunch of JavaScript I do not trust and it has a ton of web address comments like citations but likely some bad stuff in there too. What could be swapped with the address to instead act as a local tripwire or trap?
Just a mild curiosity for scripting stuff.
You must log in or register to comment.
I’m not really understanding what it is you are concerned about.
If it’s that the Javascript might be malicious, then a browser should be able to sandbox it. IIRC — and you probably want to confirm this, if you’re actively concerned — the Firefox security model is that if you open a file locally, it has local access, but if you open it from a webserver, it doesn’t. Like, Javascript running in your browser downloaded from a web server shouldn’t have local filesystem access.
If you want to examine some code, but don’t want the code to phone home in some way, I’d remember that at least DNS is probably also a potential side channel. I’d maybe run the stuff in a VM without network access, if I were concerned about that.
I’m in the process of dismantling software I will never trust or update again and coming across all kinds of sketchy stuff. There is this Python program called Sentry_SDK that is very concerning. Along with several others. It appears to be packaged with most offline AI stuff and is some of the most authoritarian nonsense I have seen. I have air gapped the computer and do not have a package installed like prettier to maybe make the JavaScript readable, and it is enormous. There are many pages that are in the 10k lines plus range.
I already found a place in the back end that is trying to send packets with major obfuscation. The process is preloaded as listening, with every measure taken to prevent discovery of its origin. So that is fun too. I will likely reformat and start over after I have had my fun and saved what I wish to save.
Do you have an example of what you have and what you want?
Assuming it is a quoted string for simplicity.
..."http://foo.bar/"...
$ sed -i 's/\/.*\"/injection/g'That is flawed in practicality, but gets the point across and will result in
http:injection. It would take more convoluted escapes to replace the ‘//’.I was thinking there has to be a way to use the address like a printf like situation. However someone tries to use an address, it just hits a local trip wire. Pass that to anything you don’t want to connect on the internet. It is super lazy and hacky, but I don’t really care. I use an external firewall device with DNS whitelist, so I block everything anyways. Flagging stuff just makes it easy to say something to others that might benefit.
