From 2de388ab3b9c425fb4bdb34ce6d225769e590ed4 Mon Sep 17 00:00:00 2001 From: Kasen IO Date: Mon, 9 Dec 2019 01:20:04 -0500 Subject: [PATCH 1/2] Fixes bug where empty "" whitespace allows all scripts. --- libraries/script-engine/src/ScriptEngine.cpp | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libraries/script-engine/src/ScriptEngine.cpp b/libraries/script-engine/src/ScriptEngine.cpp index 2ffe4d1dd3..47a417026c 100644 --- a/libraries/script-engine/src/ScriptEngine.cpp +++ b/libraries/script-engine/src/ScriptEngine.cpp @@ -2363,24 +2363,23 @@ void ScriptEngine::entityScriptContentAvailable(const EntityItemID& entityID, co } } else { - // IF YOU FUCK UP, DELETE FROM HERE TO... - QList safeURLS = { "https://FAKEURL.t43wt4g4g44FAKE" }; - safeURLS += qEnvironmentVariable("EXTRA_WHITELIST").split(QRegExp("\\s*,\\s*"), QString::SkipEmptyParts); + // ENTITY SCRIPT WHITELIST STARTS HERE + QList safeURLS = { "" }; + safeURLS += qEnvironmentVariable("EXTRA_WHITELIST").trimmed().split(QRegExp("\\s*,\\s*"), QString::SkipEmptyParts); // PULL SAFEURLS FROM INTERFACE.JSON Settings QVariant raw = Setting::Handle("private/settingsSafeURLS").get(); - QStringList settingsSafeURLS = raw.toString().split(QRegExp("\\s*[,\r\n]+\\s*")); + QStringList settingsSafeURLS = raw.toString().trimmed().split(QRegExp("\\s*[,\r\n]+\\s*"), QString::SkipEmptyParts); safeURLS += settingsSafeURLS; // END PULL SAFEURLS FROM INTERFACE.JSON Settings bool isInWhitelist = false; // assume unsafe for (const auto& str : safeURLS) { - // qDebug() << "CHECKING" << entityID.toString() << scriptOrURL << "AGAINST" << str; qCDebug(scriptengine) << "Script URL: " << scriptOrURL << "TESTING AGAINST" << str << "RESULTS IN" << scriptOrURL.startsWith(str); - if (scriptOrURL.startsWith(str)) { + if (!str.isEmpty() && scriptOrURL.startsWith(str)) { isInWhitelist = true; qCDebug(scriptengine) << "Script approved."; break; // bail early since we found a match @@ -2410,7 +2409,7 @@ void ScriptEngine::entityScriptContentAvailable(const EntityItemID& entityID, co exception = testConstructor; } } - // DELETE UP TO HERE, THEN UNCOMMENT BELOW. + // ENTITY SCRIPT WHITELIST ENDS HERE, uncomment below for original full disabling. // qDebug() << "(disabled entity script)" << entityID.toString() << scriptOrURL; // exception = makeError("UNSAFE_ENTITY_SCRIPTS == 0"); From 3e6660b63325d568beec3f1ae2cf65fd706010c6 Mon Sep 17 00:00:00 2001 From: Kasen IO Date: Mon, 9 Dec 2019 08:30:02 -0500 Subject: [PATCH 2/2] Updated whitelist debugs for clarity in dev log --- libraries/script-engine/src/ScriptEngine.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libraries/script-engine/src/ScriptEngine.cpp b/libraries/script-engine/src/ScriptEngine.cpp index 47a417026c..482bde9fd4 100644 --- a/libraries/script-engine/src/ScriptEngine.cpp +++ b/libraries/script-engine/src/ScriptEngine.cpp @@ -2364,6 +2364,7 @@ void ScriptEngine::entityScriptContentAvailable(const EntityItemID& entityID, co } else { // ENTITY SCRIPT WHITELIST STARTS HERE + QString whitelistPrefix = "[WHITELIST ENTITY SCRIPTS]"; QList safeURLS = { "" }; safeURLS += qEnvironmentVariable("EXTRA_WHITELIST").trimmed().split(QRegExp("\\s*,\\s*"), QString::SkipEmptyParts); @@ -2377,16 +2378,16 @@ void ScriptEngine::entityScriptContentAvailable(const EntityItemID& entityID, co bool isInWhitelist = false; // assume unsafe for (const auto& str : safeURLS) { - qCDebug(scriptengine) << "Script URL: " << scriptOrURL << "TESTING AGAINST" << str << "RESULTS IN" + qCDebug(scriptengine) << whitelistPrefix << "Script URL: " << scriptOrURL << "TESTING AGAINST" << str << "RESULTS IN" << scriptOrURL.startsWith(str); if (!str.isEmpty() && scriptOrURL.startsWith(str)) { isInWhitelist = true; - qCDebug(scriptengine) << "Script approved."; + qCDebug(scriptengine) << whitelistPrefix << "Script approved."; break; // bail early since we found a match } } if (!isInWhitelist) { - qCDebug(scriptengine) << "(disabled entity script)" << entityID.toString() << scriptOrURL; + qCDebug(scriptengine) << whitelistPrefix << "(disabled entity script)" << entityID.toString() << scriptOrURL; exception = makeError("UNSAFE_ENTITY_SCRIPTS == 0"); } else { QTimer timeout;