Jint: Do not add system namespace by default clr is allowed

Created on 3 Sep 2015 · 3Comments · Source: sebastienros/jint

in Engine.cs:

if (Options.IsClrAllowed())
    {
        Global.FastAddProperty("System", new NamespaceReference(this, "System"), false, false, false);
        Global.FastAddProperty("importNamespace", new ClrFunctionInstance(this, (thisObj, arguments) =>
        {
            return new NamespaceReference(this, TypeConverter.ToString(arguments.At(0)));}), false, false, false);
        }
    }

removing the first call to add system namespace by default will allow exposing custom CLR types without actually exposing the system namespace and everything else that comes with it.

Source

hnafar

Most helpful comment

Are there plans to add an API for whitelisted access. I for one have and see many use cases where giving access to javascript code to the entire system namespace would be a bad idea for security as well as just preventing users from doing terrible things on accident.

This workaround is a bit of a wart and it would be nice if there were an AllowAssembly or AllowClass api that gave the javascript code access to specific whitelisted .Net libraries and/or Classes.

zaphar on 11 Jan 2016

👍4

All 3 comments

As a workaround, I am currently allowing CLR and then unsetting System variable:

var e =  new Jint.Engine(options =>
{
    options.AllowClr(typeof(Foo.Class1).Assembly);
});
e.Global.Properties.Remove("System");

hnafar on 3 Sep 2015

I understand the concern but at the same time AllowClr is opt-in and I think that for most usages of this call you'd want System to be available. Glad you found a way to mitigate it.

sebastienros on 11 Sep 2015

This workaround is a bit of a wart and it would be nice if there were an AllowAssembly or AllowClass api that gave the javascript code access to specific whitelisted .Net libraries and/or Classes.

zaphar on 11 Jan 2016

👍4

Was this page helpful?

0 / 5 - 0 ratings