Rm unnecessary security, fix test gist link (#33)
Don't limit auto-evaluated gists' access to js/*; people will click on links anyway, not checking for `&unlimited`.

Fix the test gist link to work also when not running at root.
holyjak authored Oct 3, 2023
1 parent d1c7698 commit a91d51f
Showing 2 changed files with 15 additions and 33 deletions.
37 changes: 12 additions & 25 deletions playground/src/playground.cljs
@@ -59,27 +59,21 @@
#'sci.configs.reagent.reagent-dom-server/config
#'sci.configs.tonsky.datascript/config])

(defn make-ctx [{:keys [limited?]}]
(def sci-ctx
(->> all-configs
(map deref)
(reduce
sci/merge-opts
(sci/init (if limited?
{}
{:classes {'js js/globalThis :allow :all}
:js-libs {"react" react
"react-dom" react-dom}})))))

(def sci-ctx (make-ctx nil))
(def limited-sci-ctx (make-ctx {:limited? true}))
(sci/init {:classes {'js js/globalThis :allow :all}
:js-libs {"react" react
"react-dom" react-dom}}))))

(defn eval-code
([code] (eval-code code nil))
([code {:keys [limited?]}]
(try (sci/eval-string* (if limited? limited-sci-ctx sci-ctx) code)
([code]
(try (sci/eval-string* sci-ctx code)
(catch :default e
(try (js/console.log "Evaluation failed:" (ex-message e)
(some-> e ex-data clj->js))
(some-> e ex-data clj->js))
(catch :default _))
{::error (str (.-message e)) :data (ex-data e)}))))

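Review bot: Removing `make-ctx` and `limited-sci-ctx` leaves a single `sci-ctx` built with `{:classes {'js js/globalThis :allow :all} ...}` for every evaluation, so an auto-evaluated gist now gets the same unrestricted `js/*` access as code the user typed into the editor, and the only gate before that code runs is the presence of `?gist=` in the URL. The commit message's reasoning (people click links without checking for `&unlimited`) shows the flag was ineffective rather than that the restriction was unneeded; an alternative that keeps the protection would be to keep the `limited?` context for auto-evaluation and let the user opt into the unrestricted context with an explicit click after the gist is visible. Separately, `eval-code` keeps the multi-arity `defn` form with only `([code] ...)` remaining, so it can be collapsed to `(defn eval-code [code] ...)`.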
@@ -195,18 +189,11 @@
(do
(set! (.-textContent code-el) "Loading gist...")
(-> (async-fetch-gist gist-id)
(p/then #(do
(let [unlimited? (->> js/document .-location .-search
(re-find #"[?&]unlimited(\W|$)")
second)
res (eval-code % (when-not unlimited? {:limited? true}))]
(println "Initial evaluation => " res)
(when (::error res)
(set! (.-textContent (js/document.getElementById "app"))
(str "Auto-evaluating the gist failed. Notice that auto-eval lacks some libs"
" and access to js/*, unless you included `&unlimited` in the URL."
" Cause: "
(::error res)))))
(p/then #(let [res (eval-code %)]
(println "Initial evaluation => " res)
(when (::error res)
(set! (.-textContent (js/document.getElementById "app"))
(str "Auto-evaluating the gist failed. Cause: " (::error res))))
(bind-editor! code-el %)))
(p/catch #(set! (.-textContent code-el) (str "Loading gist FAILED: " %)))))
(bind-editor! code-el code)))
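Review bot: With the `unlimited?` parsing gone, the `p/then` branch calls `(eval-code %)` as soon as the gist body arrives and only afterwards calls `(bind-editor! code-el %)`, so the fetched code executes before the user has seen it in the editor; if the rationale for dropping the limited context is that the user decides by clicking the link, consider binding the editor first and triggering `eval-code` from an explicit action, or keeping the "Loading gist..." status until the user confirms. Setting the failure message via `textContent` rather than `innerHTML` is the right choice here, since `(::error res)` is derived from gist-controlled code.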
11 changes: 3 additions & 8 deletions playground/www/index.html
@@ -39,17 +39,12 @@ <h1>SCI Playground</h1>

<h4 id="gist-info">Auto-evaluation GitHub gists</h4>
<p>You can automatically load and evaluate a <a href="https://gist.github.com/discover">gist</a>
by appending <code>?gist=GIST-ID</code> to the URL. All clj* files from the gist are loaded
by appending <code>?gist=GIST-ID</code> to the URL. All clj* files from the gist are loaded
into the editor in the order of their names and evaluated automatically. You can
<a href="/?gist=5ff187847756263be17d7c4c19f978b5">try our test gist (by clicking here)</a>.
</p>
<p>
Notice that for security reasons, auto-evaluated gists lack access to <code>js/*</code>
and some JS libs, unless you include <code>&amp;unlimited</code> in the URL.
This is not true when you evaluate them manually.
<a href="?gist=5ff187847756263be17d7c4c19f978b5">try our test gist (by clicking here)</a>.
</p>
<p>BEWARE: Evaluating code from a random source is dangerous, even though SCI does its best to sandbox
scripts.
scripts. The scripts have access to <code>js/{document, window, ...}</code>.
</p>
</body>
<script src="js/playground.js"></script>
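Review bot: The extended BEWARE sentence now states plainly that scripts have access to <code>js/{document, window, ...}</code>, but the paragraph above it still presents <code>?gist=GIST-ID</code> purely as a convenience, and the removed <code>&lt;p&gt;</code> was the only place that told readers auto-evaluated gists were treated differently; consider adding one sentence under <code>#gist-info</code> saying that opening a <code>?gist=</code> link runs the gist's code on page load with that same access, so readers know this before following someone else's link. Changing the test-gist link from <code>/?gist=...</code> to <code>?gist=...</code> is correct for a non-root deployment, as the commit message says.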
