I'm looking for some solution of next problem: Now i'm developing an Rails app. I want to have possibility to code in Ruby at browser and then execute that code in my Rails app.
Are there some ready solutions?
UPD:
what about code highlighting?
what about Native Client?
https://github.com/codegram/rack-webconsole
Or you could simply pass the Ruby code to the server via post and call eval eval(CODE).
You should note that especially the second way is very insecure since it gives the executing code complete access to your system.
If this really has to be done "Locking Ruby in the Safe" could help secure it.
EDIT:
For syntax highlighting take a look at Code Mirror and ACE. Both are decent source code editors with ruby support.
There aren't really any real-world deployable solutions for this yet, but you might look at text/x-ruby as a proof of concept.
There's also the Cloud9 IDE which functions as a browser-based IDE, and will persist code back to your server to be run.
eval is what you are looking for. A user enters Ruby-code, which gets POSTed to your rails app. Inside your controller you will need to eval the submitted Ruby code.
But. You probably don't want this. If there really seems to be a need to evaluate and run user submitted code, you most probably will need to re-think the need for that feature. This is almost impossible to make secure. And even when you secure it from certain users, it can be exploited trough XSS; which can actually take over a server in no-time trough this "feature".
Related
Hi I'm new to dynamic web dev. I've searched this site but couldn't find anything similar.
I want to implement a password checker, for robustness and length etc. Fairly conventional. The thing is, I have 2 options: 1. embed javascript inside an HTML. 2. embed javascript inside a jsp file.
With a little preliminary research it seems that most people recommend the former, that is to go with HTML. I wanna know why? I could be completely wrong, in that case I also wanna know why?
The "how" isn't all that important, but "why".
Edit: I know this question is full of flaws (for example JSP and HTML aren't mutually exclusive) but please indulge me a little bit and tell me which scheme is more appropriate, if I want to get things done front end, in a user's browser.
Edit#2 : Sorry I did not provide any bg information: I am working on a larger project and password checker is just a part of it, the project itself is a dynamic web project relies predominantly on java, serverlet.
As you state you are new to dynamic web dev. JSP is a server side programming language Just like PHP and others. If you want to confirm password, you can use ajax to check for a match from your database and if match was found create a session and redirect your user to the logged in page. If i misunderstood your question, please try to be clear enough.
Depends on your use-case. In some cases, just the front-end is enough. In many, I would say both is better.
By putting it in the front-end/client-side (the "HTML"), you create a more user-friendly approach, since you can rapidly and continuously evaluate the users' input and give them feedback.
If the application doesn't need to be particularly robust from a security perspective, this can be plenty.
The downside of HTML only validation of any user input is that it can easily be bypassed. As a programmer, I could figure out what its doing and easily bypass any and all client-side protects. Users can also wholesale just disable JavaScript, so if your site works without JavaScript in general, they won't get any validation. This is why "security" on the client side is never a thing. Never trust the client.
Implementing it only on the back-end/server-side ("JSP"), you can lock down the security since the end-user can't bypass any of your validation. It must match the rules you set forth.
The downside to server-side is that you must send the data to the server to be analyzed, then wait for a response. While this may be fast, its still much slower than client-side.
By doing it in both, you get the best of both worlds. You get the rapid feedback for the end-user without having to send any data to the server, and you get the full protections of making sure it is properly validated on the server-side.
The downside to this of course is you have to double-up on your code, so its more effort. That's why you want to weight the pros and cons in your particular case, as there isn't a single "best" answer.
If the HTML is enough for you - why should you use .jsp?
You need .jsp for creating dynamic content and it's gonna be compiled as Servlet - do you actually need Servlet in this case?
If security is not a big concern then HTML + javascript should be fine. It will be responsive amd lead to better user experience.
If this is an external facing application on the web then as mentioned in some of the other answers go with Jsp approach.
Why should I use angular.js or other like js frameworks when I know they are not secured.
What I mean by security is:
All the code is written in pure javascript. The javascript can be edited in devtools or firebug. Something like form submission can be easily manipulated. Even if I try to do server side validations for all the http requests, I end up doing double the work.
How can I effectively use angularjs keeping above in mind?
Thanks.
All client side code is susceptible to modification. For that reason you don't put anything that needs to be secure into the client code. The client code should define the view elements for the end user and give them an easy means to communicate with the server. Regarding security 99% of this needs to be handled server side by appropriately protecting the data that is sensitive. In terms of server to client communication you need to use SSL. Angular has some things built in to help with security see $sce and ngSanitize but IMHO your back-end should be safe because anyone can re-write a front end or use a command line tool to send various curl requests at the server until something gives. The client code really has no need to contain anything proprietary outside of the client code itself if that's your concern you can use obfuscation tools but ultimately even compiled code can be decompiled or disassembled .
You should always do both client and server-side validation. No matter what library you're using, this is required. It shouldn't be seen as "double" the work. It's just "the work".
Even if you weren't using Angular (or another Javascript library), I could still use devtools to make a request via Javascript to your server - it still needs to handle it.
If you're worried about code security, you can use an obfuscation/minification tool.
Of course you should use minification js tool for your client side code if you worried about its logic. But keep in ming this:
Do not keep service info (like many id`s and etc.) on client
And always use both type of validation in dangerous places
Use crypto/tokens
I'm working on a mvc application (applies to any website though) and was wondering is it ok to leave exposed jquery and javascript in a view? In other words when i run the program and right click and view source I can see all my jquery and javascript. Is that safe and ok? Is there a way to hide all of that so users can't see that? Thanks for any tips.
There is no way of hiding javascript completely from the user. JavaScript is a client side technology. It executes in the browser. If the browser can execute the script, it can also show it to the user.
You can use JavaScript obfuscator software to make the code harder to read, but you can never hide it completely. See http://www.javascriptobfuscator.com/default.aspx for an online example of this.
JQuery and other libraries are also publicy available so there is no harm in the user being able to access it. There is nothing secret about them.
If you have secrets in the code that you want to protect, you should think about putting the affected code on the server if possible instead of doing the processing on the client.
To make it harder for the interested spy to read you can put your scripts inside .js files and obfuscate them. See How can I obfuscate (protect) JavaScript? for more information.
Javascript is is executed on the client, so no there's not really anything you can do to hide it from the client. All you can really do is make it more difficult for a user to read through your code via obfuscation.
What your are looking for is Obfuscation.
There are very different opinions on why you should or shouldn't use it with Javascript.
See How can I obfuscate (protect) JavaScript?
Nope, you cannot hide your JS - remember that the JS is client side scripting and has to be executable at the client which implies that the browser must have access to it. And when the browser has access to it - the user can see it as well :)
Hiding isn't possible, all your JavaScript is needed client side to make your website functional. However you can obfuscate you JavaScript, in other words make in more ugly so nobody can really understand your code, but the browser will.
To obfuscate you javascript code take a look at:
UglifyJS JavaScript minification
hey you can do one thing onload call an action of server side through Ajax call into by returning javascript it will never show in your view source but it can be visible by firebug but its a way to sequre your javascript protuct from others to use it in a easy way i have done it one of my project even by this method you can hide your html too
There's no way to hide it. Anyway there's no reason to do it. If you want to obfuscate Javascript code, you can find software (obfuscators) that make your code more difficult to understand (for a human) and so called minifiers that make your code smaller.
This is a live example of such tools :
http://closure-compiler.appspot.com/home
I know some of you just feel it is as a completely wrong question but I have a few requirements of such kind that's why I am asking this question. I understand that javascript is downloaded by the browser on client side so it's very difficult to hide that.
So now i have a game code completely written in jquery and i want that the user is not able to see the complete code because:
The owner of the games doesn't want to show the game code to the user.
If a clever user reads the code carefully then he/she might be able to solve the puzzle(it's a puzzle game).
So, is it good enough to use google closure compiler or yui compressor to make the code unreadable & secure for the above requirements?
If you think that it's not possible to do this in the situation then please suggest me any other way of doing this. Do I need to completely rewrite the game code into a server side language then convert it to js using some tool?
Javascript is a client language, for that, you will always need to show the code to the user.
What you can do is compress and minified...
same thing as all Javascript Frameworks outthere, check this original version and compare with the minified and compressed version
This is not a perfect solution in any way, just one option: you may fetch the actual javascript code from the server via AJAX requests and make them runnable, eg. by eval()-ing them.
This will still not hide the code completely, but this makes the source invisible in the source code itself.
By the way obfuscating the source is an other practice to make the code unreadable.
I would suggest not having the entire game in js (i.e. download to the client). No matter what you do to obfuscate the code someone will figure it out and post about it. Put all the game logic and puzzles on the server side with rpc calls of some type. This can be something simple as a php script that you send ajax messages to that checks if a solution increment is correct. The php script would then look up the answer and return a response. Of course it doesn't have to be php, use whatever server side tech you are knowledgeable in.
I have got a particular requirement where some critical algorithms have to be handled in the client-side script and it got to be secured. Using javascript will just expose the algorithm. I am currently evaluating ways to secure the algorithm on the client script. Appreciate any suggestions and alternative approaches.
One option I am thinking about is to download a small applet to the local PC, get the calculations done in it and update the results back. Before deciding on this, I want to know if a client script itself can be made secure coz that would be much easier.
Thanks in advance!
You CANNOT secure anything on a client PC.
Everything you are doing client-side is crackable and spuffable.
That's the PC of the client. It will be doing anything the client has requested it to do.
Script is not secure, also what level of security do you need? If you download anything to the client the client will be able to look at the algorithim. Of course if you download a native dll, then decompiling it will be harder, the question is if this is good enough.
That an important thing most people miss when evaluating security nothing is trully 100% secure. Because your server admin could go in and steal the binaries off your server. And if your using third party hosting who knows who has access to the server.
The idea is to raise the bar. Do you want to prevent the average script kiddie? Obfuscate it, make it hard for them to understand the gain of understanding the algorithim might not justify the pain in trying to understand it.
The best that you can probally do is keep the algorithim on the server and expose it via a web service.
Everything that the end-user is controlling to 100% may be tampered with, and this is especially true with JavaScript that is so easily exposed.
You are going down the wrong path. You need to rethink your approach.
You could build a web-service containing the critical algorithm and call it from javascript.
Bottom line is, if someone wants your logic ... they will get it unless it is server-side and they never obtain it in any way.
What you want is a Javascript obfuscator
Nothing on the client side can be totally "secure".
Anything you make them download will have to be run on the client PC, and so can be analysed. If you have them download an applet or a native executable, it will still contain machine instructions that can be analysed at the very least to an assembly level.
Is there no way you can have the client upload the data to your server instead and perform the calculation on the server side?
It it's client-side, then it's not secure. Anything with critical security concerns should be done on the server.
An NPAPI plugin will execute on the client-side and make reverse-engineering much more difficult.... but of course a determined hacker will be able to reach-through...
Theoretically (and I mean this is a Comp.Sci. sense) this is possible. The cryptographical technique is known as "fully homomorphic encryption". For now, the method isn't practical yet. There are no compilers available that are able to transform your algorithm in its equivalent secure form.