Jump to content

Execute from var?


Recommended Posts

I tell you what would be ace, a way to run dynamically created code within the current process.

Pseudo 

$str = "For $i = 0 To 10" & @CRLF
$str &= "   ConsoleWrite($i & @LF)" & @CRLF
$str &= "Next"

Execute($str)

AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.

Link to comment
Share on other sites

Not so sure, a function is already defined you see.

I think that such a feature would open up a massive security vulnerability within any application written with this type of function. What you're talking about is some kind of simulator or with a lot more complexity a more-or-less  rudimentary compiler.

Link to comment
Share on other sites

Not really, There is already close to this functionality in /AutoItExecuteScript.

You can dynamically create script and run it, just not from string.

I don't think running code from a string poses any more a security vulnerability than running script from file.

AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.

Link to comment
Share on other sites

Not really, There is already close to this functionality in /AutoItExecuteScript.

You can dynamically create script and run it, just not from string.

I don't think running code from a string poses any more a security vulnerability than running script from file.

 

Agree or not, with a function like Execute($string) where $string can be any code you're opening up your software to huge security vulnerability.

Such a function would need some form of validation of $string for security purposes, to remove any potentially malicious code, but of course there is a high chance of the sanitation process completely breaking the code in $string.

Whilst it sounds like a good idea, its absolutely not. We already have programs that do just that - execute code from strings - e.g. SciTe, but its a purpose written application that serves as a code editor. Unless you're writing some custom code that only your app can read and it interprets the special language into AutoIt functionality, Execute($string) is a pretty bad idea.

But that's my 2c, who knows maybe I'm completely wrong, I just don't see how it would NOT be a huge security vulnerability. 

Link to comment
Share on other sites

Out of curiosity (because I'm not locked in to my opinion that there are no more security concerns), what is your reasoning that there are any security vulnerabilities with such functionality?

My reasoning is this.

$str = "For $i = 0 To 10" & @CRLF
$str &= "   ConsoleWrite($i & @LF)" & @CRLF
$str &= "Next"

FileWrite("dynamic.au3", $str)
Run(@AutoItExe & ' /AutoIt3ExecuteScript dynamic.au3')

Would be the same as the psuedo

$str = "For $i = 0 To 10" & @CRLF
$str &= "   ConsoleWrite($i & @LF)" & @CRLF
$str &= "Next"

Execute($str)

If it were possible, and I wanted to run malicious code.

I only see a gain, in that no temp file is needed, and any code return values could be useful in the running script.

AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.

Link to comment
Share on other sites

Well, executing unknown code is by definition a major security hole and one should never allow a user to input code and run that without SERIOUS safeguards. Not even if the dev himself is the only one inputting code. Copypaste is just too damn dangerous.

Having said that, it's very well possible anyway with the execute function, TS is just doing it wrong :)

First:

$a = "fileread"
$f = Execute ('$a ("test.txt")') 

... will literally try to run the command $a ("test.txt"). "$a" is not a command. This is a command:

$a = "fileread"
$f = Execute ($a & '("test.txt")')

That will work fine, as long as test.txt is readable. If it doesn't, see if "test.txt" is in the working directory and/or supply a full path.

Again, I implore you in the strongest possible terms (I learned that from Tom Lennox in 24) to NOT allow any script to blindly execute code that you cannot predict, like code from an external file or -even worse- from user input. Even if you as the dev yourself will be the only one ever using it. Murphy says it's guaranteed to bite you in the ass at some point in the future, and in the worst way possible. But you can, easily :)

Edited by SadBunny

Roses are FF0000, violets are 0000FF... All my base are belong to you.

Link to comment
Share on other sites

My point is, it is already possible to do that, as I showed above, so whether Execute() and or /AutoIt3ExecuteScript are security risks or not, no extra security risks would be introduced.

 

I guess I'm missing something... You seemed to think that it wasn't possible to run code from a string/variable and wrote pseudocode. I showed it is possible. You asked what extra security risks would be introduced, I showed that they're already there :) What did I miss?

Roses are FF0000, violets are 0000FF... All my base are belong to you.

Link to comment
Share on other sites

Oh wait, your pseudocode doesn't run like that indeed. I get it now.

I focused on TS's code, which didn't run correctly for another reason than the reason why yours isn't working :) My apologies for the misunderstanding.

Anyway, TS can actually run the generated code he wants to run if he formulates that string correctly.

Roses are FF0000, violets are 0000FF... All my base are belong to you.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...