Regarding security - the v8 engine only makes the javascript language, and its built-ins, available. AFAIK this is limited to a bunch of functions (like encodeURIComponent, eval) constructors like Date, Array, String, Regex etc. and some static container objects like JSON and Math.
It does not include things like XMLHttpRequest. This is offered by the global environment by virtually all browsers, but it's specific to the runtime - not the language. So v8 doesn't offer that unless you explicitly create it yourself. Same goes for other Web API's like File API.
arguments object: a global that presents a scriptable version of the UDF_ARGS* object passed to the UDF (at the C/C++ level)
console object: a global that provides methods that allows the user to write messages to the mysql error log
require function: a built-in function that lets the user load a javascript script file. The location from where script files may be loaded is controlled through a non-modifyable server variable defined by the js_daemon plugin. I do believe that currently this function may accept paths that can jailbreak the predfined location, so this certainly needs work to be made secure.
mysql object - basically just a namespace for mysql related scripting objects
mysql.client object: a mysql client in javascript that wraps around the libmysqlclient library. This defines a number of other objects and to represent objects from the mysql client lib in a javascripty way.
I can't think of any particular security issue, except for the one mentioned with the require function.
Please let me know if you have other concerns - It's entirely possible I am not overseeing the security impact in its totality.
Roland Bouman
added a comment - Hi Sergei,
thanks for creating this issue!
Regarding security - the v8 engine only makes the javascript language, and its built-ins, available. AFAIK this is limited to a bunch of functions (like encodeURIComponent, eval) constructors like Date, Array, String, Regex etc. and some static container objects like JSON and Math.
It does not include things like XMLHttpRequest. This is offered by the global environment by virtually all browsers, but it's specific to the runtime - not the language. So v8 doesn't offer that unless you explicitly create it yourself. Same goes for other Web API's like File API.
The mysqlv8udfs project I created also offers some builtins in the global object - that is so to say mysqlv8udf's runtime. These are documented here: https://github.com/rpbouman/mysqlv8udfs/wiki/Javascript-Runtime-Environment and can be summarized as:
arguments object: a global that presents a scriptable version of the UDF_ARGS* object passed to the UDF (at the C/C++ level)
console object: a global that provides methods that allows the user to write messages to the mysql error log
require function: a built-in function that lets the user load a javascript script file. The location from where script files may be loaded is controlled through a non-modifyable server variable defined by the js_daemon plugin. I do believe that currently this function may accept paths that can jailbreak the predfined location, so this certainly needs work to be made secure.
mysql object - basically just a namespace for mysql related scripting objects
mysql.client object: a mysql client in javascript that wraps around the libmysqlclient library. This defines a number of other objects and to represent objects from the mysql client lib in a javascripty way.
I can't think of any particular security issue, except for the one mentioned with the require function.
Please let me know if you have other concerns - It's entirely possible I am not overseeing the security impact in its totality.
Task
Minor
thought: security. one can do just anything from javascript, can we sandbox it somehow?