[MDEV-8828] javascript v8 udfs Created: 2015-09-23  Updated: 2015-11-02

Status: Open
Project: MariaDB Server
Component/s: None
Fix Version/s: None

Type: Task Priority: Minor
Reporter: Sergei Golubchik Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 2
Labels: None

Issue Links:
Duplicate
duplicates MDEV-6328 Request: mysqlv8udfs Closed

 Description   

look at, consider, and (optionally) accept and integrate Javascript UDFs of Roland Bouman

 Comments   
Comment by Sergei Golubchik [ 2015-09-23 ]

thought: security. one can do just anything from javascript, can we sandbox it somehow?

Comment by Roland Bouman [ 2015-09-23 ]

Hi Sergei,

thanks for creating this issue!

Regarding security - the v8 engine only makes the javascript language, and its built-ins, available. AFAIK this is limited to a bunch of functions (like encodeURIComponent, eval) constructors like Date, Array, String, Regex etc. and some static container objects like JSON and Math.

It does not include things like XMLHttpRequest. This is offered by the global environment by virtually all browsers, but it's specific to the runtime - not the language. So v8 doesn't offer that unless you explicitly create it yourself. Same goes for other Web API's like File API.

The mysqlv8udfs project I created also offers some builtins in the global object - that is so to say mysqlv8udf's runtime. These are documented here: https://github.com/rpbouman/mysqlv8udfs/wiki/Javascript-Runtime-Environment and can be summarized as:

  • arguments object: a global that presents a scriptable version of the UDF_ARGS* object passed to the UDF (at the C/C++ level)
  • console object: a global that provides methods that allows the user to write messages to the mysql error log
  • require function: a built-in function that lets the user load a javascript script file. The location from where script files may be loaded is controlled through a non-modifyable server variable defined by the js_daemon plugin. I do believe that currently this function may accept paths that can jailbreak the predfined location, so this certainly needs work to be made secure.
  • mysql object - basically just a namespace for mysql related scripting objects
  • mysql.client object: a mysql client in javascript that wraps around the libmysqlclient library. This defines a number of other objects and to represent objects from the mysql client lib in a javascripty way.

I can't think of any particular security issue, except for the one mentioned with the require function.

Please let me know if you have other concerns - It's entirely possible I am not overseeing the security impact in its totality.

Generated at Thu Feb 08 07:30:06 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.