Comments (11)
I see. Pre-parsing should be done before ParameterizedFunctions.jl then, since one place where ParameterizedFunctions is expanding is actually to make it easier to use user-defined functions (which of course runs counter to this).
from diffeqonlineserver.
It seems like you have set up input sanitation. Are you looking to do more or is this complete?
from diffeqonlineserver.
Right now the user can execute arbitrary code on the server, we're only preventing them from defining new functions (not sure that even helps at all). I think we need to look at the parsed diff eq and vars and throw an error if any function not on a whitelist is called.
from diffeqonlineserver.
Maybe this is a good list to whitelist from?
https://github.com/johnmyleswhite/Calculus.jl/blob/master/src/differentiate.jl#L116-L186
from diffeqonlineserver.
Some people on the Gitter took it for a spin... to say the least. One thing that they found is that we need to also get rid of any control flow blocks:
2017-01-16T06:23:06.655428+00:00 app[web.1]: Diff equ: begin # none, line 2:
2017-01-16T06:23:06.655457+00:00 app[web.1]: dx = a * x - b * x * y # none, line 3:
2017-01-16T06:23:06.728152+00:00 app[web.1]: dy = -c * y + d * x * y + while true # none, line 3:
2017-01-16T06:23:06.728212+00:00 app[web.1]: end
2017-01-16T06:23:06.728266+00:00 app[web.1]: end
from diffeqonlineserver.
Right now the user can execute arbitrary code on the server, we're only preventing them from defining new functions (not sure that even helps at all).
that is not taking into account one line func definitions, I guess you are looking for the function keyword
from diffeqonlineserver.
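One way to implement the checks the comments above call for (a function-call whitelist, rejection of control-flow blocks, and rejection of one-line `f(x) = ...` definitions) is to walk the parsed expression against an allowlist of syntax heads and call names, so that anything unexpected is rejected rather than trying to enumerate every dangerous construct. The following is an added example, not code from the diffeqonlineserver project; `ALLOWED_CALLS`, `ALLOWED_HEADS`, `UnsafeExpression`, `check_expr` and `check_user_equations` are hypothetical names, and the sample inputs are constructed.

```julia
# Added example (not the project's own code): allowlist-based checker for
# user-submitted Julia expressions. All names below are assumptions.

# Functions a submitted equation may call. Anything not here is rejected.
const ALLOWED_CALLS = Set{Symbol}([:+, :-, :*, :/, :^,
                                   :sin, :cos, :tan, :exp, :log, :sqrt, :abs])

# Expression heads the walker will descend into. :while, :for, :if, :function,
# :macrocall, :->, :try and every other head are rejected simply by absence.
const ALLOWED_HEADS = Set{Symbol}([:block, :call, :(=)])

struct UnsafeExpression <: Exception
    msg::String
end
Base.showerror(io::IO, e::UnsafeExpression) = print(io, "UnsafeExpression: ", e.msg)

# Recursively check a parsed expression, throwing UnsafeExpression on the first
# node that falls outside the allowlist. Returns the expression unchanged if clean.
function check_expr(ex)
    if ex isa Symbol || ex isa Number || ex isa LineNumberNode
        return ex                       # variables, literals and line info are fine
    elseif ex isa Expr
        ex.head in ALLOWED_HEADS ||
            throw(UnsafeExpression("disallowed syntax `$(ex.head)`"))
        if ex.head == :call
            f = ex.args[1]
            # The callee must be a plain Symbol on the allowlist. This also rejects
            # qualified names such as Base.eval (an Expr(:., ...) callee) and
            # computed callees, not just unknown function names.
            (f isa Symbol && f in ALLOWED_CALLS) ||
                throw(UnsafeExpression("call to disallowed function `$f`"))
            foreach(check_expr, ex.args[2:end])
        elseif ex.head == :(=)
            # Only `name = <expr>` is allowed. A one-line definition `f(x) = ...`
            # parses with Expr(:call, :f, :x) on the left-hand side, so requiring a
            # Symbol there rejects the form the comment above points out.
            lhs = ex.args[1]
            lhs isa Symbol ||
                throw(UnsafeExpression("assignment target must be a variable, got `$lhs`"))
            check_expr(ex.args[2])
        else                            # :block
            foreach(check_expr, ex.args)
        end
        return ex
    else
        throw(UnsafeExpression("unexpected node of type $(typeof(ex))"))
    end
end

# Parse the submission as one block and check it before anything evaluates it.
check_user_equations(src::AbstractString) =
    check_expr(Meta.parse("begin\n" * src * "\nend"))

# Constructed sample input, modelled on the Lotka-Volterra system in the log above.
ok = """
dx = a * x - b * x * y
dy = -c * y + d * x * y
"""
check_user_equations(ok)                # returns the Expr; nothing is thrown

# Constructed inputs that must each be rejected.
for bad in (
        "dx = a * x\nwhile true\nend",  # control-flow block
        "f(x) = x + 1\ndx = f(x)",      # one-line function definition
        "dx = Base.eval(:(1 + 1))",     # call through a qualified name
        "dx = @eval 1 + 1",             # macro call
    )
    try
        check_user_equations(bad)
        println("MISSED: ", repr(bad))
    catch e
        e isa UnsafeExpression ? println("rejected: ", e.msg) : rethrow()
    end
end
```

The design point is that the walker only ever descends into heads it explicitly knows, so new Julia syntax (or a keyword nobody thought to blacklist) is rejected by default instead of slipping through; extending support for, say, tuple literals means consciously adding `:tuple` to `ALLOWED_HEADS` and handling it in the walk.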
that is not taking into account one line func definitions
Please see: #7.
from diffeqonlineserver.
Looks good. We should now probably expand the parsing to every Julia keyword for any kind of block. Is there a list somewhere?
from diffeqonlineserver.
I think we're good on this. At least, everything I tried doesn't work anymore. Of course, there may be something I missed which we can deal with as its own case.
from diffeqonlineserver.
I think it looks good for the main expression. I'm going to move things around a bit to make sure that vars and similar also get the same sanitation.
from diffeqonlineserver.