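#!/usr/bin/python2
"""CGI endpoint that parses a submitted JavaScript source and rejects it
when the syntax tree contains a construct from a small denylist.

Request contract: the form field ``script`` carries the JavaScript text.
The response is ``text/html``. A missing or rejected script ends the
process with exit status 1 after printing a one-line reason; a script
that passes every check exits normally after the ``loading`` line.
"""
from __future__ import print_function

import jsparser
import re
import sys
import types
import getopt
import cgi
import cgitb

# CGI response header block; print() supplies the terminating newline.
print('Content-type: text/html\n\n')

# NOTE(review): with the default arguments cgitb renders any uncaught
# traceback -- source lines and local variables included -- into the HTTP
# response. Handy while developing, an information disclosure once the
# endpoint is reachable by others; cgitb.enable(display=0, logdir=...) keeps
# the detail server-side.
cgitb.enable()

# Identifiers whose appearance anywhere in the script rejects it. Being a
# denylist of spellings this is a heuristic filter, not a sandbox: a script
# that passes has only avoided these names.
RESERVED_WORDLIST = ['document', 'window', 'alert', 'console', '$', 'jQuery',
                     'xmlhttp', 'eval', 'XMLHttpRequest', 'String', 'this']

form = cgi.FieldStorage()
# Verbose tracing of the walk. Off by default; getopt is imported but no
# option parsing is wired up in this file.
opt_v = False

if 'script' not in form:
    # NOTE(review): the original message carried HTML markup that did not
    # survive extraction; the plain text is kept.
    print('script not found')
    sys.exit(1)
else:
    print('loading %d bytes' % len(form['script'].value))

test = jsparser.parse(form['script'].value)

# Node attributes that may hold a child node, or a list of child nodes, in
# addition to the node's own list elements; the walk descends into each.
ITERATION_BLOCKS = ['expression', 'body', 'block', 'initializer', 'condition',
                    'thenPart', 'elsePart', 'tryBlock', 'catchClauses',
                    'varDecls']


def security_checks(v):
    """Reject node *v* if it matches one of the denylist rules.

    Rules, applied in order; the first hit prints a one-line reason prefixed
    ``(MY) ERROR`` and terminates the process with exit status 1:

    * an ``IDENTIFIER`` whose value is in ``RESERVED_WORDLIST``;
    * any ``STRING`` literal;
    * a ``PLUS`` node with an ``ARRAY_INIT`` operand (array-to-string
      coercion used to assemble a string).

    ``v`` is a parser node exposing ``type``, ``value`` and ``lineno`` and
    iterating over its child nodes. Returns ``None`` when the node passes.
    """
    if opt_v:
        print('this is the type: %s at line number %s' % (v.type, v.lineno))
        print('this is the value: %s at line number %s' % (v.value, v.lineno))
    if v.type == 'IDENTIFIER' and v.value in RESERVED_WORDLIST:
        # v.value is one of our own constants at this point, so echoing it
        # into the HTML response does not reflect attacker-chosen text.
        print('(MY) ERROR reserved word "%s" used in assignment at line number %s'
              % (v.value, v.lineno))
        sys.exit(1)
    if v.type == 'STRING':
        print('(MY) ERROR illegal type "%s" used at line number %s'
              % (v.type, v.lineno))
        sys.exit(1)
    if v.type == 'PLUS':
        for operand in v:
            if operand.type == 'ARRAY_INIT':
                print('(MY) ERROR illegal use of arrays to cast strings at %s'
                      % v.lineno)
                sys.exit(1)


def traverse(tree, rec_level=1):
    """Depth-first walk of *tree*, running ``security_checks`` on every node.

    Visits the node itself, then its list elements, then every attribute
    named in ``ITERATION_BLOCKS`` the node has. An attribute that is itself
    a node (has ``type``) is walked as a node so that it is checked too;
    any other attribute value is treated as a list of nodes. Attributes
    that cannot be walked are reported on stderr and skipped.

    ``rec_level`` only feeds the verbose trace. Depth is bounded solely by
    the interpreter's recursion limit, so pathologically nested input shows
    up as a RuntimeError rather than a clean rejection.

    Fixes relative to the earlier version: the recursive call named the
    function's former name ``test_script`` (a NameError on the first child,
    so nothing below the root was ever checked); a failing verbose print
    used to skip the whole attribute block; and the attribute value itself
    was never handed to ``security_checks``, only its elements, so a leaf
    node stored directly in one of these attributes escaped inspection.
    """
    if opt_v:
        print('test_script(tree,%d)' % rec_level)
    security_checks(tree)
    for child in tree:
        traverse(child, rec_level + 1)
    for block in ITERATION_BLOCKS:
        if not hasattr(tree, block):
            continue
        b = getattr(tree, block)
        if b is None:
            continue
        if opt_v:
            # Diagnostic only: a missing 'type' (plain list attributes) must
            # not prevent the block from being walked.
            try:
                print(' this is the expression type: %s ' % getattr(b, 'type'))
            except Exception as e:
                sys.stderr.write('this was the error %s ' % e)
        # NOTE(review): an exception raised part-way through this descent
        # abandons the remaining nodes of the block (fail-open); the walk
        # continues with the next attribute as in the original.
        try:
            if hasattr(b, 'type'):
                traverse(b, rec_level + 1)
            else:
                for child in b:
                    traverse(child, rec_level + 1)
        except Exception as e:
            sys.stderr.write('this was the error %s ' % e)
            continue
    if opt_v:
        print('test_script(tree,%d) end' % rec_level)


traverse(test)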