Security Problem in Small Basic

  • General discussion

  • The best way to get some ideas of what you can do in Small Basic is to download some programs from Small Basic's repository (using the Import button).

    Most of us, after that, DON'T look through the code, we just run it.

    Is there any protection against File.DeleteFile() or File.DeleteDirectory() functions that could run in the background?

    What about browsing content and sending it through Network.GetWebPageContents() and appending the data to GET parameters?

    Sunday, August 1, 2010 1:24 PM

All replies

  • AFAIK there's no such protection, but Small Basic code is really easy to interpret. Just look into imported code before you run it. Do you "get some ideas" by running code or by reading it?

    If you are still unsure, just right-click the imported code and do some searches for "file." and "network." occurrences. You can also run the imported app using the Silverlight applet on the Small Basic repository website.

    BTW, do you know any other programming language with such protection?


    Grzesio
    Sunday, August 1, 2010 1:32 PM
  • I thought the File.* commands were commented out, or is that just the write ones?

    I think all commands that access the file system or the network should automatically be commented out, and instead of putting the line of text above the line it should stick it at the top. This way, when people download files with possibly dangerous code, they can see right away that there are commented-out lines.

    And Grzegorz's comment on naming other programming languages, that's kind of irrelevant; this is aimed at complete beginners, and chances are if they do download a program it's as an example to help them learn something. They're not entirely sure exactly what's going on, but they want to run it and then work out how it works.

    Sunday, August 1, 2010 4:14 PM
  • Think about this: every program you run on your computer can do the same things as those functions, and much more, like send all your passwords to the Internet.

    You just must read all code before you build it.

    Sorry My Bad English
    Sunday, August 1, 2010 6:02 PM
  • Oskariok wrote: Think about this: every program you run on your computer can do the same things as those functions, and much more, like send all your passwords to the Internet. You just must read all code before you build it.

    But you don't normally build them...

    And also the fact is, if it comes from a reputable company or recognized FOSS project then you are more likely to trust it (and can read it if it's open source), whereas if it's a random segment of code posted on the internet it's completely different.

    Monday, August 2, 2010 2:58 PM
  • _TubbZ_ wrote: I think all commands that access the file system or the network should automatically be commented out, and instead of putting the line of text above the line it should stick it at the top. This way, when people download files with possibly dangerous code, they can see right away that there are commented-out lines.

    Give an example? I don't understand what you mean.
    • Edited by Jacob Brown Monday, August 2, 2010 5:19 PM Spelling
    Monday, August 2, 2010 5:17 PM
  • Oskariok: You just must read all code before you build it.

    For heaven's sake, some apps have over a thousand statements!!!

    ------------------------------------------------------------------

    If I used a wrong idiomatic compound, sorry for my English.

    Monday, August 2, 2010 5:26 PM
  • Jacob,

    All File & Network access APIs are automatically commented out when you publish/import. This addresses your security concern. You would have to explicitly uncomment them before running them.

    Wednesday, August 4, 2010 5:27 PM
    Moderator
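The two practical suggestions in this thread, Grzesio's "search the imported code for file. and network. occurrences" and the moderator's description of file/network APIs arriving commented out with a note about it, can be combined into a small review script. The following is an added example written for this page; it is not Small Basic's own import code and does not reproduce how the repository does it. It assumes Small Basic's comment marker is an apostrophe and that string literals are double-quoted (so a `File.` mention inside a string or an existing comment is not a call), and the `SAMPLE` program is constructed for the demonstration.

```python
import re

# Constructed sample of an imported Small Basic program (not from the thread).
# Line 3 is already a comment, line 5 only mentions File. inside a string.
SAMPLE = '''\
TextWindow.WriteLine("Hello")
path = "C:\\temp\\notes.txt"
' File.DeleteFile(path)  ' already commented out
File.WriteContents(path, "x")
msg = "File.DeleteFile in a string is harmless"
data = Network.GetWebPageContents("http://example.invalid/?q=" + msg)
TextWindow.WriteLine(data)
'''

# Objects whose methods touch the file system or the network (from the thread).
CALL_RE = re.compile(r"\b(File|Network)\.(\w+)", re.IGNORECASE)


def strip_strings_and_comments(line):
    """Return only the code part of a line: string literal contents are blanked
    and everything after an apostrophe outside a string (a Small Basic comment)
    is dropped. Assumption: Small Basic strings contain no escaped quotes."""
    out = []
    in_string = False
    for ch in line:
        if ch == '"':
            in_string = not in_string
            out.append(" ")
        elif in_string:
            out.append(" ")
        elif ch == "'":
            break
        else:
            out.append(ch)
    return "".join(out)


def find_risky_calls(source):
    """Return [(line_no, 'Object.Method'), ...] for every live file/network
    API use, ignoring commented-out lines and text inside string literals."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        code = strip_strings_and_comments(line)
        for m in CALL_RE.finditer(code):
            hits.append((n, f"{m.group(1).title()}.{m.group(2)}"))
    return hits


def quarantine(source):
    """Comment out each flagged line and prepend a summary header, so the
    reader sees at the top of the file which lines were disabled and why."""
    hits = find_risky_calls(source)
    flagged = {n for n, _ in hits}
    body = [
        ("' QUARANTINED: " + line) if i in flagged else line
        for i, line in enumerate(source.splitlines(), 1)
    ]
    header = ["' === review before running: file/network API calls were commented out ==="]
    header += [f"' line {n}: {name}" for n, name in hits]
    return "\n".join(header + body) + "\n"


if __name__ == "__main__":
    for n, name in find_risky_calls(SAMPLE):
        print(f"line {n}: {name}")
    print(quarantine(SAMPLE))
```

The scan is deliberately simple: it only answers "does this program reach the file system or the network, and where", which is the question the original post raises. It does not tell you what the call does with the data, so the flagged lines still have to be read before they are uncommented, exactly as the moderator describes.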