Security manager discussion


1 hour ago, Malcolm said:

There is no need for anyone to access anything outside of that osbot directory 

I 100% agree that scripts with unknown code should be sandboxed.

1 hour ago, Malcolm said:

you’re not able to execute new runtimes afaik.

So yes, you can make and run code outside of osbot (example below). You can also read files outside of the osbot folder but not write to them (kinda dumb but ok).

Quote

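import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

import org.osbot.rs07.script.Script;
import org.osbot.rs07.script.ScriptManifest;

@ScriptManifest(author = "Bacon", name = "MAYBEmalicious", info = "malicious", version = 0.0, logo = "")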
public class Test1 extends Script {

    @Override
    public void onStart() throws InterruptedException {
        try {
            File file = new File(getDirectoryData() + "/Main.java");
            BufferedWriter output = new BufferedWriter(new FileWriter(file));
            output.write(
                    "import javax.swing.*;\n" +
                            "import java.awt.*;\n" +
                            "\n" +
                            "public class Main{\n" +
                            "\n" +
                            "    public static void main(String[] args) {\n" +
                            "\n" +
                            "        JFrame frame = new JFrame(\"FrameDemo\");\n" +
                            "        frame.setMinimumSize(new Dimension(800, 400));\n" +
                            "        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);       \n" +
                            "\n" +
                            "        JLabel myLabel = new JLabel(\"Hello World !!!\", SwingConstants.CENTER);\n" +
                            "        myLabel.setFont(new Font(\"Serif\", Font.BOLD, 22));\n" +
                            "        myLabel.setBackground(Color.blue);\n" +
                            "        myLabel.setOpaque(true);\n" +
                            "        myLabel.setPreferredSize(new Dimension(100, 80));\n" +
                            "\n" +
                            "        frame.getContentPane().add(myLabel, BorderLayout.NORTH);\n" +
                            "        frame.pack();\n" +
                            "\n" +
                            "        frame.setVisible(true);\n" +
                            "    }\n" +
                            "}");

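            output.close();
            Thread.sleep(1000);
            // Compile the file that was just written into the script data directory.
            Runtime.getRuntime().exec("javac " + getDirectoryData() + "/Main.java");
            Thread.sleep(1000); // crude wait for javac to finish

            // Launch the compiled class in a separate JVM process.
            Runtime.getRuntime().exec("java -cp " + getDirectoryData() + " Main");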

        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public int onLoop() throws InterruptedException {
        
        stop();
        return 100000;
    }
}

 

For me it seems like more of an annoyance than a safety measure because it can be "easily*" bypassed.

P.S. Congrats on super mod

*Dumb workarounds

  • Like 1
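The gap shown in the post above is that a script can still reach `Runtime.exec` and read outside the data folder. The following is an added example, not part of the original post and not OSBot's own code, of a security manager that closes both for script code only. The class name `ScriptSandbox`, the `dataDir` path and the `scriptLoader` class loader are assumptions, and it assumes a runtime where a `SecurityManager` can still be installed (the API is deprecated for removal since Java 17).

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;

// Hypothetical sandbox: limits apply only while a class from scriptLoader is on the call stack.
// Install once at client start-up: System.setSecurityManager(new ScriptSandbox(dataDir, scriptLoader));
public final class ScriptSandbox extends SecurityManager {
    private final Path dataDir;              // the only directory scripts may touch
    private final ClassLoader scriptLoader;  // assumed: loader the client uses for script classes
    private final ThreadLocal<Boolean> inCheck = new ThreadLocal<>();

    public ScriptSandbox(Path dataDir, ClassLoader scriptLoader) {
        this.dataDir = dataDir.toAbsolutePath().normalize();
        this.scriptLoader = scriptLoader;
    }

    private boolean scriptOnStack() {
        // getClassLoader() below can re-enter checkPermission; the flag stops the recursion.
        if (Boolean.TRUE.equals(inCheck.get())) return false;
        inCheck.set(Boolean.TRUE);
        try {
            for (Class<?> c : getClassContext())
                if (c.getClassLoader() == scriptLoader) return true;
            return false;
        } finally { inCheck.set(Boolean.FALSE); }
    }

    private void confine(String file, String action) {
        if (!scriptOnStack()) return;        // client and JDK code keep normal access
        // Lexical check only: resolves "..", but not symlinks inside dataDir.
        Path p = Paths.get(file).toAbsolutePath().normalize();
        if (!p.startsWith(dataDir))
            throw new SecurityException("script " + action + " outside data dir: " + p);
    }

    @Override public void checkRead(String file)   { confine(file, "read"); }
    @Override public void checkWrite(String file)  { confine(file, "write"); }
    @Override public void checkDelete(String file) { confine(file, "delete"); }

    @Override public void checkExec(String cmd) {
        // Covers Runtime.exec and ProcessBuilder.start, so "javac"/"java" cannot be launched.
        if (scriptOnStack()) throw new SecurityException("script may not start a process: " + cmd);
    }

    @Override public void checkPermission(Permission perm) {
        // Everything else is allowed, except a script replacing this manager.
        if ("setSecurityManager".equals(perm.getName()) && scriptOnStack())
            throw new SecurityException("script may not replace the security manager");
    }
}
```

The stack walk ignores `doPrivileged`, so a file read that JDK or client code performs on behalf of a script call is treated as the script's own. Reflection, class-loader creation and network permissions are left open here and would need their own checks.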
