User input for math evaluation

[danbulant]

I'm using mathjs for my discord bot, and one of the bot lists denied the bot due to mathjs not being secure for user input. They didn't provide any other information. I then moved to use the public API instead.

Now I'm thinking about moving back into mathjs, so I could make use of contexts and similar. What do I need to do to make sure the user input is safe to evaluate? The only thing I can think of is to prevent overloading. I did something similar before, so something like just creating a separate worker with limited access to system resources and with execution timeout should be enough.

I'm evaluating user input on server (node). If the input just crashes the process, it's fine, but it can't access anything outside of it's scope (so it can't crash the whole system, access files or similar).

[josdejong]

When allowing custom user input with calculations like you can do with mathjs, you can indeed easily crash a server. There is written something about security aspects here: https://mathjs.org/docs/expressions/security.html

[cshaa]

Time for shameless self-promotion! I am the maintainter of filtrex, a minimalistic user expression parser with emphasis on security. It allows you to add whatever functions you like to the environment, therefore you could have something like:

import { compileExpression } from 'filtrex'
import * as math from 'mathjs'

const options = { extraFunctions: math };

function executeUserExpression(expr) {
  const fn = compileExpression(expr, options);
  return fn();
}

executeUserExpression( `norm(subtract([1,2], [5,-8]))` )
// 10.77

In a real-life code, you'd want to cherry-pick the methods from math after checking that they're safe, you wouldn't blindly include all of them. (For example you don't want math.parse.) Right now, filtrex doesn't support the fancy things like operator overloading, but I have plans to support them in the future (in fact, if you wanted to make a PR for this, it would be awesome).

Compared to mathjs's parse, filtrex is very limited. But it's very safe 😁️

[josdejong]

Nice, thanks for sharing :)

What makes filtrex safe, or how is it more safe than mathjs? Do you have any ideas to improve the safety of mathjs?

[cshaa]

Tbh I haven't had the time to properly learn how the mathjs's parser works, I've prioritized other parts of the library for now 😁️ Therefore I can't say with certainty that filtrex is safer than mathjs. However, I'm quite certain it's very safe, because it's a tiny little library with few moving parts and I've spent a lot of time trying to break it. It seems to me that mathjs with so much advanced functionality has much larger attack surface, so there are more opportunities for security exploits.

That said, I'm looking forward when I finally have the time to look into math.parse in more detail. Maybe I'll learn that I was wrong and it's in fact very safe 😄️

[josdejong]

👍 I think you're right, less functionality means a smaller attack surface.