How can I parse a Javascript file and get all the variables used?
I am collecting a lot of Javascript code from untrustworthy people and need to integrate it into my project. Since it is untrusted, I would like to check whether it is doing something nasty.
My main problem is the variables the code is using. To check that everything is in order, I would like to analyze the whole code and check the names of the variables. For example, all variables are included in window.sandboxedVariables.
Is it possible to parse the Javascript code (in any language, but preferably Javascript or bash) and get a list of all the variables? Can you do the same with imported libraries?
Can I do this with Uglify? I read the API documentation a bit and didn't find anything specific.
Many thanks!
You can use Mozilla Rhino. It is a JavaScript engine written in Java.
You can find an example here, similar to what you are trying to do:
http://ramkulkarni.com/blog/parsing-javascript-code-using-mozilla-rhino/
Assuming you are talking about global variables, you can do the following:
- clone the window object
- load / run the untrusted script
- compare window with the clone and move all newly added items to window.sandboxedVariables
However, this will not work if the untrustworthy script overrides one of the existing properties (variables) of window.
It is impossible to write an algorithm that validates untrusted JavaScript code. You can parse it, you can sandbox it and analyze its actions. But you can never be sure that you have defined everything that it might do, or any variable that it might use when you run it in your real environment.
If you don't trust it, either only run it in a secure sandbox or don't use it.