InsideReCaptcha
dukpy
InsideReCaptcha | dukpy | |
---|---|---|
5 | 4 | |
1,002 | 452 | |
- | - | |
0.0 | 5.7 | |
about 5 years ago | about 2 months ago | |
Python | JavaScript | |
- | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
InsideReCaptcha
-
Discussion Thread
Google: implements an entire obfuscated VM with its own bytecode inside Javascript for their CAPTCHAs so that people cannot cheat it
-
YouTube-dl has a JavaScript interpreter written in 870 lines of Python
While they likely wouldn't do a zero-day, their JS files, particularly for automated captchas, do push the boundaries of whatever JS engine they're executed inside. See https://github.com/neuroradiology/InsideReCaptcha#the-analys... and note that this analysis is 8 years old. While there's minimal risk if you're either using a full-fledged modern JS engine or a limited-subset interpreter like the OP, an older or non-optimized spec-compliant JS engine might hit pathological performance cases and result in you DOSing yourself.
- Why you can't secure a React Native (or any frontend) application
-
Get DCR onto a faucet by voting on this strawpoll for Autofaucet
So people voting for DCR are not allowed to protect their privacy with VPNs, must reveal their real IP address, and must allow proprietary, obfuscated, sophisticated Google reCAPTCHA to fingerprint the heck out of their devices.
- Installed new UDM Pro; Google thinks we are robots now
dukpy
- YouTube-dl has a JavaScript interpreter written in 870 lines of Python
-
Python is in the browser. No idea if this will lead to chaos or harmony...
oh good, maybe we can now use python's javascript interpreter in browsers https://github.com/amol-/dukpy
-
Web Browser Engineering
I was interested to see that this uses the DukPy wrapper around Duktape for the JavaScript interpreter: https://browser.engineering/scripts.html
This made me start digging into whether this was considered a "safe" way of executing untrusted JavaScript in a sandbox.
its not completely clear to me if DukPy currently attempts safe evaluation - it's missing options for setting time or memory limits on executed code for example: https://github.com/amol-/dukpy
There's a QuickJS Python wrapper here which offers those limits: https://github.com/PetterS/quickjs
I'm pretty paranoid though any time it comes to security and dependencies written in C, so I'd love to see a Python wrapper around a JavaScript engine that has safe sandbox execution as a key goal plus an extensive track record to back it up!
-
My friend thought that 1 is a string in Python
I didn't write it, but here you go. Thanks to the fact that you can pass Python arguments to the JavaScript function, it will nicely cast them for you (via JSON) and make them behave per a Javascript object, which can then do some funsies to make it act like a string.
What are some alternatives?
quickjs - Thin Python wrapper of https://bellard.org/quickjs/
libv8-node - Package libv8 from Node
jsx-control-statements - Neater If and For for React JSX
PyMiniRacer - PyMiniRacer is a V8 bridge in Python.
prettier - Prettier is an opinionated code formatter.
pyodide - Pyodide is a Python distribution for the browser and Node.js based on WebAssembly
vado - A demo web browser engine written in Haskell
binjs-ref - Reference implementation for the JavaScript Binary AST format
vscode-powertools - A swiss army knife with lots of tools, extensions and (scriptable) enhancements for Visual Studio Code.
babel-plugin-react-html-attrs - Babel plugin which transforms HTML and SVG attributes on JSX host elements into React-compatible attributes