| | InsideReCaptcha | Duktape |
|---|---|---|
| Mentions | 5 | 10 |
| Stars | 1,002 | 5,842 |
| Growth | - | - |
| Activity | 0.0 | 6.4 |
| Last commit | over 5 years ago | 2 months ago |
| Language | Python | JavaScript |
| License | - | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
InsideReCaptcha
- Discussion Thread
Google: implements an entire obfuscated VM with its own bytecode inside Javascript for their CAPTCHAs so that people cannot cheat it
- YouTube-dl has a JavaScript interpreter written in 870 lines of Python
While they likely wouldn't do a zero-day, their JS files, particularly for automated captchas, do push the boundaries of whatever JS engine they're executed inside. See https://github.com/neuroradiology/InsideReCaptcha#the-analys... and note that this analysis is 8 years old. While there's minimal risk if you're either using a full-fledged modern JS engine or a limited-subset interpreter like the OP, an older or non-optimized spec-compliant JS engine might hit pathological performance cases and result in you DOSing yourself.
- Why you can't secure a React Native (or any frontend) application
- Get DCR onto a faucet by voting on this strawpoll for Autofaucet
So people voting for DCR are not allowed to protect their privacy with VPNs, must reveal their real IP address, and must allow proprietary, obfuscated, sophisticated Google reCAPTCHA to fingerprint the heck out of their devices.
- Installed new UDM Pro; Google thinks we are robots now
Duktape
- Roll your own JavaScript runtime, pt. 3
- How to Create a Modern C Project with CMake and Conan
In my projects I search for single file libs (like https://github.com/svaarala/duktape etc...)
- Is there anyway to bypass the limit of rand()?
Use lrand48(), or better, implement a high-quality RNG like PCG or splitmix64.
- Libgrapheme: A simple freestanding C99 library for Unicode
You can also refer to the Unicode routines of other small JS engines[1,2], those don’t use ICU either, although the implementations are mercilessly size-optimized (to put it politely) and restricted to what the target JS version requires (e.g. casemapping but no normalization).
[1] https://github.com/bellard/quickjs/blob/master/libunicode.c
[2] https://github.com/svaarala/duktape/blob/master/src-input/du...
- Duktape
- Nan Boxing
> memcpy from bytes to a NaN should work fine
Signaling NaNs are explicitly undefined in C11 F.2.1.: "This specification does not define the behavior of signaling NaNs." - and in practice may be "quieted" by conversion to Quiet NaNs, changing their bit patterns. Fast math optimization flags will also break the hell out of your code by assuming NaNs are impossible. I want to say there are more circumstances where optimizers and compiler generated code can butcher your NaN payloads, but I'd be working off recollected hearsay and I can't find a source, so don't quote me on that.
NaN boxing is common enough that, if you take the right precautions, a modern compiler should probably support it, maybe. NaN boxing is uncommon enough that, if your codebase needs to be sufficiently portable, you need an opt out for when it breaks. Let's review duktape's scars:
https://github.com/svaarala/duktape/blob/123d9426d5e5b36d5da...
https://github.com/svaarala/duktape/blob/5252b7a50611a3cb8bf...
https://github.com/svaarala/duktape/blob/224a0b89ca08a36e37e...
Note that "the right precautions" involve unions and proper integer types to avoid optimizer-invoked rewrites of the value and debugging when things go wrong, not simply YOLOing bytes into a double via memcpy. Note that debugging when it all goes terribly wrong can be quite painful. I've personally had the misfortune of being forced to debug duktape being built with fast math optimizations enabled on one "rare" platform + build configuration that wasn't caught by duktape's #if defined(__FAST_MATH__) checks linked above (wasn't Clang nor GCC, so go figure it didn't make the same #define).
- YouTube-dl has a JavaScript interpreter written in 870 lines of Python
I was expecting this to be about Duktape <https://github.com/svaarala/duktape>, but heh, for sure no. I'd bet $1 there's no way youtube-dl would switch, but I wonder if yt-dlp would?
- Optimizations Enabled by -ffast-Math
Fast math optimizations can break code like this by breaking isNaN.
I was porting a C++ project to a certain platform - and that platform enabled a -ffast-math equivalent by default in Release (but not Debug) builds! This broke duktape, a JS engine said project embedded, in some nasty and subtle ways. Instead of storing a number/pointer/??? (8 bytes) + type tag (4? bytes) for each dynamically typed JS value, duktape can bit-pack values into a single 8 byte "double" value by storing object/string handles as NaN values - this isn't an uncommon trick for dynamically typed scripting stuff:
https://github.com/svaarala/duktape/blob/c3722054ea4a4e50f48...
Naturally, the -ffast-math equivalent broke isNaN checks, which caused random object/string handles to be mistakenly reinterpreted as "numbers" - but only in Release builds, for this one particular platform, in one rarely taken branch, so neither QA nor CI caught it, leading to hours of manufacturing a repro case, stepping through an absurd amount of code, and then finally looking at the default build rules and facepalming.
Cursing the platform vendor under my breath, I overrode the defaults to align with the defaults of every other config x platform combination we already had: no fast math. If you want those optimizations, use SSE-friendly NaN-avoiding intrinsics - or, if you must use the compiler flags, ensure you do so consistently across build configs and platforms, perhaps limited to a few TUs or modules if possible. This allows you to have a chance at using your Debug builds to debug the resulting "optimizations".
- Can C++ and JS be used together?
Sure. For example, DukTape is an implementation of Javascript designed to be embedded in other projects. Google's V8 Javascript engine (used in Chrome), can also be embedded, see Node.Js for example.
- [AskJS] Do you use JavaScript on Microcontrollers? Which engine / interpreter?
- Duktape (4.8k stars)
What are some alternatives?
quickjs - Thin Python wrapper of https://bellard.org/quickjs/
V8 - The official mirror of the V8 Git repository
libv8-node - Package libv8 from Node
quickjs - Public repository of the QuickJS Javascript Engine.
PyMiniRacer - PyMiniRacer is a V8 bridge in Python.
Lua - Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.
jerryscript - Ultra-lightweight JavaScript engine for the Internet of Things.
ChaiScript - Embedded Scripting Language Designed for C++
SWIG - SWIG is a software development tool that connects programs written in C and C++ with a variety of high-level programming languages.
ChakraCore - ChakraCore is an open source Javascript engine with a C API. [Moved to: https://github.com/chakra-core/ChakraCore]
V7 - Embedded JavaScript engine for C/C++
Wren - The Wren Programming Language. Wren is a small, fast, class-based concurrent scripting language.