GatewayScript security

GatewayScript provides a unique set of considerations that affect program and system security.

Program security is critical, especially when systems are connected to the Internet. The programming model has built-in security measures that help ensure strong protection from unauthorized use.

Global object protection
Scripts do not have direct access to the global object. Instead, scripts operate on a global proxy. One script cannot affect the execution of another or modify the global state, so a later transaction cannot run within an altered run time.
Prevention of certain extensions or modifications
The provided DataPower® modules use Object.seal and Object.freeze to prevent unwanted extension or modification, where appropriate. The provided DataPower scripts are in a protected directory. The scripts can be run, but they cannot be read or written.
Protection of the GatewayScript built-in object
The GatewayScript built-in object prototypes are frozen with Object.freeze by default. This prevents unwanted modification of existing property attributes and values, addition of new properties, or removal of existing properties of the GatewayScript built-in objects. When you need to manipulate the built-in object prototypes, you must disable the object prototype freeze by configuring GatewayScript settings.
When the built-in object prototypes are frozen and you want to redefine a property of a user-defined object that is inherited from a GatewayScript built-in object, you must use the Object.defineProperty() API.
For example, if you redefine the toString function of the lib object by assignment, you get the error "TypeError: Cannot assign to read only property 'toString' of lib object".
// Create the lib user-defined object
var lib = {};
// Assignment to the inherited toString property throws TypeError while
// the built-in prototypes are frozen
lib.toString = function() { return "lib.toString"; };
The correct way is to use the Object.defineProperty() API, which creates an own property on lib instead of assigning to the inherited one.
// Create the lib user-defined object
var lib = {};
// Define toString as an own property of lib
Object.defineProperty(lib, 'toString', {
    value: function() { return "lib.toString"; }
});
You can retrieve the list of properties that are inherited from a built-in object with Object.getOwnPropertyNames(builtInObject.prototype).
Object.getOwnPropertyNames(Object.prototype);
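The following added example (not from the DataPower documentation) shows the behaviour described above: assignment to an inherited property fails under strict mode once the prototype is frozen, Object.defineProperty() succeeds, and the frozen prototype itself rejects modification. It assumes a stand-in frozen object in place of the real Object.prototype so that the demonstration does not alter the host runtime.

```javascript
// Stand-in for a frozen GatewayScript built-in prototype (assumption: a
// separate frozen object is used rather than freezing Object.prototype itself).
const builtInProto = Object.freeze({
  toString() { return '[object BuiltIn]'; },
});

// Property names a user-defined object inherits from the frozen prototype.
function inheritedNames() {
  return Object.getOwnPropertyNames(builtInProto);
}

// Redefining an inherited property by assignment. GatewayScript runs scripts
// in strict mode; with a frozen prototype the assignment throws TypeError
// ("Cannot assign to read only property 'toString' ...").
function redefineByAssignment() {
  'use strict';
  const lib = Object.create(builtInProto);
  try {
    lib.toString = function () { return 'lib.toString'; };
    return { ok: true, result: String(lib) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// The supported way: define an own property on the user-defined object.
function redefineWithDefineProperty() {
  const lib = Object.create(builtInProto);
  Object.defineProperty(lib, 'toString', {
    value: function () { return 'lib.toString'; },
  });
  return String(lib);
}

// Changing the frozen built-in prototype itself is rejected whichever API is
// used, because its properties are non-writable and non-configurable.
function tamperWithBuiltIn() {
  try {
    Object.defineProperty(builtInProto, 'toString', { value: () => 'tampered' });
    return 'modified';
  } catch (e) {
    return e.name;
  }
}

module.exports = { inheritedNames, redefineByAssignment, redefineWithDefineProperty, tamperWithBuiltIn };
```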
Protection of critical code
The internal portions of the GatewayScript programming process are implemented as libraries on the DataPower Gateway. These libraries are protected from viewing in the debugger, which provides an extra layer of security.
Protection of code against SSCA vulnerabilities
By default, untrusted code mitigation is enabled to protect against Speculative Side-Channel Attacks (SSCA) vulnerabilities. You can disable this protection mechanism in the GatewayScript settings configuration.
Use of strict mode
Strict mode restricts ECMAScript syntax so that some silent errors are changed to thrown errors, which helps with code optimization and prohibits questionable syntax.
No eval() function and no compilation from strings
The eval() function is disabled by default.
The eval() function is a JavaScript function, not a GatewayScript function. By disallowing the eval() function and compilation from strings, GatewayScript prevents injection attacks that rely on invoking malicious script text. However, some use cases require eval() for dynamic evaluation. The eval() function can be enabled in an isolated manner, per transaction, with the var://service/gatewayscript/enable-eval variable. This enablement does not affect other transactions, the application domain, or the system as a whole.
Limits to the urlopen() function
To access local files, the urlopen() function allows access to only the local: and store: directories.
Protection of flexible location references
The DataPower Gateway supports the use of dot dot (..) in a limited context to refer to the parent directory in a file path or a protocol URL. The .. structure is allowed only in the GatewayScript transform.xslt() and dp:gatewayscript() functions. In this context, only leading .. segments are resolved. In ../../c/../called.js, the .. specification after (to the right of) c/ is an error.