top of page
Search
Writer's pictureCaden Armstrong

Malicious FeatureScripts

As a consulting developer, a common question that I face is one of security, and its a question you should always be asking outside consultants and developers.


But that question doesn't come up with FeatureScript...because malicious FeatureScripts aren't really possible.


FeatureScript has an open source code - all of the Onshape standard features can be viewed by anyone. But its still a walled garden. Only Onshape can update the FeatureScript language, and the language is very limited compared to other programming languages. The list of things that FeatureScript can't do is pretty long, and frustrates some newer developers.


  • You can't make web requests

  • You can't export data

  • You can't look at any Onshape data beyond the current context of the part studio model

  • You can't make permanent changes to the document (history and rollback are never affected)


And that's why FeatureScript is secure, and a Feature can always be trusted.


If FeatureScript could export files, a Feature could create a malicious payload. If it could make web requests and access your data, your data could be stolen. If data in Onshape could be permanently modified, you could have malicious data loss. Compared to other scripting languages, this is very limiting, but FeatureScript does exactly what it needs to do - and nothing more.


FeatureScript being secure is great because it removes barriers for me to work with companies, it makes the development process simpler, and adds to the overall speedy delivery time that is only possible with Onshape.


But what's the worst I could do?

While talking about how secure FeatureScript is, its also helpful to talk about a worst case scenario. How could I be malicious? I enjoy brainstorming novel ideas, putting my white hacker hat on, and digging into what is possible. So here are some ideas I came up with for malicious features.


When I develop custom features for customers, I always give them all of the source code and ownership of it. So these would be found pretty easily.


Idea 1: Long Regen Time

An infinitely running FeatureScript is not possible. FeatureScript runtime is capped at 10 minutes. But a feature that takes 10 minutes really sucks. I find they can cause some weird things to happen in a document, and you also lose 10 minutes waiting for it to load so you can remove the feature. So worst case - you waste 10 minutes, maybe 20 if they run it twice.


Idea 2: A Randomly Misfunctioning Feature The title of my autobiography

Write a really cool feature that people want to use - and then add some random errors. This falls under "time waster" category. Every 1 in 100 feature users will see an error and waste time trying to figure out why. But what are they going to do? Contact the developer and waste my time.


Idea 3: Caden was here Also the title of my autobiography

Make a feature that modifies the model - but also adds some hidden geometry. For the past decade whenever I visit my parent's house I've been hiding sticky notes with "Caden was here" written on them. They don't use Onshape, but there's no reason my psychological torture can't make the leap. The feature could do what the user is expecting, but also hiding a teeny tiny "Caden was here" at a size that wouldn't easily be found.


Changes to a model aren't permanent, so when the hidden message is found, it can be easily undone. The worst case I can imagine is someone not finding it and sending it to be prototyped on a 3d printer. Brings up a fun question: would your company's design review find this?



Idea 4: Embed a malicious link

I've seen a few FeatureScript developers include links to their company's website in the UI of a feature. I don't like this, it clogs up the dialog. But, you could include a malicious link through this. Its a bit weak since you can't do a hyper link, and the user can see the entirety of the link. A common trick is to have a similar domain to the expected one. Ex SmartBenchSoftware.com vs SmartBenchSoftvvare.com. Remember, only click links from sources you trust.


Conclusion

FeatureScript is really hard to do evil things with, which is great. When you find that perfect custom feature, you can be confident that you aren't compromising your company's data.

47 views1 comment

Recent Posts

See All

1 Comment


Kevin Cowles
Kevin Cowles
Nov 11

This was a fun one, good stuff Caden!

Like
bottom of page