Secure sanitize GLSL user input?

Fennec · May 27, 2022, 4:13pm

When dealing with forms and data storage/redistribution the general motto is “Never trust user data”, I can easily find ways to sanitize HTML/CSS even how to deal with files (images, videos, PDF …) before storage and I would never accept raw Javascript (eval is evil), but there isn’t much resources concerning securing or sanitizing user GLSL input.

The only way I may think of is to treat it as a simple string (server side), test it with a ShaderMaterial (client side) if the compiler doesn’t throw any error the data is cool, otherwise, ban the user and blacklist the entire region of his IP

Is there other ways to deal with this kind of data, or am I just being too paranoid and should trust the browser built in security.

marquizzo · May 27, 2022, 5:05pm

What exactly are you concerned about? The GLSL program will either compile or it won’t. I don’t think there’s much room for malicious attacks via shaders, otherwise just opening any website could be a dangerous endeavor.

Your approach sounds like a good one. Accept the user input, run the shader and see if it compiles. If it does then you can upload it to the server. That’s the way https://www.shadertoy.com/ does it. If you want extra security, I guess you could compile it server-side in a headless browser so the users don’t circumvent your upload API.

Fennec · May 27, 2022, 5:17pm

That’s the way https://www.shadertoy.com/ does it

If that’s how shadertoy deal with its shaders, then i’m cool with it … Thanks!

Topic		Replies	Views
GLSL compiler raw input? Questions glsl , shaders , compiler	2	497	November 17, 2021
Adding a non semantic keyword in GLSL Discussion glsl	5	40	February 15, 2026
Using glslify with node.js live server? Questions glsl , shaders	6	1541	February 14, 2023
Etidou’s Shader Gallery Showcase glsl , blender , post-processing , threejs	2	3851	June 7, 2023
Linter for webgl inside jsx? Questions	1	241	June 29, 2023

Secure sanitize GLSL user input?

Related topics