Securely sanitize GLSL user input?

When dealing with forms and data storage/redistribution, the general motto is “Never trust user data”. I can easily find ways to sanitize HTML/CSS, even how to deal with files (images, videos, PDF …) before storage, and I would never accept raw JavaScript (eval is evil), but there aren’t many resources concerning securing or sanitizing user GLSL input.

The only way I can think of is to treat it as a simple string (server side) and test it with a ShaderMaterial (client side): if the compiler doesn’t throw any error, the data is cool; otherwise, ban the user and blacklist the entire region of his IP :sunglasses:

Are there other ways to deal with this kind of data, or am I just being too paranoid and should trust the browser’s built-in security?

What exactly are you concerned about? The GLSL program will either compile or it won’t. I don’t think there’s much room for malicious attacks via shaders, otherwise just opening any website could be a dangerous endeavor.

Your approach sounds like a good one. Accept the user input, run the shader and see if it compiles. If it does then you can upload it to the server. That’s the way https://www.shadertoy.com/ does it. If you want extra security, I guess you could compile it server-side in a headless browser so the users don’t circumvent your upload API.

2 Likes
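
The compile check described in the answer above, as an added example that is not part of the original thread and is not three.js or Shadertoy code: it uses the standard WebGL API to compile the submitted fragment shader, link it against a pass-through vertex shader, and free the GPU objects afterwards. The function names, the size cap and the vertex shader are assumptions made for this example.

```javascript
// Added example: compile-and-link check for a user-supplied fragment shader.
// MAX_SOURCE_CHARS and both function names are assumptions, not from the thread.
const MAX_SOURCE_CHARS = 64 * 1024;

// Minimal vertex shader so the user's fragment shader can also be link-tested.
const PASS_THROUGH_VS = `
attribute vec2 position;
void main() { gl_Position = vec4(position, 0.0, 1.0); }
`;

function compileStage(gl, type, source) {
  const shader = gl.createShader(type);
  if (!shader) return { shader: null, log: "context lost" };
  gl.shaderSource(shader, source);
  gl.compileShader(shader);
  if (!gl.getShaderParameter(shader, gl.COMPILE_STATUS)) {
    const log = gl.getShaderInfoLog(shader) || "compile failed";
    gl.deleteShader(shader);
    return { shader: null, log };
  }
  return { shader, log: "" };
}

// gl: a WebGLRenderingContext, e.g. canvas.getContext("webgl") in the browser.
function validateFragmentShader(gl, source) {
  if (typeof source !== "string" || source.length === 0) {
    return { ok: false, log: "empty or non-string source" };
  }
  if (source.length > MAX_SOURCE_CHARS) {
    return { ok: false, log: "source too large" };
  }
  const vs = compileStage(gl, gl.VERTEX_SHADER, PASS_THROUGH_VS);
  if (!vs.shader) return { ok: false, log: vs.log };
  const fs = compileStage(gl, gl.FRAGMENT_SHADER, source);
  if (!fs.shader) {
    gl.deleteShader(vs.shader);
    return { ok: false, log: fs.log };
  }
  const program = gl.createProgram();
  let ok = false, log = "context lost";
  if (program) {
    gl.attachShader(program, vs.shader);
    gl.attachShader(program, fs.shader);
    gl.linkProgram(program);
    ok = !!gl.getProgramParameter(program, gl.LINK_STATUS);
    log = ok ? "" : gl.getProgramInfoLog(program) || "link failed";
    gl.deleteProgram(program);
  }
  // Free the shader objects either way; this check never draws anything.
  gl.deleteShader(vs.shader);
  gl.deleteShader(fs.shader);
  return { ok, log };
}
```

A successful compile and link only shows that the source is valid GLSL for that driver; it does not bound how long the shader takes to run per frame.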

That’s the way https://www.shadertoy.com/ does it

If that’s how Shadertoy deals with its shaders, then I’m cool with it … Thanks!