Silly question: running (non-ash) code?

N

neminem

New member
So I'm trying to create a fairly simple bot, and I just realized, rather than having to rewrite all the login code that mafia has in my choice of language, and then all the kmail parsing and sending code that zlib provides, I could just use mafia and zlib, and ash script it. Except then I realized, ash scripting is unlikely to have any way of generating md5 hashes*, which, there's no reason it should have that ability, but I don't know that mafia has any way of running code outside of itself, either? I would be happy either for a way to run native (Java?) code in a block (like the way you can write c++ code and drop into assembly), or a way to run an external executable that I compiled myself, passing in an argument, then waiting for it to return. (That one would be nicer, and probably easier, too.)

I bet the answer is a simple no, but I thought I would check, cause now I'm curious.

Relatedly, I know there's a command to read a url - is there any equivalent command to just read a text file on your hard drive? (As a simple string, that is, rather than needing to be in a particular map format.)

* if I'm wrong about that, I'd be happy to hear that, too.
 
roippi

roippi

Developer
This feels like one of those Hola Projects™.

Mafia can interface with external programs in a limited sense. You can specify an external editor program to use with the "edit" command - which you could probably take over for this use.
 
N

neminem

New member
bleary said:
A while back, I was playing with embedding Python into Mafia, and I had some luck. Something along these lines might be what you're looking for: http://kolmafia.us/showthread.php?8444-embedding-Jython
Click to expand...
That's a whole new frame, running code separate from ash, looks like. Granted, I suppose that would take care of being logged in, but what I'd like to be able to do is interface external code into the middle of an existing ash script. Jython wouldn't be my first choice of language, but I would be willing to accept it; looks like it'd probably work only peripherally related to yours, to get your Jython code invokable from an ash script (passing in ash variables and everything)...

I'm not entirely sure what you're referring to, roippi? If there was already an ash script that invoked an external command, it sounds like it probably wouldn't be that hard to make it more generic (I don't mind compiling my own modified source, I just don't know a huge amount of Java, so I'd rather not have to go writing large swaths of new Mafia code for the purpose.) But I didn't see one...
 
Veracity

Veracity

Developer
Staff member
The old (current) (pre-https) KoL login sequence uses MD5, so we have an implementation built-in. I imagine it could be provided to ASH. That's just string -> string, right? Or would it be (hex byte) string -> (hex byte) string? Show me some code of how you would use it.
 
N

neminem

New member
Veracity said:
The old (current) (pre-https) KoL login sequence uses MD5, so we have an implementation built-in. I imagine it could be provided to ASH.
Click to expand...
Well, I checked, and that was a lie, I'm actually being asked for an SH1 hash, not MD5 :p. But anyway, I suppose regardless if exposing a new ash command for myself that takes a string and returns a string isn't that hard, I could probably figure out how to just do that instead (see also: asking the right question.) I'm sure Java has an SH1 implementation I could import; it's probably needlessly verbose, but still.

I would just be sent a kmail with a particular command, would SH1 the sender's username with a salt and send them back the result. So string->string is fine.

Half of this thread was just curiosity, anyway. Seemed like a neat thing to know how to do, if you could. ;)
 
holatuwol

holatuwol

Developer
I avoided giving ASH unrestricted access to that kind of stuff in the past, because that can be viewed as a giant gaping security hole, but we can consider things on a case-by-case basis.

That being said, if you need an example of Java code, we have the thread dump / heap dump commands that invoke system executables and read the output into a String.
 
N

neminem

New member
holatuwol said:
I avoided giving ASH unrestricted access to that kind of stuff in the past, because that can be viewed as a giant gaping security hole
Click to expand...
That makes some sense.

The more I think about it, the more it makes sense to me that the easiest way would probably be just to look at how to add a new command, and add any I need for myself in my own private mafia version (it's just a bot, it doesn't need to be distributed). I'll look for those commands if I need an example. Thanks!
 
H

heeheehee

Developer
Staff member
Alternative: copy sample implementations for said functions into ASH? I might do that later if I get bored.
 
matt.chugg

matt.chugg

Moderator
Some out of the box thinking, if you have a local webserver, or server you trust... (ie, not the one in the example!) obviously its not ideal!

PHP: 
<?php //md5.php
    if (isset($_REQUEST["input"]) && $_REQUEST["input"] != "") {
        echo(md5($_REQUEST[input]));
    }
?>

Code: 
> ashq print(visit_url("http://mattchugg.com/kolmafia/md5.php?input=password"));

5f4dcc3b5aa765d61d8327deb882cf99
 
Last edited:
matt.chugg

matt.chugg

Moderator
During a minor motivation peak, I created a patch to add a to_md5( string string ) function to ash, its probably completely unacceptable since as we all know my java coding isn't great.

I borrowed the actual md5 functionality from a post on stackoverflow, it does work, and gives me the correct hashes (or at least hashes that match the php md5 function!)

Feel free to tell me whats wrong with it so I can learn!

Code: 
> ashq print(to_md5("password"))

5f4dcc3b5aa765d61d8327deb882cf99


Looks like you need SHA1 hash instead anyway, but the implimentation should be similar. in fact the ash function could be modified to be to_hash( string stringtohash, string hashtype )
 

Attachments

  • md5.patch
    1.9 KB · Views: 47
matt.chugg

matt.chugg

Moderator
neminem said:
Relatedly, I know there's a command to read a url - is there any equivalent command to just read a text file on your hard drive? (As a simple string, that is, rather than needing to be in a particular map format.)
Click to expand...

visit_url({relayhost}:{relayport}/test.txt) will read a text file from the relay folder if the relay browser is running.

several problems (actually making this unusable, but possibly fixable or usable if someone wanted to make a read_file() ash function):

the relay browser needs to be running
the relayhost and relay port arn't available to ash that i'm aware of.
 
N

neminem

New member
Hehe. I totally wasn't expecting this much activity from this thread. Fun, though.

Dang, adding a new ash function is that easy? Alright, you can consider this thread closed, that is a perfectly workable solution that's been pretty much handholded for me, which I'm not complaining about too much (I could've figured that much out myself, once it was pointed out, but on the flip side, I'm pretty lazy.)

Your web server idea is amusing - the server I'm running this bot on is also running apache, but I figured the best way to not accidentally introduce any security holes through my total inexperience with server-side scripting was just not enable any apache scripting modules at all, so at the moment it doesn't do anything but send people files they request.

On the other hand, that does bring up a good point that I might be able to visit_url a text file that way, using just regular localhost, not through the relay browser. Silly, but would probably work.

Thanks, Matt!
 
matt.chugg

matt.chugg

Moderator
neminem said:
Hehe. I totally wasn't expecting this much activity from this thread. Fun, though.

Dang, adding a new ash function is that easy? Alright, you can consider this thread closed, that is a perfectly workable solution that's been pretty much handholded for me, which I'm not complaining about too much (I could've figured that much out myself, once it was pointed out, but on the flip side, I'm pretty lazy.)
Click to expand...

I didn't realise it would be that easy either, probably means i've done it wrong, but it does seem to work for me

Your web server idea is amusing - the server I'm running this bot on is also running apache, but I figured the best way to not accidentally introduce any security holes through my total inexperience with server-side scripting was just not enable any apache scripting modules at all, so at the moment it doesn't do anything but send people files they request.
Click to expand...

just remember that using a server DOES mean you are passing the un-hashed raw value in a query string in plain text, although passing to localhost does make it marginally safer, but not by any means at all completely safe.

On the other hand, that does bring up a good point that I might be able to visit_url a text file that way, using just regular localhost, not through the relay browser. Silly, but would probably work.
Click to expand...

Thanks, Matt!
Click to expand...

These are all workarounds really, veracity asked you how you would want to use an md5 function as there is an md5 implementation already in kolmafia from the old login, having an ash function would probably be the "proper" way to achieve this.
 
C

Catch-22

Active member
As I read page 1 I was thinking to myself "The easiest way to do this is using visit_url with a locally hosted PHP page" and that's what matt.chugg suggested on page 2 :)

You can secure a local web server pretty much to the point of it becoming almost as secure as piping data to and from any other program. You'd do that with strict web server access lists and running your web server as a user with very limited access rights.
 
N

neminem

New member
Hey, I just remembered, I totally forgot to thank you. Matt: your patch worked awesomely. I implemented the requested bot for the upcoming Otori week a couple weeks ago, I just forgot to say anything about it. Now I not only have an sha1 ash command, but also, know how to add any other ash commands I might need, and that it isn't really all that hard. So thanks!

And, yes, I know you -can- make a web server totally secure, I'm just not an expert in apache configuration, so for me personally, I figure the best way to make sure I don't accidentally let anyone run any scripts and sneak anything by, is just not let anyone run any scripts, even myself on localhost, cause there aren't any script-running mods installed. Seems like the easiest way. :p
 
xKiv

xKiv

Active member
You can make a web server totally secure by shutting it down. I don't think any other way will do justice to the "totally" part.
 
You must log in or register to reply here.
Top