RunPage tech overview: JS Sandboxing

In this post I will explain how RunPage runs the sandboxed Javascript code in your browser.

How the sandboxing works

It achieves sandboxing by running the provided code inside a dedicated Web Worker. The worker first instantiates a constructor of Async function using the following code.

const AsyncFunction = Object.getPrototypeOf(async function(){}).constructor;

This constructor is used to a create an async function with the script-block code as the function body, and executed as below.

try {
    const f = new AsyncFunction("globalThis", "api", "\"use strict\";\n" + scriptBlockCode);
    result = f(SharedGlobal, Api);
} catch (e) {
    // Report script error
}

SharedGlobal is the globalThis object using which script-blocks on a page can share objects among themselves. Api provides access to all the apis provided by RunPage.

The worker is instantiated when the page is executed. The same worker instance is used for all script blocks on the page and is disposed when the execution is complete. So for every run a new worker instance is created and disposed-off immediately. This ensures so memory leak persists from one run to another and the states are properly reset on every run.

The use of worker also ensures that there is no DOM access, however other browser apis like fetch etc. are available.

The main thread which initiates the worker, works by passing code of each script-block to the worker one-by-one. When the code of first script-block is executed and the main thread gets the output then only it sends the code of next script-block for execution. This means on error the main thread can terminate the process then and there and skip the rest of the script-blocks. Also this allows the main thread to set a time limit for each script-block execution. If it does not hear from the worker within the set time it can destroy the worker, effectively killing that run.

Finally the use of worker ensures that the UI is not frozen while the script-block codes are running.

Challenges with the implementation

The biggest challenge is passing data between the main thread and worker. The browser auto serializes objects when passing between these two domains. However, few objects cannot be serialized like functions which have captured a scope, etc. So many complex objects are converted into JSON before sending across the domains.

Some apis provided by RunPage allow access to other blocks on the page, like file selector, input and table blocks. These actually require access to those blocks’ DOMs. The api on the worker side does this by passing instruction messages to corresponding “server” code living on the main thread. The code on the main thread access the DOM and gets appropriate data from them and passes them back to the worker.

There is one more challenge which I have not been able to solve yet. It is reporting clear precise error. Right now the stack trace is captured and presented as output to the page user but the stack trace includes code lines from the worker and hence could be confusing to end-user. Also it does not report clearly which exact line and column in the code in the script-block ran into error. Fortunately the code can still be debugged by putting a debugger statement in the script-block code and opening the browser console. The browser will correctly pause at that point and full browser debugging facility can be used.

Introducing RunPage

RunPage is a Jupyter-like portal. If are not familiar with Jupyter, then that is a server which allows you to create documents with embedded Python codes. The documents can contain normal document stuff intermixed with Python codes. The Python codes have the ability to render directly onto the document. RunPage these documents are referred to as pages.

Difference with Jupyter

The first biggest difference is that RunPage allows you to embed Javascript codes instead of Python. Although technically Jupyter can be used to run any kind of language codes, depending on the “kernel”, but all those codes are run on server-side. In case of RunPage they all run in a “sandboxed” environment inside your own browser. So no roundtrip to server is involved which makes it faster and secure. RunPage also allows you to embed file selector in your page, which you can reference in your JS code. These selected files (excel, text, etc. files) can then be processed using APIs provided by RunPage right in your browser without uploading them to server for processing.

RunPage also provides a proper block editor, so that the article writing process is as frictionless as possible.

RunPage is a fully hosted solution with concepts of teams and sharing between teams and to public. The provided APIs are designed to be simple and intuitive. For example, unlike Jupyter the last statement in the code-block are not automatically rendered as output on the document. In RunPage each code-block (referred to as script-block in RunPage) behaves like an Async function body. So only items which are returned from that function get rendered on the page. In fact it renders an array as series of multiple outputs.

Head over to run.applegrew.com for a free account.

Downloading Certified Copy of your sale deed in Telangana

If you received a SMS from Telangana registration department, similar to the one below :-

Please collect your Document No:____, year:____ Dated _______ From SRO xxxxxx,Telangana between 10:30AM and 05:00PM on any working day. Visit website registration.telangana.gov.in to download Certified Copy of document using your registered Mobile No. and Security Code: xxxxxx. In case of any issues please call IGRS Helpdesk no. 18005994788

Then the first thing you would want to do is download the certified copy. As per instructions here you need to goto registration.telangana.gov.in then click on Certified Copy button there.

Get certified copy of your registered document like Sale Deed.

After this you will be required to create an account and login there. Which is big pain in the a*s. Here I will give you a way to bypass all that.

Below is a simple form, just click that and it will take you to the Telangana government’s portal where you need to provide your mobile number (where you received the above SMS) and the Security Code sent to you in that SMS. Clicking the below button will launch the government’s portal in a new tab.

If you are still reading, means that you have not clicked above and are worried about possible hacks stealing your passwords. These worries are very real and hence I will explain here what is going on in the button above. You can also inspect the button’s code in your browser as well.

<html>
<head>
   <title>Signed Copy Download Launcher</title>
</head>
<body>
   <form action="https://registration.telangana.gov.in/TGCertCopiesClient/LoginServlet" method="POST" target="_blank">
      <input type="hidden" name="ccType" value="CITIZEN" />
      <input type="submit" value="Go" />
   </form>
</body>
</html>

The code is simple. It just makes a POST call wit ccType=CITIZEN as form data. You can also save the above code as html page and click the button there.

Unable to login to registration.telangana.gov.in because of not receiving OTP SMS

registration.telangana.gov.in is a one stop shop to search for all registered documents. Anyone who has bought a property or wants to buy one, this is an excellent portal provided by the State Government to check for encumbrance and other details about the property.

The problem

To access these functions you need to register here, which you did; and after that when you try to login you are presented with a form where you need to enter OTP which you will get from SMS sent to your phone. However, the SMS never arrives. You click on – Resent OTP, and still nothing, no SMS. You call up the toll free helpline which is there on the portal’s header, and they ask you to clear browser history and retry. You do that diligently, inside your mind you know that it will do noting to help you. Anyway, you follow the instructions and retry and still the same issue. – If this is what happened to you as well, read on….

After some clicking around I figured that if I tried using the “Forgot password” functionality then that too sends OTP via SMS and there the SMS is actually delivered!

The solution

When you login and you are confronted with that OTP form then open another browser tab and open https://registration.telangana.gov.in/citizen_forgot_pwd.htm. Enter your email or mobile number. This will send a OTP SMS now. Instead of putting it there use that OTP on your post login form, and it will now successfully validate! Yeah!

What is your effective income tax rate?

In India the Income tax calculation is quite complicated. There are different slabs with varying percentages, then surcharges, education and health cess etc. Do you know what is the cumulative effect of all these various percentages on your net income?

Effective income tax rate is the percentage value of your final tax amount by your net taxable income after all deductions. This gives a clear picture of what percentage of your income is going to the government.

Effective Tax Rate = (Total Tax / Net Taxable Income) x 100

This analysis is not only a fun way to feel proud or… maybe sad. This also useful to make decisions like should I take home loan or pay it out of pocket? Yup sometimes taking loan is actually more economical!

First let us look at the tax amounts for taxable income ranging from zero to 5Cr, in FY 2020-2021.

See the Pen Effective Income Tax rate by Nirupam (@applegrew) on CodePen.

Next let’s look at the effective tax rate for zero to 6Cr net taxable income range. (In both the graphs the blue line is when the “new-regime” tax slab is used, and the orange line for “old regime”). The comparison for both the regimes are here – Deep dive into new tax regime of Budget 2020.

See the Pen Effective Income Tax rate by Nirupam (@applegrew) on CodePen.

In the above graph the first cliff comes at 50L mark, then at 1Cr (which is mentioned as 10M on the graph), lastly at 2Cr mark. At 2Cr the effective tax rate is whooping 43%!

Scenario: Home loan vs paying out of pocket

Now let us say you are earning 1.5Cr a year. You want to buy a 2Cr worth house (inclusive of all fees). You are able to save 1Cr a year. So that means you can pretty much pay for the house out of pocket in two years. Also since house is under construction which will need next 3years to actually complete. In this case we will talk in context of two different situations.

You take a home loan 1.6Cr for at 7.2% for 20years. Let’s use our calculator from Calculating Amortisation Schedule of your loans. You will need to pay back total 3,02,34,176 over the course of 20years. (Plus some processing fees, which would be small in comparison here). So your total expenditure would be 3.02Cr + 40L (out of pocket) = 3.42Cr.

Instead let’s say you paid for the full amount out of pocket then the cost of house would had be exact 2Cr.

However, in the case where you took loan, if you had invested the 1.6Cr amount in Mutual Funds, which typically returns about 12%; you would have got 12.3Cr at the end of 18years! (Assuming it took two year to accumulate 1.6Cr after all expenses.) Even if you invest in the safest MFs like Liquid funds which gives a typical return of 5% you would have got 3.85Cr at the end of 18yrs. 3.85-3.42 = 43L. Means you got the house practically for free with 43L to spare. OR more than 8Cr to spare in former case.

Not only that you would save on taxes due to deductions due to home loan under 80C and section 24.

LIC what were you thinking? Cracking LIC e-Policy doc password!

Long long ago I created a Gmail account for my (now) late grandfather. It seems someone else who shares the same name as my grandfather has provided and continues to provide that email as his own. Over the years I have been receiving random emails addressed to that person. I can tell they are not addressed to my grandfather since the contents in no way relate to my grandfather and he has been dead for a long time. I still have access to that email, so it very possible that the other person is some old fellow who does not quite understand emails.

Anyway fast forward to today. I received mail from LIC for the purchase of e-policy; addressed to that person. Below is the screenshot of that email.

Email screenshot with sensitive infos redacted

The email has two attachments. The second is general terms and condition but the first one is actual policy document. It is password protected. Which is a joke and the whole point for this post.

The section in red box are the rules for the password. The password is the policy number followed by date of birth in DDMM format (note no year is needed). The nine-digit policy number is provided in clear in the subject of the email and also in the names of the two attachments! The remaining part is just figuring out DDMM. That is it!

I then wrote the following Java code.

import com.lowagie.text.exceptions.BadPasswordException;
import com.lowagie.text.pdf.PdfReader;
import com.lowagie.text.pdf.parser.PdfTextExtractor;

import java.io.IOException;

public class Main {
    static final String READ_PDF = "/Path/to_password_protected_policy_doc.pdf";

    public static void main(String[] args) {
        PdfReader pdfreader = null;
        int m = 1;
        int d = 1;
        while (m <= 12) {
            String password = "<policy number here>";
            if (d < 10) {
                password += "0" + d;
            } else {
                password += d;
            }
            if (m < 10) {
                password += "0" + m;
            } else {
                password += m;
            }
            try {
                pdfreader = new PdfReader(READ_PDF, password.getBytes());
                
                // get pages in PDF - Not really needed
                int pages = pdfreader.getNumberOfPages();
                PdfTextExtractor pdfTextExtractor = new PdfTextExtractor(pdfreader);
                // Iterate through pages to read content
                for (int i = 1; i <= pages; i++) {
                    // Extract content of each page
                    String contentOfPage = pdfTextExtractor.getTextFromPage(i, true);
                    System.out.println(contentOfPage);
                }

                System.out.println("THE PASSWORD IS: " + password);
                break;
            } catch (BadPasswordException bp) {
                System.err.println("bad password: " + password);
            } catch (IOException e) {
                e.printStackTrace();
                break;
            } finally {
                if (pdfreader != null) {
                    pdfreader.close();
                }
            }
            if (d >= 31) {
                d = 1;
                m++;
            } else {
                d++;
            }
        }
    }
}

In the code above I did not even bother to check if the month really has 30 or 28 days. That really does not matter since invalid combinations will not yield a valid password. So it just wastes some time.

However, it took few milli seconds to get the right password. LIC get your acts together. This is sad. Such a large organisation with such a weak security posture is alarming.