How secure or insecure is this JavaScript code if run on the server (nodeJS)?

Curious as to what unforeseen issues this type of code might present, if executed on the server. Or if there are any non-eval alternatives.

var a = {b:1, c:2, d:3, e:[1,2,3]};
(function(path) { return eval('this'+path) }).call(a, '.e[2]');

Given that path is a static value ( ".e[2]" ) and a does not have any malicious accessors or so, there is nothing insecure here except that it's totally unnecessary.

However, if path does come from a client or some other untrusted source, then passing it to eval is the worst thing you can do. It can do everything that JS code can do in node - and that is enough to harm you severely.

And yes, there are tons of non-eval alternatives.
