简体繁体 English

使用eval（）在JavaScript中执行用户输入的安全风险

[英]Security risks of using eval() to execute user input in JavaScript

原文 2009-10-30 17:07:04 1 7 javascript

I'm planning on throwing together a quick web page for my students to teach them about JavaScript programming. 我计划将一个快速的网页放在一起，让我的学生教给他们有关JavaScript编程的知识。 On this page, I'd like to give them a text box and allow them to run JavaScript so that they can see the dynamic nature of the language at work. 在此页面上，我想给他们一个文本框，并允许他们运行JavaScript，以便他们可以看到工作中语言的动态性质。 However, I'm well aware that using eval() on user input is usually a really bad idea. 但是，我很清楚，在用户输入上使用eval（）通常不是一个好主意。 What kind of security risks am I taking on by publishing a page like this? 发布这样的页面会给我带来什么样的安全风险？ What steps should I take to mitigate these risks? 我应采取哪些步骤来减轻这些风险？

7 个解决方案

The security risk you're taking, is that you're taking input from the user and running it in the context of a script on your site. 您面临的安全风险是，您正在接受用户的输入，并在您网站上的脚本上下文中运行它。 Imagine if you were a malicious cracker that for whatever reason had full access to modify the JavaScript running on a website. 想象一下，如果您是一个恶意破解者，则无论出于何种原因都拥有完全权限来修改网站上运行的JavaScript 。 You can do anything that JavaScript running on your domain would have the ability to do (including cookie stealing, XSS , drive-by malware, etc.). 您可以执行域上运行的JavaScript可以执行的任何操作（包括cookie窃取， XSS ，恶意软件驱赶等）。

The only thing you can realistically do to mitigate the risks is to not eval() user-provided content. 实际上，减轻风险的唯一方法是不要评估用户提供的内容。 Attempts to sanitise the input to only allow "safe" input are doomed to failure; 尝试清理输入内容以仅允许“安全”输入内容注定会失败。 it's almost impossible to define what counts as safe, and even harder to actually limit the script to that (given that the potential attacker has an interpreted language with which to disguise his intentions). 定义什么才是安全的几乎是不可能的，甚至很难将脚本实际限制为安全的（鉴于潜在的攻击者使用了一种可掩饰其意图的解释性语言）。

Mind you, if this is for educational purposes then one approach is just to make sure that all of the security holes don't matter. 请注意，如果这是出于教育目的，那么一种方法只是确保所有安全漏洞都无关紧要。 Bad JavaScript cannot destroy your server or steal money from your bank account (unless it's on your bank's web page of course). 错误的JavaScript无法破坏您的服务器或从您的银行帐户中窃取资金（当然，除非它在银行的网页上）。 If the site hosting the page has no cookies or sessions worth stealing, and students know it's just an educational resource, I don't think there would be anything to worry about. 如果托管该页面的站点没有cookie或值得窃取的会话，并且学生知道这只是一种教育资源，那么我认为没有什么可担心的。 Most of the attacks rely on accessing confidential information stored on your domain, or tricking domain visitors into giving up confidential information somehow ( phishing attacks or similar). 大多数攻击都依赖于访问存储在您域中的机密信息，或者欺骗域访问者以某种方式放弃机密信息（网络钓鱼攻击或类似攻击）。 For your purposes I think you'll be OK - just don't do it on a "real" website. 为了您的目的，我认为您会没事的-只是不要在“真实”的网站上这样做。

It will be running on their own machine. 它将在自己的计算机上运行。 Just don't let them save strings and send to other people -- also don't put the values in the URL via a GET (so that it can be emailed). 只是不要让他们保存字符串并发送给其他人-也不要通过GET将值放在URL中（以便可以通过电子邮件发送）。

If it's on a local "Throw-away" machine, then there is very little risk. 如果是在本地“抛弃式”计算机上，则风险很小。 Since everything is being run client-side, they can only harm themselves with JavaScript . 由于所有内容都在客户端运行，因此它们只能使用JavaScript伤害自己。 Worst case they could be opening Ajax connections, but that's not much more harmful than giving them a Firefox with the Tamper Data add-on. 最坏的情况是，他们可能会打开Ajax连接，但这并没有给他们提供带有Tamper Data插件的Firefox有害。

In short, there's very little risk (except performance-wise) of giving them free-reign with JavaScript except to the machine they are using, but it's still nothing they couldn't do themselves if crafty enough. 简而言之，除了在使用的机器上使用JavaScript之外，几乎没有任何风险（从性能角度而言），但是如果有足够的技巧，他们仍然无法做不到。 I'd recommend either having them run it on their own machines, or on a demo box that you can re-image at any time when it gets too laden with crap to continue running. 我建议要么让他们在自己的机器上运行它，要么在一个演示盒上，当它太烂而无法继续运行时，您可以在任何时候重新映像它们。

Now, giving them eval access to PHP /etc on the other hand would be a horrible, terrible idea. 现在，另一方面，让他们评估对PHP / etc的访问将是一个可怕的，可怕的想法。

I would recommend you to sandbox all the user input evaling, to prevent the evaluated code to access all of the global (window) object properties and methods. 我建议您将所有用户输入逃避沙箱化，以防止所评估的代码访问所有全局（窗口）对象属性和方法。

Give a look to the following resources: 看一下以下资源：

You could try using a JavaScript sandboxing library. 您可以尝试使用JavaScript沙箱库。 Dean Edward's solution Caja do not restrict code from accessing the current window or document. Dean Edward的解决方案Caja不会限制代码访问当前窗口或文档。 The JSandbox library fully sandboxes code execution using Web Worker Threads (you won't be able to use the DOM because of this) but it only works in browsers that support them. JSandbox库使用Web Worker Threads完全沙箱化了代码执行（因此，您将无法使用DOM），但它仅在支持它们的浏览器中起作用。

JSandbox is asynchronous so you will need to change your code to make use of callbacks if you choose to use it. JSandbox是异步的，因此如果您选择使用它，则需要更改代码以使用回调。

There is really no serious risk here. 这里确实没有严重的风险。 For example, open up firebug on this page and type in the console: eval("alert('hello');"); 例如，在此页面上打开firebug并在控制台中键入： eval("alert('hello');"); , problem? ，有问题吗？ Not really. 并不是的。

For demo purposes this is no big deal. 出于演示目的，这没什么大不了的。

Well what that means is that any code a user wants to execute on your form they can and under the authority of the domain your site is running under. 好的，这意味着用户想要并可以在您的网站所运行的域的权限下执行的任何代码都可以在您的表单上执行。

So if someone wants to execute code on a machine which is locked down, but trusts your site (eg would allow you to run active x controls, etc. etc.), that person would have the ability to do so by typing in the correct code an using your site to eval the script into the trusted space. 因此，如果某人想要在被锁定但仍信任您的站点的机器上执行代码（例如，将允许您运行活动的x控件等），则该人可以通过输入正确的密码来执行此操作。使用您的网站编写代码，以将脚本评估到受信任的空间。 Essentially, by doing this, you are certifying that anything which runs on that page is verified as safe to people who trust your domain. 本质上，通过这样做，您可以证明该页面上运行的所有内容都对信任您的域的人来说是安全的。 (Think trusted sites in IE etc.) （请考虑IE等中受信任的站点。）