
How secure or insecure is this JavaScript code if run on the server (nodeJS)?

Curious as to what unforeseen issues this type of code might present, if executed on the server. Or if there are any non eval alternatives.

var a = {b:1, c:2, d:3, e:[1,2,3]};
// Builds the string "this.e[2]" and evaluates it with `a` bound as `this`
(function(path) { return eval('this'+path) }).call(a, '.e[2]');

Given that path is a static value ( ".e[2]" ) and a does not have any malicious accessors or so, there is nothing insecure here except that it's totally unnecessary.

However, if path does come from a client or some other untrusted source, then passing it to eval is the worst thing you can do. It can do everything that JS code can do in node - and that is enough to harm you severely.

And yes, there are tons of non-eval alternatives.
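One such eval-free alternative, as an added example that is not part of the original question or answer: the path string is tokenised into plain property names and array indices before it is walked, so a value that is not a path (for instance one containing `;`) is rejected rather than executed. The function names `parsePath` and `getPath` are assumptions of this example.

```javascript
// Added example: resolve a property path such as ".e[2]" against an object
// without eval. Only property names, numeric indices and quoted keys are
// accepted; anything else is a parse error, never code.
const TOKEN = /^(?:\.?([A-Za-z_$][\w$]*)|\[(\d+)\]|\[(["'])((?:(?!\3).)*)\3\])/;
// Keys that would let a path reach prototypes or the Function constructor.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function parsePath(path) {
  const keys = [];
  let rest = path;
  while (rest.length > 0) {
    const m = TOKEN.exec(rest);
    if (!m) throw new Error(`invalid path segment near ${JSON.stringify(rest)}`);
    const key = m[1] !== undefined ? m[1] : m[2] !== undefined ? Number(m[2]) : m[4];
    if (typeof key === 'string' && BLOCKED.has(key)) throw new Error(`blocked key: ${key}`);
    keys.push(key);
    rest = rest.slice(m[0].length);
  }
  return keys;
}

function getPath(obj, path) {
  let cur = obj;
  for (const key of parsePath(path)) {
    // Follow own properties only, so the walk never climbs into a prototype.
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Constructed sample input, same object as in the question.
const a = { b: 1, c: 2, d: 3, e: [1, 2, 3] };
console.log(getPath(a, '.e[2]')); // 3
```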
