Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I safely "eval" user code in a webpage?

I'm working on a webapp to teach programming concepts. Webpages have some text about a programming concept, then let the user type in javascript code into a text editor window to try to answer a programming problem. When the user clicks "submit", I analyse the text they've typed to see if they have solved the problem. For example, I ask them to "write a function named f that adds three to its argument".

Here's what I'm doing to analyse the user's text:

  1. Run JSLint on the text with strict settings, in particular without assuming browser or console functions.
  2. If there are any errors, show the errors and stop.
  3. eval(usertext);
  4. Loop through conditions for passing the assignment, eval(condition). An example condition is "f(1)===4". Conditions come from trusted source.
  5. Show passing/failing conditions.

My questions: is this good enough to prevent security problems? What else can I do to be paranoid? Is there a better way to do what I want?

In case it is relevant my application is on Google App Engine with Python backend, uses JQuery, has individual user accounts.

like image 706
Nathan Whitehead Avatar asked Jul 15 '11 23:07

Nathan Whitehead


People also ask

What is a safe alternative to using eval ()?

An alternative to eval is Function() . Just like eval() , Function() takes some expression as a string for execution, except, rather than outputting the result directly, it returns an anonymous function to you that you can call. `Function() is a faster and more secure alternative to eval().

How can eval be harmful?

eval() is a dangerous function, which executes the code it's passed with the privileges of the caller. If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage / extension.

Why JSON eval is not recommended for use?

Your server could be compromised and the data source could be tampered with.

What is eval in HTML?

Definition and Usage The eval() method evaluates or executes an argument. If the argument is an expression, eval() evaluates the expression. If the argument is one or more JavaScript statements, eval() executes the statements.


2 Answers

So from what I can tell if you are eval'ing a user's input only for them, this isn't a security problem. Only if their input is eval'd for other users you have a problem.

Eval'ing a user's input is no worse than them viewing source, looking at HTTP headers, using Firebug to inspect JavaScript objects, etc. They already have access to everything.

That being said if you do need to secure their code, check out Google Caja http://code.google.com/p/google-caja/

like image 71
Ryan Doherty Avatar answered Oct 11 '22 14:10

Ryan Doherty


This is a trick question. There is no secure way to eval() user's code on your website.

like image 26
AlienWebguy Avatar answered Oct 11 '22 15:10

AlienWebguy