I'm using Node.js and Socket.io. I've written an application which can send JavaScript snippets from the server and execute them on the client. The JavaScript is sent via Secure WebSocket (WSS), and the client has a listener which will execute any code passed to it via the server.
This short script demonstrates the principle: http://jsfiddle.net/KMURe/ and you can think of the onScript function as the socket listener.
What security protocols can I put in place to make this transaction safe? Would a secure websocket channel make it difficult for a third party to act as a middle man (altering the code before it's sent to the client)?
eval() Warning: Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval().
If, for your purpose, eval() is faster than manual interpretation, or makes your code simpler, or more clear... then you should use it. If neither, then you shouldn't. Simple as that. One such purpose might be to generate optimized code that would either be too long or too repetitive to write by hand.
An alternative to eval is Function(). Just like eval(), Function() takes some expression as a string for execution, except, rather than outputting the result directly, it returns an anonymous function to you that you can call. Function() is a faster and more secure alternative to eval().
Question : The 'eval' method within JavaScript / DemandwareScript is deprecated based on the potential security risks by using this method as it doesn't escape input parameters. Answer : You should use the 'new Function()' instead.
eval(), even if you have legit use, is just dangerous. You should avoid using it at all costs. Use it with care.
However, if it's really needed, then you can use strict mode via the "use strict" command. When eval() is executed in a strict function, the eval's content will not leak into the immediate scope. The code in an eval will be contained in eval() itself (as if it has its own scope). In the demo, try removing the trailing x and eval() will return undefined.
But still, using eval() is dangerous. It's better if you find alternatives like JSON with custom string commands that will be parsed client-side.
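A client-side dispatcher of the kind the answer recommends (the server sends a JSON message naming an allowlisted command, and the client parses and validates it instead of eval'ing code), added here as an example and not code from the question or the answer; the command names, the `{cmd, args}` message shape and the sample messages are assumptions:

```javascript
"use strict";

// Allowlist of client-side operations. The server can only name one of
// these; it cannot ship code. Each handler validates its own arguments.
const commands = Object.freeze({
  setTitle(title) {
    if (typeof title !== "string" || title.length > 200) {
      throw new TypeError("setTitle: title must be a short string");
    }
    return { title }; // in a browser this would set document.title
  },
  addNumbers(a, b) {
    if (!Number.isFinite(a) || !Number.isFinite(b)) {
      throw new TypeError("addNumbers: expected two finite numbers");
    }
    return a + b;
  },
});

// Parse one socket message and dispatch it. Returns { ok, result } or
// { ok, error } so attacker-controlled input can never throw out of here.
function handleMessage(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return { ok: false, error: "invalid JSON" };
  }
  if (msg === null || typeof msg !== "object" ||
      typeof msg.cmd !== "string" || !Array.isArray(msg.args)) {
    return { ok: false, error: "malformed message" };
  }
  // Own-property check: inherited names such as "constructor" or
  // "__proto__" must not resolve to a callable.
  if (!Object.prototype.hasOwnProperty.call(commands, msg.cmd)) {
    return { ok: false, error: "unknown command: " + msg.cmd };
  }
  try {
    return { ok: true, result: commands[msg.cmd](...msg.args) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample messages, as a server might emit them over the socket.
const sampleMessages = [
  JSON.stringify({ cmd: "addNumbers", args: [2, 3] }),
  JSON.stringify({ cmd: "constructor", args: ["return 1"] }), // rejected
  '{ "cmd": "setTitle", "args": ["hello"] }',
];
```

The socket listener from the question would call `handleMessage` on each incoming payload instead of `eval`, so a tampered or malicious message can at most select one of the predefined handlers with validated arguments.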