Clarify on eval usage

commit 18eaffc07cd8c9d440627a8ca301c5b9abb4ecaf 1 parent 4680b21
Felix Geisendörfer authored October 08, 2012

Showing 1 changed file with 7 additions and 1 deletion.

8  README.md
@@ -234,7 +234,7 @@ solving the same problem as me:
234 234
 * big switch statements = bad
235 235
 * function calls are *really* cheap
236 236
 * buffering / concatenating buffers is ok
237  
-* eval is awesome
  237
+* eval is awesome (when using its twin `new Function()`, `eval()` itself sucks)
238 238
 
239 239
 Here is the eval example:
240 240
 
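Review bot: The changed bullet at new line 237 still opens with "eval is awesome" and gives no reason why `new Function()` is preferred over `eval()`. Consider naming `new Function()` first and stating the reason in a few words, so a reader skimming the list does not come away thinking `eval()` itself is being recommended.
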
@@ -261,6 +261,12 @@ code += '};\n';
261 261
 var parseRow = new Function('columns', 'parser', code);
262 262
 ```
263 263
 
  264
+This optimization turned out to be a huge success, and it's what allowed my
  265
+new parser to gain another 20% of performance after being very fast already.
  266
+
  267
+Of course this could turn into a security problem, but that can be easily fixed
  268
+by escaping the `column.name` properly.
  269
+
264 270
 ### Data analysis
265 271
 
266 272
 The next thing you should do is analyze your data. And for the love of god,
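
Review bot: The security paragraph at new lines 267-268 says the problem is "easily fixed by escaping the `column.name` properly" but never says what proper escaping is. Since the paragraph concerns a name that goes into the source string handed to `new Function('columns', 'parser', code)`, suggest applying the escaping in the example itself, or naming the call to use (for instance `JSON.stringify(column.name)` to emit the name as a string literal), so readers who copy the snippet get the safe form.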

5 notes on commit 18eaffc

Dan Palmer

Maybe I'm missing something, but if you are going to eval (or use new Function, which is essentially the same, it parses arbitrary code) on data from an untrusted source, it doesn't matter what has been escaped?

It's not about SQL exploits, it's about parsing whatever text you add to that 'code' variable, which might contain malicious javascript.

Felix Geisendörfer
Owner

eval() gives the executed code access to the current scope, new Function does not. This has additional security and performance implications.

Dan Palmer

Ok, I realise you don't get access to the current scope, but surely an attacker could send this:

while (true) {}

And a more malicious attacker could probably use child_process.spawn() to open up a reverse shell back to their machine.

Felix Geisendörfer
Owner

> Ok, I realise you don't get access to the current scope, but surely an attacker could send this:

Please read lines 267 - 268 in the patch above.

Dan Palmer

I understand now. Although I still think it's probably best to steer clear of things like this where there is any possibility of getting code executed. Thanks for clearing up the issue.
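
The escaping referred to at lines 267 - 268 of the patch, as an added example that is not part of the original commit or of any comment in this thread. `compileRowParser`, `naiveQuote`, `safeQuote`, `makeParser` and the sample column names are hypothetical names and constructed inputs; the generated object-literal shape is an assumption about the README example.

```javascript
// Added example: builds a row parser with new Function(), once with the column
// name spliced in unescaped ("before") and once escaped ("after").
function compileRowParser(columns, quoteName) {
  let code = 'return {\n';
  for (const column of columns) {
    code += '  ' + quoteName(column.name) + ': parser.readColumnValue(),\n';
  }
  code += '};\n';
  return new Function('columns', 'parser', code);
}

// Before: the name is wrapped in quotes but not escaped, so a quote character
// inside the name ends the string literal and the rest is parsed as code.
const naiveQuote = (name) => '"' + name + '"';

// After: JSON.stringify emits a valid JavaScript string literal for any input.
// The brackets make it a computed key, so a column called "__proto__" becomes
// an ordinary own property instead of touching the row's prototype.
const safeQuote = (name) => '[' + JSON.stringify(String(name)) + ']';

// Stand-in for the real parser object (assumption): returns values in order.
function makeParser(values) {
  let i = 0;
  return { readColumnValue: () => values[i++] };
}

// Constructed column metadata: the second name closes the literal early and
// carries a harmless marker expression.
const sampleColumns = [
  { name: 'id' },
  { name: 'x": (globalThis.__marker = "ran"), "y' },
];

// Compiles and runs a parser, reporting the resulting keys and whether text
// from the column name was executed as code.
function run(quoteName, columns = sampleColumns) {
  delete globalThis.__marker;
  const parseRow = compileRowParser(columns, quoteName);
  const row = parseRow(columns, makeParser([1, 2]));
  const markerRan = globalThis.__marker === 'ran';
  delete globalThis.__marker;
  return { row, keys: Object.keys(row), markerRan };
}

console.log('naive:', run(naiveQuote).keys, run(naiveQuote).markerRan);
console.log('safe: ', run(safeQuote).keys, run(safeQuote).markerRan);
```

Escaping only covers names placed inside the generated source; any other value concatenated into `code` needs the same treatment.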
