Commit
18eaffc
Maybe I'm missing something, but if you are going to eval (or use new Function, which is essentially the same, it parses arbitrary code) on data from an untrusted source, it doesn't matter what has been escaped?
It's not about SQL exploits, it's about parsing whatever text you add to that 'code' variable, which might contain malicious javascript.
eval() gives the executed code access to the current scope, new Function does not. This has additional security and performance implications.
Ok, I realise you don't get access to the current scope, but surely an attacker could send this:
And a more malicious attacker could probably use child_process.spawn() to open up a reverse shell back to their machine.
Please read lines 267 - 268 in the patch above.
I understand now. Although I still think it's probably best to steer clear of things like this where there is any possibility of getting code executed. Thanks for clearing up the issue.
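The scope point argued in the thread above, shown as an added example that is neither the commit's code nor the reviewers': direct eval() can read a variable from the enclosing lexical scope, new Function cannot, but new Function still reaches every global, so hiding the local scope is not a sandbox. The last function shows the safe path for text that is meant to carry data, JSON.parse plus a shape check. The names secret, appConfig and parseUntrustedPayload, and the two payload strings, are constructed for this demonstration.

```javascript
// Added example (not code from the commit or its review thread).
// `secret` lives in the file's lexical scope; `appConfig` is a constructed global.
const secret = 'module-local';
globalThis.appConfig = { debug: false };

// Direct eval runs in the caller's lexical scope, so the string can read `secret`.
function evalSeesLocalScope() {
  return eval('secret');
}

// new Function compiles in the global scope: lexical variables are not visible.
function newFunctionSeesLocalScope() {
  try {
    return new Function('return secret')();
  } catch (e) {
    return e instanceof ReferenceError ? 'ReferenceError' : String(e);
  }
}

// ...but every global is still reachable, so evaluated text can read and
// change application state (and, under Node, load modules). Escaping the
// input does not change this; the text is parsed and run as a program.
function newFunctionReachesGlobals() {
  new Function('globalThis.appConfig.debug = true')();
  return globalThis.appConfig.debug;
}

// Untrusted text that carries data should be parsed, never executed.
// JSON.parse evaluates nothing; a shape check then rejects unexpected content.
function parseUntrustedPayload(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: 'not JSON' };
  }
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    return { ok: false, reason: 'expected an object' };
  }
  if (typeof value.name !== 'string' || typeof value.count !== 'number') {
    return { ok: false, reason: 'unexpected shape' };
  }
  return { ok: true, name: value.name, count: value.count };
}

// Constructed inputs: a benign payload and one that would be code if it were
// handed to eval/new Function. JSON.parse treats the latter as malformed data.
const benign = '{"name":"alice","count":3}';
const hostile = 'globalThis.appConfig.debug = true; ({"name":"x","count":1})';

console.log('eval sees local scope:', evalSeesLocalScope());
console.log('new Function sees local scope:', newFunctionSeesLocalScope());
console.log('new Function reaches globals:', newFunctionReachesGlobals());
console.log('benign payload:', parseUntrustedPayload(benign));
console.log('hostile payload:', parseUntrustedPayload(hostile));
```

Run it with any recent Node.js (globalThis is needed). The design choice worth noting is that the parser accepts only a declared shape; anything else, including syntactically valid JSON with the wrong types, is rejected with a reason rather than passed through.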