Fix dynamic code execution in safe mode

[patryk4815]

Hi. I found a "Function" workaround and now in safe mode we can execute dynamic code like as "eval".
I think it is security vuln and need CVE?

Function("){return 1337})//", "return this")();

BTW Why function arguments are not sanitized? It just concatenate string.

[drsm]

@patryk4815

nice catch!

but unlikely exploitable, 'cause in order to do this, the stuff before the function body should came from non-trusted source.

there is only an ability to forge an intentionally malicious configuration that bypass a code execution restriction.

[drsm]

BTW, it would be nice to document that in "non-safe" mode it's up to the caller to sanitize inputs.

[xeioex]

Hi @patryk4815,

Thanks for the patch, will be committed.

I think it is security vuln and need CVE?

This is bug but not a security vulnerability, because in njs threat model the code is a part of nginx configuration, and the configuration is expected to be a trusted source (it also contains certificates, for example).

[xeioex]

@patryk4815

BTW Why function arguments are not sanitized? It just concatenate string.

Mostly because dynamic execution methods like eval() and Function() are not expected to be used in njs at all.
Their support is limited, and was added to increase test262 coverage of other functionality.