This repository was archived by the owner on Jan 16, 2020. It is now read-only.
Unsafe use of eval #23
Closed
Description
The following use of eval in lib/drivers/search/pouch.js is dangerous:
```js
if (typeof opts.collection === 'string') {
  opts.filter = "function filter (doc) {return doc.type === '" + opts.collection + "'}";
}
else {
  opts.filter = "function filter (doc) {";
  opts.filter += opts.collection.map(function (c) {
    return "if (doc.type === '" + c + "') {return true;}";
  }).join('\n');
  opts.filter += "return false;}";
}
eval(opts.filter);
```

An attacker can use a malicious payload instead of a valid collection name to inject arbitrary commands. I suggest one of the following options: refactoring out eval, using ad hoc regex validation, or using a heavyweight sanitization package like
https://www.npmjs.com/package/eval-sanitizer
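
One way to carry out the first option in the report (refactoring out eval), combined with an allow-list check on names. This is an added example, not code from the repository; `makeTypeFilter`, `COLLECTION_NAME`, the helper functions and the sample documents are assumptions made for illustration.

```javascript
// Assumption: legitimate collection names are short identifiers. The
// project's real naming rules are not stated in the issue.
const COLLECTION_NAME = /^[A-Za-z0-9_-]{1,64}$/;

// Hypothetical helper: returns a predicate equivalent to the eval'd
// `filter(doc)`, but the collection names stay data and are never parsed
// as source code.
function makeTypeFilter(collection) {
  const names = typeof collection === 'string' ? [collection] : collection;
  if (!Array.isArray(names) || names.length === 0) {
    throw new TypeError('collection must be a string or a non-empty array');
  }
  for (const name of names) {
    if (typeof name !== 'string' || !COLLECTION_NAME.test(name)) {
      throw new TypeError('invalid collection name: ' + JSON.stringify(name));
    }
  }
  const allowed = new Set(names);
  return function filter(doc) {
    return doc != null && allowed.has(doc.type);
  };
}

// Constructed sample documents.
const docs = [
  { _id: '1', type: 'post' },
  { _id: '2', type: 'comment' },
  { _id: '3', type: 'user' },
];

// Ids of the sample documents that pass the filter for `collection`.
function idsMatching(collection) {
  return docs.filter(makeTypeFilter(collection)).map((d) => d._id);
}

// True when makeTypeFilter refuses the input. A name containing a quote
// (constructed below) would end the string literal in the concatenated
// source; here it is rejected before any use.
function rejects(collection) {
  try {
    makeTypeFilter(collection);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

console.log(idsMatching('post'), idsMatching(['post', 'user']), rejects("po'st"));
```

Even without the regex check, the closure form keeps a hostile name inert, because the value is only ever compared against `doc.type` and never reaches a parser.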