This repository has been archived by the owner on Jan 16, 2020. It is now read-only.

Unsafe use of eval #23

Closed
cristianstaicu opened this issue Apr 8, 2016 · 2 comments

@cristianstaicu

The following use of eval in lib/drivers/search/pouch.js is dangerous:

    if (typeof opts.collection === 'string') {
      opts.filter = "function filter (doc) {return doc.type === '" + opts.collection + "'}";
    }
    else {
      opts.filter = "function filter (doc) {";

      opts.filter += opts.collection.map(function (c) {
        return "if (doc.type === '" + c + "') {return true;}";
      }).join('\n');

      opts.filter += "return false;}";
    }
    eval(opts.filter);

An attacker can use a malicious payload instead of a valid collection name to inject arbitrary commands. I suggest one of the following options: refactoring out eval, using ad hoc regex validation, or using a heavyweight sanitization package like https://www.npmjs.com/package/eval-sanitizer
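
The "refactoring out eval" option from the report above, as an added example that is not part of the original issue or the project's code: the filter becomes a closure over a set of names, so a collection name is only ever compared as data. `makeFilter`, `buildFilterSource`, `countQuotes`, `idsFor`, the naming rule and the sample documents are all hypothetical names and constructed values.

```javascript
// The issue's string-building pattern, kept only to inspect the generated
// source text. It is never evaluated here.
function buildFilterSource(collection) {
  return "function filter (doc) {return doc.type === '" + collection + "'}";
}

// Counts single quotes in generated source; an odd count means the collection
// name has escaped the string literal it was meant to sit inside.
function countQuotes(src) {
  return (src.match(/'/g) || []).length;
}

// Assumed naming rule for collections (hypothetical, not the project's).
const COLLECTION_NAME = /^[A-Za-z0-9_-]{1,64}$/;

// Closure-based replacement: accepts one name or an array of names, as the
// original branch on opts.collection does, and never builds source code.
function makeFilter(collection, strict = true) {
  const names = Array.isArray(collection) ? collection : [collection];
  if (names.length === 0) throw new TypeError('no collection given');
  for (const name of names) {
    if (typeof name !== 'string') throw new TypeError('collection must be a string');
    if (strict && !COLLECTION_NAME.test(name)) {
      throw new RangeError('invalid collection name: ' + JSON.stringify(name));
    }
  }
  const allowed = new Set(names);
  return function filter(doc) {
    return doc != null && allowed.has(doc.type);
  };
}

// Constructed sample documents.
const docs = [
  { _id: '1', type: 'users' },
  { _id: '2', type: 'posts' },
  { _id: '3', type: "o'brien" },
];

function idsFor(collection, strict) {
  return docs.filter(makeFilter(collection, strict)).map((d) => d._id);
}

console.log(idsFor('users'));                         // single collection
console.log(idsFor(['users', 'posts']));              // several collections
console.log(idsFor("o'brien", false));                // quote is plain data
console.log(countQuotes(buildFilterSource("o'brien"))); // unbalanced in source
```

With `strict` left on, the same quoted name is rejected before any filtering happens, which covers the report's validation option as a second layer rather than the only one.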

@notduncansmith
Owner

Hey Cristian, thanks for the report, and self-promotion tip. Will get on this soon. In the meantime, PouchDB is not the recommended driver for production.

@notduncansmith
Owner

Just came back to this and remembered that PouchDB's search driver is unfinished. Closing this for now.
