This repository was archived by the owner on Jan 16, 2020. It is now read-only.

Unsafe use of eval #23

Closed
@cristianstaicu


The following use of eval in lib/drivers/search/pouch.js is dangerous:

```js
if (typeof opts.collection === 'string') {
  opts.filter = "function filter (doc) {return doc.type === '" + opts.collection + "'}";
}
else {
  opts.filter = "function filter (doc) {";

  opts.filter += opts.collection.map(function (c) {
    return "if (doc.type === '" + c + "') {return true;}";
  }).join('\n');

  opts.filter += "return false;}";
}
eval(opts.filter);
```

An attacker can use a malicious payload instead of a valid collection name to inject arbitrary commands. I suggest one of the following options: refactoring out eval, using ad hoc regex validation, or using a heavyweight sanitization package like https://www.npmjs.com/package/eval-sanitizer
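
Added example (not part of the original issue or the project's code): one way to take the "refactoring out eval" option, assuming the caller can accept a function instead of generated source. The names `buildTypeFilter`, `isValidCollectionName`, `selectDocs` and the sample documents are hypothetical.

```javascript
// Hypothetical helper: returns a predicate equivalent to the generated
// `filter(doc)` source above, but the collection names are only ever data
// held in a closure. Nothing is concatenated into code or evaluated.
function buildTypeFilter(collection) {
  const names = typeof collection === 'string' ? [collection] : collection;
  if (!Array.isArray(names) || names.length === 0) {
    throw new TypeError('collection must be a string or a non-empty array');
  }
  for (const name of names) {
    if (typeof name !== 'string') {
      throw new TypeError('collection names must be strings');
    }
  }
  const allowed = new Set(names);
  return function filter(doc) {
    return doc != null && allowed.has(doc.type);
  };
}

// The "ad hoc regex validation" option as an allow-list. The permitted
// character set is an assumption; adjust it to the real naming rules.
const COLLECTION_NAME = /^[A-Za-z0-9_-]{1,64}$/;
function isValidCollectionName(name) {
  return typeof name === 'string' && COLLECTION_NAME.test(name);
}

// Constructed sample documents, for illustration only.
const docs = [
  { _id: '1', type: 'post' },
  { _id: '2', type: 'user' },
  { _id: '3', type: 'post' },
  { _id: '4', type: 'comment' },
];

function selectDocs(collection) {
  return docs.filter(buildTypeFilter(collection)).map((d) => d._id);
}

console.log(selectDocs('post'));
console.log(selectDocs(['post', 'user']));
// A name containing a quote is compared literally and matches nothing here.
console.log(selectDocs("post' || 'a' === 'a"));
```

With the closure-based filter the regex check becomes defence in depth rather than the only barrier, since a name that fails validation can no longer change what code runs.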
