
I ended up looking at this question as I was using evals in my current piece of code.

Why is using the JavaScript eval function a bad idea?

When you have JavaScript code in the browser, you download the JavaScript as part of the HTML or as a separate file. The source code is there for anyone to look at and modify. I don't see how injection attacks via an eval() could be any worse than hacking at the source code and altering that to do what the attacker wants.

Can someone explain what I am missing? Or some scenario where an eval is dangerous, that couldn't (easily) be achieved by altering the source code.

wobbily_col
  • "eval is evil" is mostly FUD. When you don't do something especially stupid (like evaling code whose origin isn't certain) there's no problem apart from the fact it's slow and inconvenient. – Denys Séguret Sep 02 '13 at 12:59

3 Answers

In the case of Javascript injection attacks, you're not worried about the browser user providing untrusted code. You're worried about code from other places. For instance, if you download data from a third-party site, and eval it, this code will be executed in the context of the user's page, and may be able to do bad things with the user's data. So you're trusting that third-party not to send you nefarious JS.

Of course, we often do this routinely -- many of us link to the Google or Microsoft CDNs to get jQuery and other libraries. These are well-known sites, and we choose to trust them to get the performance benefits. But as the sites become less trustworthy, you have to be more careful, and not just execute whatever they send you blindly.

To some extent, cross-site AJAX rules limit the damage that this third-party code can do. These browser changes were put in place precisely because XSS attacks were being performed, and sending user private data to the attackers. But eval still allows for some types of malware, so you have to be careful in using it.

Barmar
  • So can I assume that an eval on my own code is safe? – wobbily_col Sep 02 '13 at 13:13
  • @wobbily_col - even if it's safe, you should also consider other issues with it: debuggability, performance, memory usage. Eval will, in fact, invoke a compiler every time it runs. – kamituel Sep 02 '13 at 13:16
  • Yes, I have been considering those as well. It is not evaling anything complex. It just got me thinking about the security implications. – wobbily_col Sep 02 '13 at 13:48
  • When linking to resources on a CDN you should use the `integrity` attribute to make sure the linked file has hash you expect. – Fred Nov 03 '16 at 13:55
  • @Fred That protects you from someone hacking the CDN, but it doesn't protect you from the library author putting malicious code into the software. E.g. if the jQuery authors turn evil, we're in trouble. – Barmar Nov 03 '16 at 16:57

Even in a situation where you're certain that the string you're going to evaluate is trusted and safe, it's not always worth going with eval.

For example, if you'll ever want your webpage to be available on Mozilla Firefox OS as an application, eval will break it, as it's banned. See this page for details.

Similarly, simple use of eval will not work in Google Chrome Extensions, as per this doc.

And if you're not 100% positive on safety of the string you want to evaluate, you should avoid eval entirely.

kamituel
  • I can see that is another reason not to use it, but I am struggling to see the security implications, when an easily edited source file is available. – wobbily_col Sep 02 '13 at 13:10

Let's start from the potato example in the question you linked:

eval('document.' + potato + '.style.color = "red"');

Let's suppose you have an input field, called potato, on your site where you ask users to choose "body" or "forms[0]", and you use this input and the code above to change the color of the body or the first form on the pages you deliver to other users (using a DB, for example).

Now suppose a moderately evil user puts this inside potato:

"title;alert('test');({style:{color:1}})"

Then what happens is an alert. But this could be worse, like an AJAX call to a server providing confidential content of the page.

As you can see, it's about the same kind of problem as SQL injection.

Of course, you have to be very stupid to do this, that is using user supplied strings and putting them in evaled strings on other computers on pages with sensitive content. That's why I argue that "eval is evil" is mostly annoying FUD.

But another important point is that eval is slow and most of the time useless as you can have better, cleaner, more maintainable solutions.

Eval isn't evil, but it's generally bad practice.

Denys Séguret
  • I still don't see how this is any more or less secure than taking the javascript source file and hacking at that to get the same result. – wobbily_col Sep 02 '13 at 13:09
  • The important part is where you propagate your "potato" to **other users**. This could happen for example when you tell a user to specify in an input the element name that will be used to colorize in red the element in other users' browsers through an eval of the supplied code. – Denys Séguret Sep 02 '13 at 13:11
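To make the stored-injection point concrete, here is an added example, not code from the answer itself: the answer's eval line run under Node against a stand-in `document`, once with a legitimate value and once with the payload from the answer, beside an allow-list version that never turns the stored string into code. The `document` object, the `alert` stand-in and the set of allowed targets are constructed for the example.

```javascript
// Stand-in for the browser's document, so the answer's eval line runs under Node
// (constructed; only the members the example touches are present).
const document = {
  title: 'Example page',
  body: { style: { color: 'black' } },
  forms: [{ style: { color: 'black' } }],
};

// Records what an injected payload manages to do; stands in for window.alert.
const sideEffects = [];
function alert(message) { sideEffects.push(message); }

// The answer's pattern: a stored, user-supplied string is spliced into source
// text. Whatever the string contains becomes code in every viewer's browser.
function colorWithEval(potato) {
  eval('document.' + potato + '.style.color = "red"');
}

// Hardened version: the stored string is only ever a lookup key that selects a
// pre-built accessor, so no user text is ever parsed as JavaScript. A Map is
// used instead of a plain object so keys such as "constructor" cannot reach
// Object.prototype members.
const ALLOWED_TARGETS = new Map([
  ['body', () => document.body],
  ['forms[0]', () => document.forms[0]],
]);
function colorWithAllowlist(potato) {
  const getTarget = ALLOWED_TARGETS.get(potato);
  if (getTarget === undefined) {
    throw new Error('rejected target: ' + JSON.stringify(potato));
  }
  getTarget().style.color = 'red';
}

// Runs one stored value through the eval version and reports what happened.
function runEvalVersion(potato) {
  sideEffects.length = 0;
  colorWithEval(potato);
  return { bodyColor: document.body.style.color, sideEffects: sideEffects.slice() };
}

// The answer's payload, exactly as a moderately evil user would store it.
const PAYLOAD = "title;alert('test');({style:{color:1}})";

console.log('eval, benign value:', runEvalVersion('body'));
console.log('eval, stored payload:', runEvalVersion(PAYLOAD));
try {
  colorWithAllowlist(PAYLOAD);
} catch (err) {
  console.log('allow-list, stored payload:', err.message);
}
```

With the eval version the payload's `alert('test')` runs before the harmless assignment to a throwaway object, which is the "moderately evil" outcome the answer describes; anything else placed in the string, such as a request carrying the viewer's cookies, would run the same way. The allow-list version rejects the payload outright and still serves the two legitimate choices.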