
Introduction

I'm currently working on a project called draw.js. The idea behind the project is to have an online code editor linked to a drawing space so you can draw using code.

I got this idea when I first discovered the two.js library. I wanted to get started drawing right away but couldn't, since I had to set up files etc. first. Setting up the files once and hosting it online with the code editor right there next to it made it much easier to get started, and on top of that, I could do it from anywhere I wanted (school, home etc.) without having something like a USB stick handy.

Having the code editor right there also made getting the results much quicker. So only big plus points there.

I had to figure out a way to actually run the code I put into the code editor part of my web app. I did some research online and found out the easiest solution would be to take the code, put the string in a variable and then pass the variable into the eval() function built into JavaScript.

My problem

This solution works flawlessly and it was super easy to set up. However, research online, along with common sense, tells me that this is a really insecure solution.

You can basically put in any valid js and it will run.

Now this is a problem for stuff like $("body").html(""); but this is not the end of the world. Editing the HTML like that is powerful, but only client side. You can practically do this by opening your dev tools in Chrome.

My question

I wasn't able to think of any serious problems with this security flaw myself. However, I'm not really a specialist in this field. That's why I'm asking this question.

Are there any real dangers when using eval() in this way? WHAT ARE THOSE DANGERS?

If there are any...

Is there a way to fix this hole in security? Perhaps only allowing access to certain libraries?

If there is a way to fix this, please tell me how I would go about fixing it?

2 Answers

Assume I'm a super legit user of your cool web application, have authenticated myself, and wrote a cool script you (as developer of the application) want to run. Of course, you as super user can do much more than me as a simple user. And I'm jealous of your rights.

It shouldn't be too difficult to write a script which, when executed:

  1. Fakes the code input to look like something it is not.
  2. Gets your authentication object and posts it to another server.
  3. Gets more available information from your system (see https://github.com/Valve/fingerprintjs2).

Besides these privacy issues, it can load ads from rogue networks which have the power to inject viruses on your and other users' systems.

Basically, just don't trust any user's code. If you want to execute user-submitted code, be careful that it only has a limited scope it can access. Such a thing (a sandbox) can only alter a specific part of your page. For a specific example of a library you can use to achieve this, see https://github.com/asvd/jailed.

Corstian Boerman
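An added example of the sandbox approach this answer describes (not code from the question, the answers, draw.js or jailed): the user's script runs in a sandboxed iframe with an opaque origin and can reach the page only through postMessage, which the host checks against a small allow-list of drawing commands. The function names, ALLOWED_COMMANDS and the three-command drawing API are this example's own assumptions.

```javascript
// Added example (not from the question, the answers, draw.js or jailed); all
// names and the three-command drawing API are this example's own assumptions.
// Commands the sandboxed script may send, with the numeric parameters the host checks.
const ALLOWED_COMMANDS = { circle: ['x', 'y', 'r'], line: ['x1', 'y1', 'x2', 'y2'], clear: [] };
// Validate one message from the sandbox: returns a cleaned command object, or null for
// an unknown command or a missing/non-finite number. Extra properties are dropped.
function validateDrawCommand(msg) {
  if (!msg || typeof msg !== 'object' || typeof msg.cmd !== 'string') return null;
  const params = ALLOWED_COMMANDS[msg.cmd];
  if (!params) return null;
  const out = { cmd: msg.cmd };
  for (const p of params) {
    if (typeof msg[p] !== 'number' || !Number.isFinite(msg[p])) return null;
    out[p] = msg[p];
  }
  return out;
}

// Document for the sandboxed frame. With sandbox="allow-scripts" and no
// allow-same-origin it gets an opaque origin: no access to the host's cookies, storage
// or DOM; postMessage is its only channel out. "</" is escaped so user code containing
// "</script>" cannot close the inline script early.
function sandboxSrcdoc(userCode) {
  const code = JSON.stringify(userCode).replace(/<\//g, '<\\/');
  return `<script>
    const draw = {
      circle: (x, y, r) => parent.postMessage({ cmd: 'circle', x, y, r }, '*'),
      line: (x1, y1, x2, y2) => parent.postMessage({ cmd: 'line', x1, y1, x2, y2 }, '*'),
      clear: () => parent.postMessage({ cmd: 'clear' }, '*'),
    };
    try { new Function('draw', ${code})(draw); }
    catch (e) { parent.postMessage({ cmd: 'error', message: String(e) }, '*'); }
  <\/script>`;
}

// Host side: mount the frame and forward only validated commands to the drawing layer
// (e.g. translated into two.js calls). Messages from any other window are ignored.
function mountSandbox(container, userCode, onCommand, onError) {
  const iframe = document.createElement('iframe');
  iframe.setAttribute('sandbox', 'allow-scripts');
  iframe.srcdoc = sandboxSrcdoc(userCode);
  window.addEventListener('message', (event) => {
    if (event.source !== iframe.contentWindow) return;
    if (event.data && event.data.cmd === 'error') return onError(String(event.data.message));
    const cmd = validateDrawCommand(event.data);
    if (cmd) onCommand(cmd);
  });
  container.appendChild(iframe);
  return iframe;
}
```

The frame still shares the browser's CPU, so a user script that loops forever needs a separate timeout (for instance, removing and recreating the iframe).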

My advice would be to set up a whitelist pattern in RegEx. For instance, you may want to not allow JavaScript commands which contain certain patterns, such as \""|''\ and so on. The whitelist will probably be much shorter than a blacklist.

Alberto Schiabel