1

I have a calculator widget (jsfiddle) that uses javascript's eval() function to evaluate the user's input to work as a calculator. It's an embedded widget in a chrome extension, so it doesn't have any database or anything else attached that could be hurt, and it doesn't send or receive any data.

Obviously, since it uses javascript's eval function, any javascript can be executed by this box. Is there any risk involved with this? I'm fairly new to javascript so I'm not sure what could result from the user being able to evaluate their own javascript inside this widget. Wouldn't anything they do just be reverted upon refresh?

xdumaine
  • possible duplicate of [what are the issues javascript eval can pose](http://stackoverflow.com/questions/3607539/what-are-the-issues-javascript-eval-can-pose) – Ken White Nov 11 '11 at 23:16
  • Even if there are no real risks, I think you might be better off not using `eval` for a calculator. For example, it might be easier to add new operators. – icktoofay Nov 11 '11 at 23:18
  • You could validate the input before invoking `eval()` to verify that only properly formatted expressions composed of numbers, parentheses and supported operators or functions were being used. That would certainly limit what could be done. Or, you could just build your own parser and evaluator and avoid eval() altogether. It is somewhat comical to just type something like `document.cookie` into your calculator. – jfriend00 Nov 11 '11 at 23:22
  • @icktoofay my use of eval seems to be one that is accepted. See [this question](http://stackoverflow.com/questions/3499672/when-if-ever-is-eval-not-evil) – xdumaine Nov 11 '11 at 23:34
  • @roviuser: Just as long as you also sanitize the input like suggested both by jfriend00 and the comments in an answer to that question. – icktoofay Nov 11 '11 at 23:44
  • possible duplicate of [Why is using Javascript eval function a bad idea?](http://stackoverflow.com/questions/86513/why-is-using-javascript-eval-function-a-bad-idea) – jpalecek Nov 12 '11 at 18:26

3 Answers

1

JavaScript runs on the client side, so your server is not in any imminent danger.

But this could be a problem if users could save their inputs somehow and give a link to other users, as this would allow for the execution of arbitrary JavaScript (i.e. cross-site scripting, aka XSS).

NullUserException
1

All other "eval is evil" and "quality of code" concerns aside...

...the security concern isn't about allowing user-supplied code: the user can delete every file they own if they feel like it. Not recommended, but entirely possible.

The danger with JavaScript, be it eval() or otherwise, is allowing an attacker to run code on the user's behalf (without consent), in the context of said user (ergo browser/domain).

This is known as XSS: Cross-Site Scripting:

Cross-site scripting holes are web-application vulnerabilities which allow attackers to bypass client-side security ... by finding ways of injecting malicious scripts into web pages [which may or may not involve eval], an attacker can gain elevated access-privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

Happy coding.

  • I realize that usually eval is evil, but my use of eval seems to be one that is accepted in practice. See [this question](http://stackoverflow.com/questions/3499672/when-if-ever-is-eval-not-evil) – xdumaine Nov 11 '11 at 23:35
  • @roviuser I am not challenging the use of `eval` here -- just pointing out that it is not inherently more or less secure than any other JavaScript which is running. (However, the other post is talking about `eval` in context of PHP, which *can* be *bad bad bad bad bad* as it's on the server.) **DO NOT USE EVAL ON A SERVER WITHOUT EXTREME PRECAUTION.** Sorry for shouting :) –  Nov 11 '11 at 23:37
  • The question regards php, but the link on the accepted answer discusses javascript specifically. Thanks for your info and warnings. – xdumaine Nov 11 '11 at 23:38
  • @roviuser Please re-read my post again. I think you will find it agreeable. (I purposefully did not touch on the other issues, other than a lead-in.) –  Nov 11 '11 at 23:39
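The two suggestions that run through this thread are jfriend00's comment (validate the input, or better, write a small parser and evaluator so `eval()` is never called) and the answers' point that the real risk is a shared or stored expression being executed in another visitor's browser. The following is an added example, not code from the question or from any answer: a recursive-descent evaluator that accepts only numbers, `+ - * / ^`, unary minus and parentheses, and a loader that takes a calculator state from a link's query string and runs it through that evaluator instead of `eval()`. The grammar, the function names `evaluateExpression` and `handleSharedExpression`, and the `expr` query parameter are assumptions made for the example.

```javascript
// Grammar used by this example (an assumption, chosen to cover a basic calculator):
//   expr   := term (('+' | '-') term)*
//   term   := factor (('*' | '/') factor)*
//   factor := '-' factor | power
//   power  := atom ('^' factor)?        // right-associative, binds tighter than unary minus
//   atom   := NUMBER | '(' expr ')'
// Every character that is not a digit, '.', whitespace or one of the operators
// above is rejected by the tokenizer, so identifiers, quotes and brackets never
// reach anything that could interpret them.

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (/\s/.test(ch)) { i++; continue; }
    if ('+-*/^()'.includes(ch)) { tokens.push({ type: 'op', value: ch }); i++; continue; }
    const m = /^(\d+\.?\d*|\.\d+)/.exec(src.slice(i));
    if (m) { tokens.push({ type: 'num', value: Number(m[0]) }); i += m[0].length; continue; }
    throw new SyntaxError(`unexpected character '${ch}' at position ${i}`);
  }
  return tokens;
}

function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const isOp = (v) => peek() !== undefined && peek().type === 'op' && peek().value === v;

  function expr() {
    let left = term();
    while (isOp('+') || isOp('-')) {
      const op = next().value;
      const right = term();
      left = op === '+' ? left + right : left - right;
    }
    return left;
  }
  function term() {
    let left = factor();
    while (isOp('*') || isOp('/')) {
      const op = next().value;
      const right = factor();
      if (op === '/' && right === 0) throw new RangeError('division by zero');
      left = op === '*' ? left * right : left / right;
    }
    return left;
  }
  function factor() {
    if (isOp('-')) { next(); return -factor(); }
    return power();
  }
  function power() {
    const base = atom();
    if (isOp('^')) { next(); return base ** factor(); }
    return base;
  }
  function atom() {
    const t = next();
    if (t === undefined) throw new SyntaxError('unexpected end of input');
    if (t.type === 'num') return t.value;
    if (t.value === '(') {
      const v = expr();
      if (!isOp(')')) throw new SyntaxError("expected ')'");
      next();
      return v;
    }
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }

  const result = expr();
  if (pos !== tokens.length) throw new SyntaxError(`unexpected token '${tokens[pos].value}'`);
  return result;
}

// Public entry point: the only way expression text gets evaluated in this example.
function evaluateExpression(src) {
  if (typeof src !== 'string' || src.length > 200) {
    throw new SyntaxError('expression must be a string of at most 200 characters');
  }
  return parse(tokenize(src));
}

// Loads a shared calculator state such as "?expr=1%2B2" (a '+' in a query string
// must be sent as %2B, otherwise it decodes to a space). The unsafe version the
// answers warn about would hand the decoded text to eval(); this one never does,
// so a link whose expr is script text is simply reported as a bad expression.
function handleSharedExpression(queryString) {
  const expr = new URLSearchParams(queryString).get('expr');
  if (expr === null) return { ok: false, error: 'no expression in link' };
  try {
    return { ok: true, value: evaluateExpression(expr) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

Because the tokenizer is a whitelist, extending the calculator (say, with a `sqrt` function) means adding a token and a grammar rule for it, not loosening a regex; a regex-then-`eval()` approach has to be re-audited every time the allowed character set grows.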
0

See: "eval is evil" from Efficient JavaScript code:

The 'eval' method, and related constructs such as 'new Function', are extremely wasteful. They effectively require the browser to create an entirely new scripting environment (just like creating a new web page), import all variables from the current scope, execute the script, collect the garbage, and export the variables back into the original environment. Additionally, the code cannot be cached for optimisation purposes. eval and its relatives should be avoided if at all possible.

Niels
  • While I agree that "`eval` is evil", I don't believe it requires a completely new scripting environment to be created. Also, I don't believe that it would have to import/export the variables any more than a normal function would. Finally, garbage collection happens for all JavaScript code, not just code passed to `eval`, and it doesn't necessarily happen at the end of `eval` execution, either. – icktoofay Nov 11 '11 at 23:20
  • Cut/paste is not much of an answer. We might even be talking about legal issues here. – cHao Nov 11 '11 at 23:21
  • After @cHao mentioned it, I checked the copyright link at the bottom of the linked page: "All content on this site is © 2005 by UserJS.org and its respective authors, and may not be republished without written permission from UserJS.org." – icktoofay Nov 11 '11 at 23:23
  • Hmm, did not know that copy/paste was bad, but just thought it would be the answer for the main poster. I did post the link to the original post, so there shouldn't be any issues. – Niels Nov 11 '11 at 23:23
  • IANAL, but I have no problem with links and excerpts -- just make sure to use quotes and indicate where it came from. However, the question is primarily about security while the link is about performance. –  Nov 11 '11 at 23:34
  • @Niels as I commented on the other answer, it seems that "eval is evil" doesn't apply to my usage of it. see [this answer](http://stackoverflow.com/questions/3499672/when-if-ever-is-eval-not-evil) for why – xdumaine Nov 11 '11 at 23:37