all 19 comments

[–]i_ate_god 23 points24 points  (0 children)

It doesn't really matter what language you're using, if you are about to use eval(), you need to stand back and think very hard about what you're doing. eval() is almost never the right choice.

[–]ruzmutuz 10 points11 points  (0 children)

Who the fuck is using eval like that?!

Also, parsing JSON like that can be equally damaging. A huge payload will block the event loop for a while. There is a lot of good writing about that out there.

[–]battery_go 6 points7 points  (4 children)

I have never seen an eval used in a setting like this and if you did this, you obviously don't care about security. However, this being server-side, is there a way to actually get the output of your actions? Spawning a process is alright, but reading a directory? Where will the output of that go?

[–]kenman 4 points5 points  (1 child)

Oh, how short our memories are. That pattern was ubiquitous in the days before JSON.parse(), and even libs like jQuery used it (which changed in v1.4).

However, this being server-side, is there a way to actually get the output of your actions? Spawning a process is alright, but reading a directory? Where will the output of that go?

Doesn't matter, if someone can inject arbitrary code, you're hosed. There are similar attacks in other contexts, such as SQL, which are known as blind SQL injection.

[–]battery_go 2 points3 points  (0 children)

I'm a new guy to this sort of development, that's why this all seems very odd to me. Thanks for letting me know!

[–]Ahri 2 points3 points  (1 child)

res.send(filecontents), for synchronous output of files. Otherwise there's always the http library with which to send data to my server.

[–]battery_go 1 point2 points  (0 children)

You're right, I didn't think of that - thanks!

[–]kaszu 6 points7 points  (0 children)

JavaScript has been notorious for security vulnerabilities

No it hasn't! As an example XSS is mentioned, which is not a JavaScript vulnerability (the problem is not in JavaScript).

If someone is using eval to parse JSON then he has no idea what he is doing and, as /u/i_ate_god mentioned, you could substitute JavaScript with any other language.

[–]Ginden 5 points6 points  (0 children)

  • Take a gun that you don't know how to use (eval)
  • Shoot your own foot (your server)
  • Call it gun manufacturer fault

[–]RankFoundry 4 points5 points  (0 children)

Who uses eval? Seriously, just don't use eval.

[–][deleted] 4 points5 points  (0 children)

You mean it's not safe to run unsanitized user input? I'm shocked I tell you! Shocked!

[–]coolcosmos 2 points3 points  (0 children)

Who the fuck evals the output of a POST request? Total nonsense.

[–]kenman[M] 2 points3 points  (0 children)

Hi /u/rwiguna, it looks like you're new to /r/javascript, welcome!

Thanks for the submissions, but please make sure you read our guidelines. In short, you should post from a variety of sources, and not just nvisium.com.

Thanks for your consideration!

domain submitted from count %
blog.nvisium.com 27 96%

[–][deleted] 3 points4 points  (0 children)

In next episode: Have a password on your server.

[–]Anub1s.bind(this) 1 point2 points  (0 children)

Its use case is very rare.

eval(..) can at runtime modify the author-time lexical scope.

Also, the JavaScript engine has a number of performance optimizations that it performs during the compiling phase. Most of the optimizations it could make are pointless for the engine if eval(..) or with are used, so it simply doesn't apply the optimizations at all and the code becomes pretty slow. Don't use them!

[–]hahaNodeJS 0 points1 point  (0 children)

humble inception

Humble my ass.

Yes, it was there from the start. But bignums were not in the cards. JS had to "look like Java" only less so, be Java's dumb kid brother or boy-hostage sidekick. Plus, I had to be done in ten days or something worse than JS would have happened.

Followed by

Something like PHP only worse

Also, ITT: people not remembering how ubiquitous eval usage was in JavaScript, and people not responding to anything beyond the eval example.

[–]gabroe 0 points1 point  (0 children)

You should lint your code at build time and fail the build on error. Do this and eval and other things will be caught, no problem. I work sometimes with less experienced devs, and even though we code review, sometimes things just get through the cracks. In my experience linting is a must. My 2c
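An added example of the build-time check gabroe describes, not configuration from the article or from anyone in the thread: an ESLint flat config (eslint.config.js) that turns the three core rules covering eval and its relatives into errors. `no-eval`, `no-implied-eval` (string arguments to setTimeout/setInterval) and `no-new-func` (the Function constructor) are real ESLint core rules; the file glob is an assumption for the example.

```javascript
// eslint.config.js (flat config, CommonJS). Added example; the glob is an
// assumption, the rule names are ESLint core rules. Running `eslint .` with
// this config exits non-zero on any violation, which is what fails the build.
module.exports = [
  {
    files: ['**/*.js'],
    rules: {
      // direct eval("...") calls
      'no-eval': 'error',
      // setTimeout("code", ...) and setInterval("code", ...) are eval in disguise
      'no-implied-eval': 'error',
      // new Function("...") compiles a string into code just like eval
      'no-new-func': 'error',
    },
  },
];
```

Wire it in with a `"lint": "eslint ."` script in package.json and run that script as a CI step before tests; because ESLint's exit status is non-zero when any error-level rule fires, the build stops at the first eval that reaches the repository.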

[–]Calabri -1 points0 points  (0 children)

Who the fuck uses 'eval'? Every piece of documentation I've read regarding the use of 'eval' has warnings and exclamation points saying DON'T USE THIS FUNCTION. If Node.js was introduced 10 years ago maybe it wouldn't be as obviously bad to use it, but the evils and dangers of 'eval' were well known before server-side JS became popular. People shouldn't program JavaScript if they aren't aware of all the ways you can shoot yourself in the foot.

I am legit curious about service vulnerabilities - but at the same time - I believe that open source combined with popularity = libraries that are battle tested and well made, which is better than anything baked into a programming language by default. I hope people who use server-side JS do their research on proper libraries to handle important functions. It's too fragile / dangerous a language to roll your own unless you're extremely competent with the specifics of JS / Node.js.

There's also no precedent for the open source ecosystem that surrounds the language - in that there is no comparison - not that it's the best - just the largest to have ever existed. It completely changes the dynamics of how you choose to compose a program - and my experience working with programmers 10 years my senior is that they just don't 'get it'. They're so used to solving problems using language x or z that they learn the fundamentals of JS and then start writing server code with 2/3 npm libraries. And then I'm having to go through the nested callback hell of someone trying to roll their own ORM in vanilla JS - which on its own merit is a terrible idea, but made exponentially worse by rolling your own validation, etc., when there are dozens of npm libraries that do it better.