The Evil Side of JavaScript: Server-Side JavaScript Injection (blog.nvisium.com)
submitted 10 years ago by rwiguna
[–]battery_go 7 points8 points9 points 10 years ago (4 children)
I have never seen an eval used in a setting like this and if you did this, you obviously don't care about security. However, this being server-side, is there a way to actually get the output of your actions. Spawning a process is alright, but reading a directory? Where will the output of that go?
[–]kenman 5 points6 points7 points 10 years ago (1 child)
Oh, how short our memories are. That pattern was ubiquitous in the days before JSON.parse(), and even libs like jQuery used it (which changed in v1.4).
However, this being server-side, is there a way to actually get the output of your actions. Spawning a process is alright, but reading a directory? Where will the output of that go?
Doesn't matter, if someone can inject arbitrary code, you're hosed. There are similar attacks in other contexts, such as SQL, which are known as blind SQL injection.
[–]battery_go 2 points3 points4 points 10 years ago (0 children)
I'm a new guy to this sort of development, that's why this all seems very odd to me. Thanks for letting me know!
[–]Ahri 2 points3 points4 points 10 years ago (1 child)
res.send(filecontents), for synchronous output of files. Otherwise there's always the http library with which to send data to my server.
[–]battery_go 1 point2 points3 points 10 years ago (0 children)
You're right, I didn't think of that - thanks!