Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
514 views
in Technique[技术] by (71.8m points)

node.js - Safe usage of eval() on server-sent JavaScript code

I'm using Node.js and Socket.io. I've written an application which can send JavaScript snippets from the server and execute them on the client. The JavaScript is sent via Secure WebSocket (WSS), and the client has a listener which will execute any code passed to it via the server.

This short script demonstrates the principle: http://jsfiddle.net/KMURe/ and you can think of the onScript function as the socket listener.

Question

What security protocols can I put in place to make this transaction safe? Would a secure websocket channel make it difficult for a third party to act as a middle man (altering the code before it's sent to the client)?

Some Use Cases..

  • Dynamically assigned distributed computation.
  • Browser client can dynamically learn from the server.
  • Update browser behavior in unison.
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

eval(), even if you have legit use, is just dangerous. You should avoid using it at all costs. use it with care.

However, if it's really needed, then you can use strict mode via "use strict" command. When eval() is executed in a strict function, the eval's content will not leak in the immediate scope. The code in an eval will be contained in eval() itself (as if it has it's own scope). In the demo, try removing the trailing x and eval() will return undefined.

But still, using eval() is dangerous. It's better if you find alternatives like JSON with custom string commands that will be parsed client-side.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...