我的eval()安全吗? [英] Is my eval() safe?
问题描述
我在这里制作了一个骰子滚轮: http://howderek.com/projects/diediedie/
I built a dice roller here: http://howderek.com/projects/diediedie/
我希望实现数学运算,以便我的用户可以将数学操作预先设置到他们的数据库中,这对RPG很有用。
and I wanted to implement math so that my users could preform mathmatical operations to their rolls, which is useful for RPGs.
我没有构建一个处理数学的函数,也没有使用像 math.js 这样的库,我认为由于JavaScript内置了数学运算,因此这可能是<$ c的一个很好的用途$ c> eval()。
Instead of building a function to handle the math, or using a library like math.js, I figured that since JavaScript has math built in, this might be a good use for eval().
我担心 eval()?q =无论附加到DieDieDie的网址中,将输入并输入框并传递给它to DieDieDie
The reason I am concerned with the eval() however, is that appending ?q=whatever to the url of DieDieDie enters whatever into the box and passed it to DieDieDie
现在,很明显,如果这只是一个eval控制台,很容易滥用并运行恶意JavaScript,但事实并非如此,我使用的是RegEx在运行之前 eval()
Now, obviously, if this was purely just an eval console, it would be easy to abuse and run malicious JavaScript through, but it's not, I use a RegEx before running eval()
来自( http://howderek.com/projects/diediedie/js/diediedie.js ):
if (!replaced.match(/[^0-9 | + | \- | * | \/ | ( | ) | \. | % | > | <]/g)) {
result = eval(replaced);
} else {
throw 'Unsafe eval (more than just math), refusing to execute.';
}
所以,我想知道是否有办法规避RegEx,以及只需在框中输入文字即可运行代码 eval()。
So, I was wondering if there was any way to circumvent the RegEx, and run code though that eval() just by entering text into the box.
推荐答案
复杂性是安全的敌人,所以我发现最好实现一个你知道的安全的简单解决方案,而不是试图想出一些更复杂的可能做了一些安全的东西(但是在找到漏洞之前没有人确定)。
Complexity is the enemy of security, so I find it best to implement a simple solution that you know is secure rather than attempting to come up with something more complicated that has possibly made something safe (but no one is quite sure until an exploit is found).
一种安全的方法是你可以使用 HTML5 Sandbox 加载托管脚本的页面,然后您无需担心关于您的RegEx是否可以被绕过。
A safe way to do it is that you could use a HTML5 Sandbox to load a page hosting your script, then you do not need to be concerned about whether your RegEx can be bypassed.
您需要在不同于主站点的域下托管该页面(例如 script.example。 com 而不是 www.example.com )。如果攻击者诱使用户信任,这将阻止任何 XSS 攻击直接访问该页面(在沙箱外面)。
You will need to host the page under a different domain than your main site (e.g. script.example.com instead of www.example.com). This will prevent any XSS attack if an attacker convinces a user to visit the page directly (outside of the sandbox).
您需要使用以下代码在IFrame中启用脚本:
You will need to enable scripts within the IFrame by using code like this:
< iframe src =http://script.example.com/projects/diediedie/sandbox =allow-scripts/>
这将允许脚本,但是如果在您的RegEx中找到漏洞利用,将阻止IFrame之外的表单和导航。由于它位于不同的域中,因此您的主站点不会受到 XSS <的攻击/ a>。
This will allow scripts, but in the case of an exploit being found to your RegEx, forms and navigation outside of the IFrame will be prevented. As it is on a different domain, your main site cannot be attacked via XSS.
HTML5 OWASP上的安全备忘单指出这是沙箱的目的:
The HTML5 Security Cheat Sheet guidance on OWASP states this is the purpose of the sandbox:
使用iframe的sandbox属性进行不信任content
Use the sandbox attribute of an iframe for untrusted content
因为你允许不受信任的内容通过 eval 运行(虽然清理通过RegEx,这似乎是对沙盒IFrame的恰当使用。
As you are allowing untrusted content to run via eval (albeit "sanitised" via RegEx), this seems like an appropriate use of the sandboxed IFrame.
在呈现IFrame之前,您应该先测试是否支持沙箱:
You should test whether sandbox is supported first, before rendering the IFrame:
< iframe src =/ blank.htmsandbox =allow-scriptsid =foo/>
var sandboxSupported = "sandbox" in document.createElement("iframe");
if (sandboxSupported) {
document.getElementById('foo').setAttribute('src', 'http://script.example.com/projects/diediedie/');
}
else
{
// Not safe to display IFrame
}
通过动态更改 src 这样做更安全,而不是重定向,如果 sandboxSupported 是 false ,因为如果重定向没有及时发生,则不会意外地呈现iframe。
It is safer to do it this way by dynamically changing the src rather than redirecting away if sandboxSupported is false because then the iframe will not accidentally be rendered if the redirect doesn't happen in time.
启用此功能以跨域工作( script.example.com 和 www.example.com )您将需要使用HTML5的 Window.postMessage 功能。这将实现IFrame和外部窗口之间的安全通信。请注意,设置 document.domain 不安全,因为它首先会破坏在单独域名上托管页面的目的。
To enable this to work cross-domain (between script.example.com and www.example.com) you will need to use HTML5's Window.postMessage functionality. This will enable secure communication between the IFrame and the outer window. Note that setting document.domain is not secure as it will defeat the purpose of hosting the page on a separate domain in the first place.
这篇关于我的eval()安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
