Security considerations using "new Function(...)" (during render time, expression coming from my Javascript sources)

Views: 205

Question

I'd like to use new Function(...) to generate a function from very reduced code. I'd like to do this to


  • avoid parsing my own expressions and

  • be as flexible as possible.

I avoid eval() whenever possible. But I'm not sure if it's secure enough to use new Function(...), which is also known as being liable to security holes.

I want to manage the states of menu buttons. So, while defining the buttons, I'd like to write something like

 {
 ..., // More button definition
 state: "isInEditmode && (isWidgetSelected || isCursorInWidget)",
 ...
 }

While handling the state change during several events I'll check (summarize) the states of the current overall state object against those in the states attribute.

So I'll generate a Function during render time and attach it as a DOM object attribute, not a DOM attribute, this way:

 ...
 $el.stateFn = new Function("stateObj", "with (stateObj) {return " + item.state + ";}");
 ...

Testing the state:

 visible = $el.stateFn.call(currentStates, currentStates);

The with statement helps me provide the current state object's attributes as variables so that the above expression does not need something like obj.isInEditmode.

In my opinion this does not introduce security holes, as the function attached to the DOM object is generated during render time and read from source. Or am I wrong? Should I avoid this?

Performance hints are appreciated (comment) (I think as long as I'm evaluating a new Function once during render time, this is acceptable).


  • I'm using Backbone.js. Using another framework is not possible.

  • Some menu items need to be bound to different or even multiple models.

  • Delegating (or facade/proxy?) models is quite considerable.

Answer

Security-wise both are just as bad if user input is allowed to break out in the code. However, maintenance-wise you don't have to worry about hidden bugs when local eval messes with your scope and causes dynamic scoping.

Performance-wise the function generated by new Function is exactly the same as any other function. The generation is slower, but unlike eval it doesn't cause the containing scope to be unoptimizable.

In fact, new Function can be used to improve performance in situations like:

//Will behave like function a( obj ) { return obj.something }
function makePropReader( propName ) {
    return new Function( "obj", "return obj." + propName );
}

The constructed function will perform better than the function returned here:

function makePropReader( propName ) {
     return function( obj ) {
         return obj[propName];
     }
}

Due to having to dynamically read propName from the closure context and do a dynamic read on the object every time it is called.
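The answer's point is that new Function is only as safe as the text spliced into it. The following is an added example, not code from the question or the answer: it compiles the question's state expression and the answer's makePropReader the same way, but checks the spliced-in text first, so that only the declared state flags (assumed names, taken from the question) and boolean operators can reach new Function.

```javascript
// Added example, not code from the original post or answer. It assumes the
// question's convention: a button definition carries a "state" string, and
// the state object holds boolean flags addressed by bare identifiers.

// Every state flag an expression may mention. Anything else is rejected, so an
// identifier can never fall through the with() scope to a global name.
const DEFAULT_STATE_FLAGS = new Set([
  "isInEditmode", "isWidgetSelected", "isCursorInWidget",
]);

// Compiles a state expression the way the question does, but only after
// checking it contains nothing except known flags, && || !, and parentheses.
function compileStateExpression(expr, knownStates = DEFAULT_STATE_FLAGS) {
  // Identifiers, the three operators and brackets; any other non-space
  // character becomes a one-character token that the loop rejects.
  const tokens = expr.match(/[A-Za-z_$][\w$]*|&&|\|\||[!()]|\S/g) || [];
  if (tokens.length === 0) throw new Error("empty state expression");
  let depth = 0;
  for (const tok of tokens) {
    if (/^[A-Za-z_$]/.test(tok)) {
      if (!knownStates.has(tok)) throw new Error("unknown state flag: " + tok);
    } else if (tok === "(") {
      depth += 1;
    } else if (tok === ")") {
      depth -= 1;
      if (depth < 0) throw new Error("unbalanced parentheses");
    } else if (tok !== "&&" && tok !== "||" && tok !== "!") {
      throw new Error("disallowed token: " + JSON.stringify(tok));
    }
  }
  if (depth !== 0) throw new Error("unbalanced parentheses");
  // Same construction as in the question. The body of new Function is
  // sloppy-mode code, so with() is legal even if this module is strict.
  return new Function("stateObj", "with (stateObj) { return !!(" + expr + "); }");
}

// The answer's makePropReader with the one check it needs before the name is
// spliced into source text: the name must be a plain identifier.
function makePropReader(propName) {
  if (!/^[A-Za-z_$][\w$]*$/.test(propName)) {
    throw new Error("property name is not an identifier: " + propName);
  }
  return new Function("obj", "return obj." + propName);
}

// Usage in the shape of the question's render step.
const stateFn = compileStateExpression(
  "isInEditmode && (isWidgetSelected || isCursorInWidget)");
console.log(stateFn({ isInEditmode: true, isWidgetSelected: false, isCursorInWidget: true })); // true
```

The allowlist is what makes the with() construction tolerable: an identifier the state object lacks would otherwise resolve up the scope chain to a global, and any punctuation other than the operators would let the expression become a statement.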
