How to breach AngularJS using $watch?


Question

In the AngularJS security documentation it is written that using $watch to watch the value of user-generated content is unsafe:

There are a number of ways that templates and expressions can be controlled: ...

Passing an expression generated from user-provided content in calls to the following methods on a scope: ...

$watch(userContent, ...)

What is the meaning of userContent here? If I watch the ngModel value of a user input field, is this userContent? Is the form in the fiddle unsafe?

Accepted answer

A $watch expression is a restricted form of eval: the expression is parsed by the AngularJS expression parser and evaluated against the current scope.

Although the AngularJS expression parser has security measures against evaluating arbitrary JS code with real eval, security hazards may still exist, and known vulnerabilities can potentially be exploited in older framework versions.

This means that the $on.constructor('alert(1)')() expression cannot be evaluated and won't create a security threat in any up-to-date AngularJS version. But considering that the $window service was exposed to the scope (which is a common practice for ES6 controllers), the $window.alert(1) expression can be evaluated.

Does not pose a security threat:

// The watch expression is the fixed property name 'myValue'; the user's
// input is only the value that the listener receives.
$scope.$watch('myValue', function () {
    console.log($scope.myValue);
});

Can pose a security threat:

// The user's input itself is passed as the watch expression, so it is
// parsed and evaluated against the scope.
$scope.$watch($scope.myValue, function () {
    console.log($scope.myValue);
});
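The following is an added example, not code from the answer or from AngularJS itself. It uses a toy evaluator that stands in for the AngularJS expression parser (dotted member access on a scope object, an optional call with one JSON literal argument, and a block list of members such as `constructor` that the real parser also refuses) to make the answer's distinction concrete: watching the property name `'myValue'` only reads a value, while watching `$scope.myValue` parses the user's text as an expression, and once `$window` is on the scope that expression can reach `$window.alert`. `makeScope`, the fake `$window`, and the user input string are all constructed for the example.

```javascript
'use strict';
// Added illustration, not AngularJS source: a toy evaluator that mimics the one
// property of the AngularJS expression parser that matters here. It resolves a
// dotted member path on a scope object and optionally calls the result with a
// single JSON literal argument, and it refuses the members (`constructor`,
// `__proto__`, ...) that the real parser blocks so that expressions cannot
// reach Function and run arbitrary JS. makeScope, the fake $window and the
// listener below are stand-ins built for this example.

const FORBIDDEN = new Set(['constructor', '__proto__', 'prototype',
  '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__']);

// Grammar: IDENT(.IDENT)* optionally followed by "(" literal ")".
const EXPR = /^([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)(?:\((.*)\))?$/;

function evaluateExpression(scope, expr) {
  const m = EXPR.exec(String(expr).trim());
  if (!m) throw new Error('unsupported expression: ' + expr);
  const path = m[1].split('.');
  for (const seg of path) {
    if (FORBIDDEN.has(seg)) throw new Error('forbidden member: ' + seg);
  }
  let parent = null;
  let value = scope;
  for (const seg of path) {
    parent = value;
    value = value == null ? undefined : value[seg];
  }
  if (m[2] === undefined) return value;            // plain member read
  if (typeof value !== 'function') throw new Error('not callable: ' + m[1]);
  const args = m[2] === '' ? [] : [JSON.parse(m[2])];
  return value.apply(parent, args);
}

// Minimal stand-in for an AngularJS scope: $watch parses its first argument as
// an expression and hands the result to the listener. The real $watch returns
// a deregistration function; this one returns the evaluated value so that the
// result can be inspected.
function makeScope(props) {
  const scope = Object.assign({}, props);
  scope.$on = function () {};                      // placeholder for scope.$on
  scope.$watch = function (expr, listener) {
    const value = evaluateExpression(scope, expr);
    listener(value);
    return value;
  };
  return scope;
}

// Reproduces the answer's two $watch forms with user input that is itself an
// expression, on a scope that exposes $window (a fake one that records calls).
function demo() {
  const alerts = [];
  const fakeWindow = { alert: function (msg) { alerts.push(String(msg)); return 'alert called'; } };
  const userInput = '$window.alert("pwned")';     // constructed user-controlled ngModel value
  const scope = makeScope({ myValue: userInput, $window: fakeWindow });

  // Safe form: the expression is the literal property name 'myValue'; the
  // user's text is only the value that the listener receives.
  const safe = scope.$watch('myValue', function () {});

  // Unsafe form: the user's text is the expression, so it is parsed and
  // evaluated against the scope, and $window.alert is reachable.
  const unsafe = scope.$watch(scope.myValue, function () {});

  return { safe: safe, unsafe: unsafe, alerts: alerts };
}

// The parser-level restriction the answer refers to: member access that could
// reach Function is rejected even when the expression is attacker-controlled.
function tryConstructorEscape() {
  const scope = makeScope({});
  try {
    scope.$watch('$on.constructor("alert(1)")', function () {});
    return 'evaluated';
  } catch (e) {
    return e.message;
  }
}

console.log(demo());                 // { safe: '$window.alert("pwned")', unsafe: 'alert called', alerts: [ 'pwned' ] }
console.log(tryConstructorEscape()); // forbidden member: constructor
```

Run it with `node`: the safe form returns the user's string untouched, the unsafe form actually invokes the fake `$window.alert`, and the `constructor` path is refused by the toy parser just as the real one refuses it. The practical takeaway matches the answer: the sink is the first argument of `$watch`, and it is safe exactly when that argument is a string the developer wrote, not one the user controls, regardless of what the parser's sandbox blocks.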
