Esprima 检测全局范围访问 [英] Esprima detect global scope access

问题描述

esprima(或其他类似工具)是否可以 100% 检测到一段不受信任的代码是否试图访问其运行的函数范围之外的变量?

Is it possible with esprima (or other similar tools) to 100% detect if a piece of untrusted code tries to access variables outside the function scope it runs in?

window.foo = 5
var func = new Function('"use strict"; console.log(foo);')
func.call(null)

这将记录 5.我可以使用 func.call(null) 防止 this 在函数中可用，并在不受信任的代码前加上use strict".

This would log 5. I can prevent this from being available in the function with func.call(null) and prepending "use strict" to the untrusted code.

我想我也可以用 esprima 甚至 eslint 分析代码并检测 func svope 中不存在的变量，对吗?它是 100% 安全的吗?我知道代码仍然可能行为不端，例如执行 while(true){}，但除了长时间运行的代码之外，它是否范围安全"?

I assume I could also analyze the code with esprima, or even eslint and detect the variables that don't exist in the func svope, am I right? Is it 100% secure? I know the code could still misbehave and for instance do a while(true){}, but aside from long running code like is it "scope secure"?

推荐答案

我想我也可以用 esprima 甚至 eslint 分析代码并检测 func 作用域中不存在的变量，对吗?

I assume I could also analyze the code with esprima, or even eslint and detect the variables that don't exist in the func scope, am I right?

是的.

是否 100% 安全?

Is it 100% secure?

不，一点也不.考虑 new {}.constructor.constructor("alert('evil!')")()，它不访问任何变量.

No, not at all. Consider new {}.constructor.constructor("alert('evil!')")(), which does not access any variables.

这篇关于Esprima 检测全局范围访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！