Why is it bad practice calling an array index with a variable?


Problem description

I'm currently developing a little game in JavaScript and I'm using Codacy to review my code and help me clean it.

One of the most common errors is Generic Object Injection Sink (security/detect-object-injection).

It happens when I'm trying to access a value in an array using a variable. Like in this example:

function getValString(value)
{
    // value is expected to be 0, 1, 2 or 3
    var values = ["Misérable", "Acceptable", "Excellente", "Divine"];
    return values[value];
}

This function is used to display on screen the value's string of an item. It receives a "value" which can be 0, 1, 2 or 3 and returns the string of the value.

Now here is my question:

Codacy is telling me that use of var[var] should be prohibited because it causes security issues, and since I'm rather new to JavaScript, I was wondering why and what the good practices are in that kind of situation.

Recommended answer

The security issue present here is that the stringified value of value may be accessing a property that is inherited from the Object's __proto__ hierarchical prototype, and not an actual property of the object itself.

For example, consider the scenario when value is a string literal of "constructor".

const property = "constructor";
const object = [];
const value = object[property];

The result of value in this context will resolve to the Array() function, which is inherited as part of the Object's prototype, not an actual property of the object variable. Furthermore, the object being accessed may have overridden any of the default inherited Object.prototype properties, potentially for malicious purposes.

This behavior can be partially prevented by doing an object.hasOwnProperty(property) conditional check to ensure the object actually has this property. For example:

const property = "constructor";
const object = [];
if (object.hasOwnProperty(property)) {
    const value = object[property];
}

Note that if we suspect the object being accessed might be malicious or might have overridden the hasOwnProperty method, it may be necessary to use the Object hasOwnProperty inherited from the prototype directly: Object.prototype.hasOwnProperty.call(object, property)
Of course, this assumes that our Object.prototype has not already been tampered with.

This is not necessarily the full picture, but it does demonstrate a point.

Check out the following resources, which elaborate in more detail on why this is an issue and some alternative solutions:
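An added example, not code from the question or the answer, that runs the original lookup against the prototype-chain keys the answer describes, then compares two guarded versions: the own-property check from the answer, and a strict integer-index check (the function names and the `demo()` helper are my own, not from the page). It also shows why the own-property check is only a partial fix: "length" is an own property of every array.

```javascript
// Added example (not the question's or the answer's own code).
// Same constructed table as in the question.
const VALUES = ["Misérable", "Acceptable", "Excellente", "Divine"];

// The original, unguarded lookup: any string that names a property on
// Array.prototype or Object.prototype resolves to that property.
function getValStringUnsafe(value) {
  return VALUES[value];
}

// Guarded variant 1 (the answer's approach): keep only own properties, and
// call Object.prototype.hasOwnProperty directly so an object that shadows
// hasOwnProperty cannot bypass the check. Note that "length" is an own
// property of an array, so this still lets a non-element key through.
function getValStringOwnOnly(value) {
  if (!Object.prototype.hasOwnProperty.call(VALUES, value)) {
    return undefined;
  }
  return VALUES[value];
}

// Guarded variant 2: accept only a canonical non-negative integer (number
// or decimal string) that is inside the array bounds. The text form is
// checked first because Number("") is 0 and Number("0x1") is 1.
function getValStringByIndex(value) {
  const text = String(value);
  if (!/^(0|[1-9]\d*)$/.test(text)) return undefined;
  const index = Number(text);
  return index < VALUES.length ? VALUES[index] : undefined;
}

// Constructed inputs: indices the game expects, plus keys that reach the
// prototype chain or a non-element own property instead of an element.
function demo() {
  return {
    unsafeIndex: getValStringUnsafe(2),                        // "Excellente"
    unsafeConstructor: getValStringUnsafe("constructor") === Array, // true
    unsafeLength: getValStringUnsafe("length"),                // 4
    ownOnly: getValStringOwnOnly(1),                           // "Acceptable"
    ownOnlyConstructor: getValStringOwnOnly("constructor"),    // undefined
    ownOnlyLength: getValStringOwnOnly("length"),              // 4 (leaks)
    byIndex: getValStringByIndex("3"),                         // "Divine"
    byIndexConstructor: getValStringByIndex("constructor"),    // undefined
    byIndexLength: getValStringByIndex("length"),              // undefined
    byIndexEmpty: getValStringByIndex(""),                     // undefined
  };
}
```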
