Will there be a dynamic code injection for dart?


Problem description

I am currently preparing a talk about Polymer.dart and would like to give a short introduction to dart. There is one question I would like to be prepared for:

Will there be dynamic code injection via <script> for dart?

This article says that there is currently no support for this for a good reason.

However, the "currently" relativizes the statement a bit and I wonder if there is anything planned in the future to support dynamic code injection?

Recommended answer

If for example the "eval" command is introduced in Dart, then the answer is YES, Dart is vulnerable to injection attacks.

Javascript is in this regard like SQL: it has the same vulnerability as all other dynamically interpreted programming languages (this includes all shell scripts, PHP...), which I call "DATA IS CODE". Such languages have a concrete syntax which is meant for human consumption and their processing entails a first step which is called PARSING: the sequence of characters is broken down into an internal structure which describes the meaning of the expression, in a way in which the computer can distinguish the DATA from the INSTRUCTIONS. It is the same problem that led to the introduction of the NX (No-eXecute) bit on modern CPUs. Functions like "eval" open the door for malicious code to be executed with no constraint. Parsing code at runtime should NEVER be allowed in a secure language.

This is why Dart doesn't recommend the use of injections, as explained here: https://www.dartlang.org/articles/embedding-in-html/#no-script-injection-of-dart-code


"No script injection of Dart code
We do not currently support or recommend dynamically injecting a tag that loads Dart code. Recent browser security trends, like Content Security Policy, actively prevent this practice."

But Google should do more than that, and forbid it entirely, together with the "eval" command.
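The answer's "DATA IS CODE" point, shown in JavaScript (the language the answer compares Dart to) as an added example that is not part of the original question or answer: the same untrusted text is loaded once through eval, where anything that parses as an expression is executed, and once through JSON.parse, which only ever yields values. The sideEffects object, the two config strings and the loader/demo function names are all constructed for this demonstration; the block assumes Node.js and runs offline.

```javascript
// Added example, not code from the original page: "data is code" in practice.
// All names and inputs below are constructed for the demonstration.

// Hypothetical privileged state an attacker would like to reach.
const sideEffects = { adminGranted: false };

// Vulnerable loader: the untrusted text is handed to the JavaScript parser, so
// the "data" is parsed as INSTRUCTIONS and any embedded expression runs with
// the caller's privileges (direct eval sees the enclosing scope).
function loadConfigWithEval(text) {
  // eslint-disable-next-line no-eval
  return eval('(' + text + ')');
}

// Hardened loader: JSON.parse has a grammar of values only (objects, arrays,
// strings, numbers, booleans, null). It cannot call functions or run
// statements, and anything outside that grammar is rejected with SyntaxError.
function loadConfigWithJsonParse(text) {
  return JSON.parse(text);
}

// Constructed inputs. The malicious one still "looks like" a config object;
// only the value of "theme" has been replaced by a comma expression that
// assigns to the privileged state and then yields the expected string.
const benignConfig = '{"theme": "dark", "retries": 3}';
const maliciousConfig =
  '{"theme": (sideEffects.adminGranted = true, "dark"), "retries": 3}';

// Runs one loader on one input and reports what a caller would observe:
// whether parsing succeeded, the theme value read back, and whether the
// privileged flag was flipped as a side effect of merely "parsing data".
function demo(loader, text) {
  sideEffects.adminGranted = false;
  try {
    const cfg = loader(text);
    return { ok: true, theme: cfg.theme, adminGranted: sideEffects.adminGranted };
  } catch (e) {
    return { ok: false, error: e.constructor.name, adminGranted: sideEffects.adminGranted };
  }
}

// Stand-alone run: prints the four outcomes side by side.
for (const [name, loader] of [['eval', loadConfigWithEval], ['JSON.parse', loadConfigWithJsonParse]]) {
  for (const [label, text] of [['benign', benignConfig], ['malicious', maliciousConfig]]) {
    console.log(name, label, JSON.stringify(demo(loader, text)));
  }
}
```

With eval both inputs "load successfully" and return theme "dark", but the malicious one also sets adminGranted to true, which is exactly the unconstrained execution the answer describes; with JSON.parse the benign input loads and the malicious one fails with SyntaxError while the flag stays false. The same class of sink includes new Function and string arguments to setTimeout/setInterval, and a Content Security Policy whose script-src omits 'unsafe-eval' makes all of them throw an EvalError in the browser, which is the mechanism the quoted Dart article refers to.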
