ES2015 template strings security issue
Question
Here is a quote from MDN:
Template strings MUST NOT be constructed by untrusted users, because they have access to variables and functions.
Another example:
`${console.warn("this is",this)}`; // "this is" Window
let a = 10;
console.warn(`${a+=20}`); // "30"
console.warn(a); // 30
The example here doesn't show any vulnerabilities I can see.
Can anyone give an example of an exploit that takes advantage of this?
Answer
This makes no sense. A template string doesn't have access to anything, it is not executed either. A template string is a syntactical element of the language.
Dynamically constructing a template string is no problem therefore - it's like building an expression (in whatever format, be it a code string or an AST). The problem MDN hints at is with evaluating such an expression (e.g. using eval, serialising it into a script that is served to the user, etc.) - it may contain arbitrary code, in contrast to a string literal! But of course you wouldn't do that anyway, would you?
This warning is like saying "Concatenations using the + operator must not be constructed by untrusted users, because they have access to variables and functions." and giving the example "" + console.warn("this is",this) + "" for it. Well, this is true for any expression of the language, so it's not particularly interesting.
While we are talking about crappy coding, there is of course a scenario where using template strings (hey, they're multiline and whatnot) instead of string literals can lead to problems:
function escapeString(str) {
    return JSON.stringify(str).slice(1, -1)
        .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}
var userInput = ""; // stands in for a string received from an untrusted user
// This is (kinda) fine!
var statement = 'var x = "Hello,\\n'+escapeString(userInput)+'";';
eval(statement); // some kind of evaluation
// But this is not:
var statement = 'var x = `Hello,\n'+escapeString(userInput)+'`;';
//                       ^                                  ^
Now imagine userInput contains a ${…} - which we did not escape…
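An added example (not part of the original answer) that makes the last point concrete: the answer's escapeString, written for a double-quoted literal, leaves template-literal syntax intact, so a ${…} in the input is evaluated once the generated code runs; an escaper for a template literal must also neutralise backticks and ${, and the safest option is to emit a complete JSON literal instead. escapeTemplateString, buildWithTemplate and buildWithJsonLiteral are hypothetical names, and the inputs are constructed samples.

```javascript
// The answer's escaper: adequate inside "..." but not inside `...`.
function escapeString(str) {
  return JSON.stringify(str).slice(1, -1)
    .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Hypothetical template-literal-aware escaper: backslashes are already
// escaped by JSON.stringify, so only the backtick and "${" remain.
function escapeTemplateString(str) {
  return escapeString(str)
    .replace(/`/g, "\\`")
    .replace(/\$\{/g, "\\${");
}

// Build the code  var x = `Hello,\n<escaped input>`;  and run it,
// returning x (new Function stands in for the answer's eval).
function buildWithTemplate(userInput, escaper) {
  var statement = "var x = `Hello,\\n" + escaper(userInput) + "`; return x;";
  return new Function(statement)();
}

// Safest: no hand-written escaping at all. JSON.stringify produces a
// complete double-quoted literal, which has no interpolation syntax.
function buildWithJsonLiteral(userInput) {
  var statement = "var x = " + JSON.stringify("Hello,\n" + userInput) + "; return x;";
  return new Function(statement)();
}

// Constructed sample input: harmless, but visibly evaluated when the
// naive escaper is used with a template literal.
var sample = "${1+1}";
console.log(buildWithTemplate(sample, escapeString));         // Hello,\n2   <- evaluated
console.log(buildWithTemplate(sample, escapeTemplateString)); // Hello,\n${1+1}
console.log(buildWithJsonLiteral(sample));                    // Hello,\n${1+1}
```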