tags:

views:

27

answers:

1
Q: 

Dynamic evaluation of functions in JS (is this safe?)

I have a website in which all the pages are processed through an index.php that includes different PHP files depending on the requested URL (this is done through mod_rewrite).

I'm using the following method to execute specific functions at page load:

index.php

<script type="text/javascript">
readyFns = Array();
</script>

<?php
// Do some stuff here, and pull the name of the PHP page to include from the DB
include $pageToInclude
?>

<script type="text/javascript">

    commonFunctionToApplyToAllThePages();
    otherCommonFunction();

    // page-specific functions
    for (i=0; i<readyFns.length; i++)
    {
    if (typeof(window[readyFns[i]]) == "function")
        window[readyFns[i]]();
    }    
</script>

includedPage.php

<?php
// Generate page
?>
<script type="text/javascript">
readyFns.push("someFunction");
readyFns.push("someOtherFunction");
</script>

I quite like this approach because I just have to set readyFns at the end of this page and everything else will be nicely controlled by index.php. My questions is: is this safe? Could it be sensitive to someone generating a link that arbitrarily sets readyFns to point to some malicious code and then links to my site? How would I prevent that?

thanks nico

+1  A: 

This is interesting. In principle, it's probably ok, but you're right to be a little concerned. This is just compiling a list of keys to lookup as functions on an object, and execute, so it's not really a security problem in that respect. But, you are essentially providing access to all globals like that. You'd probably be better off making a global object besides window to store your functions on, like so:

var funcs = {};
funcs.someFunction = function() {/*blah*/};
funcs.someOther = function() {/*blah*/};

and then your readyFuncs thing would loop over funcs instead of window. I don't think there'd be anything to worry about past that.

Of course, there are other things with your approach that could be improved, but I think it's ok as-is if it works for you.

bcherry  2010-07-20 07:34:23
Thanks for the answer, but wouldn't that just move the problem? I mean, one could define a malicious function in `functs` instead of the main scope, no? Or am I missing something?
nico  2010-07-20 21:58:12
It's technically possible, but it's not something to worry about. I moved it out of window so you don't give access to built-ins like `setTimeout` or `alert`.
bcherry  2010-07-22 22:06:52

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security