<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Dynamically constructing code from the inputs of exported functions
may inadvertently change the meaning of that code.
Clients calling the functions may pass characters that have special
meaning in the language, such as quotes and spaces.
This can cause the resulting code to misbehave, or in the worst case
allow an attacker to execute arbitrary code on the system.
</p>
</overview>
<recommendation>
<p>
Avoid dynamically constructing code where possible.
</p>
</recommendation>
<example>
<p>
The following example shows two methods implemented using `eval`: a simple
deserialization routine and a getter method.
</p>
<sample src="examples/UnsafeCodeConstruction.js" />
<p>
If untrusted inputs are used with these methods,
then an attacker might be able to execute arbitrary code on the system.
</p>
<p>
To avoid this problem, use an alternative solution such as `JSON.parse`
or another library that does not allow arbitrary code to be executed.
</p>
<sample src="examples/UnsafeCodeConstructionSafe.js" />
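<p>
As an added illustration (not the sample files referenced above), the two
eval-based methods beside data-only replacements; the function and
variable names are assumed.
</p>

```javascript
// Added example, not the qhelp's own sample code. Names are assumed.

// UNSAFE: the input string is handed straight to the JavaScript engine,
// so any valid expression in it is executed rather than merely parsed.
function deserializeUnsafe(serialized) {
  return eval("(" + serialized + ")");
}

// UNSAFE: a caller-supplied property path is spliced into source text,
// so quotes and other syntax in the path change what the code does.
function getUnsafe(obj, path) {
  return eval("obj." + path);
}

// SAFE: JSON.parse accepts only JSON data and never executes code;
// anything that is code rather than data is rejected with a SyntaxError.
function deserializeSafe(serialized) {
  return JSON.parse(serialized);
}

// SAFE: treat the path as data and walk it one own property at a time,
// so inherited properties and non-objects are never dereferenced.
function getSafe(obj, path) {
  let current = obj;
  for (const key of path.split(".")) {
    if (current === null || typeof current !== "object") {
      return undefined;
    }
    if (!Object.prototype.hasOwnProperty.call(current, key)) {
      return undefined;
    }
    current = current[key];
  }
  return current;
}

// Constructed inputs: valid JSON data, and a string that is valid
// JavaScript but not valid JSON.
const validJson = '{"user":"alice","roles":["admin"]}';
const codeNotData = "1 + 1";
```

With these inputs the eval-based deserializer evaluates the second string to 2, while JSON.parse refuses it.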
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Code_Injection">Code Injection</a>.
</li>
<li>
Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection">Code Injection</a>.
</li>
</references>
</qhelp>