16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
59 lines
1.3 KiB
Plaintext
59 lines
1.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string arguments similar to the way ``++eval++`` works, which could expose your program to random, unintended code which can be both slow and a security risk.
|
|
|
|
|
|
In general it is better to avoid it altogether, particularly when used to parse JSON data. You should use ECMAScript 5's built-in JSON functions or a dedicated library.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,javascript]
|
|
----
|
|
var obj = new Function("return " + data)(); // Noncompliant
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,javascript]
|
|
----
|
|
var obj = JSON.parse(data);
|
|
----
|
|
|
|
|
|
=== Exceptions
|
|
|
|
Function calls where the argument is a string literal (e.g. ``++(Function('return this'))()++``) are ignored.
|
|
|
|
|
|
== Resources
|
|
|
|
* OWASP Top 10 2017 Category A1 - Injection
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Review this "Function" call and make sure its arguments are properly validated.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
* primary: ``++new Function++``
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 31 Aug 2018, 15:35:45 Nicolas Harraudeau wrote:
|
|
Detecting ``++new Function("...")++`` should be added to the Hotspot rule RSPEC-1523
|
|
|
|
endif::env-github,rspecator-view[]
|