51 lines
1.2 KiB
Plaintext
51 lines
1.2 KiB
Plaintext
== Why is this an issue?
|
|
|
|
In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string arguments similar to the way ``++eval++`` works, which could expose your program to random, unintended code which can be both slow and a security risk.
|
|
|
|
|
|
In general it is better to avoid it altogether, particularly when used to parse JSON data. You should use ECMAScript 5's built-in JSON functions or a dedicated library.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,javascript]
|
|
----
|
|
var obj = new Function("return " + data)(); // Noncompliant
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,javascript]
|
|
----
|
|
var obj = JSON.parse(data);
|
|
----
|
|
|
|
|
|
=== Exceptions
|
|
|
|
Function calls where the argument is a string literal (e.g. ``++(Function('return this'))()++``) are ignored.
|
|
|
|
|
|
== Resources
|
|
|
|
* OWASP Top 10 2017 Category A1 - Injection
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|