59 lines
1.4 KiB
Plaintext
59 lines
1.4 KiB
Plaintext
== Why is this an issue?
|
|
|
|
In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string arguments similar to the way ``++eval++`` works, which could expose your program to random, unintended code which can be both slow and a security risk.
|
|
|
|
|
|
In general it is better to avoid it altogether, particularly when used to parse JSON data. You should use ECMAScript 5's built-in JSON functions or a dedicated library.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,javascript]
|
|
----
|
|
var obj = new Function("return " + data)(); // Noncompliant
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,javascript]
|
|
----
|
|
var obj = JSON.parse(data);
|
|
----
|
|
|
|
|
|
=== Exceptions
|
|
|
|
Function calls where the argument is a string literal (e.g. ``++(Function('return this'))()++``) are ignored.
|
|
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Review this "Function" call and make sure its arguments are properly validated.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
* primary: ``++new Function++``
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 31 Aug 2018, 15:35:45 Nicolas Harraudeau wrote:
|
|
Detecting ``++new Function("...")++`` should be added to the Hotspot rule RSPEC-1523
|
|
|
|
endif::env-github,rspecator-view[]
|