
Unsafe use of eval

Open cristianstaicu opened this issue 8 years ago • 1 comment

Even though the comment says the eval in lib/serialization.js is harmless:

function deserializeFromGUI(data) {
    var res;
    // Strip everything up to and including the "=" that precedes the document
    // (e.g. a leading "var doc = " sent by the GUI).
    data = data.replace(/^.+=[^{]+/, '');
    // The remaining string is evaluated as JavaScript, so any code embedded in
    // it runs with the privileges of the server process.
    eval('res = ' + data);
    return res;
}

I think it is still a big security risk. Allowing someone to manipulate your database with a tool like mongo-edit should not allow arbitrary code execution on the server where the app is deployed. Imagine the impact of combining something like this with XSS (See the book "Hacking: The Next Generation" for details on such a complex attack)! I suggest using some validation on the data using regexes or using a sanitization package like: https://www.npmjs.com/package/eval-sanitizer

cristianstaicu avatar Apr 08 '16 15:04 cristianstaicu
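A hardened replacement for the function quoted above, added here as an example and not mongo-edit's own code: it keeps the original prefix-stripping regex but parses the body with JSON.parse, which never executes code, so anything that is not a JSON literal is rejected instead of run. It assumes the GUI sends MongoDB Extended JSON ({"$oid": ...}, {"$date": ...}) rather than ObjectId(...) calls; safeDeserializeFromGUI and reviveExtendedJson are names chosen for this example.

```javascript
'use strict';

// Same prefix-stripping regex as the original deserializeFromGUI.
const GUI_PREFIX = /^.+=[^{]+/;

// Reviver for JSON.parse: validates the Extended JSON forms the GUI is assumed
// to send. $date becomes a Date; $oid is checked for shape and left for the
// caller to turn into the driver's ObjectId type. Malformed values throw.
function reviveExtendedJson(key, value) {
  if (value && typeof value === 'object' && !Array.isArray(value)) {
    if ('$oid' in value) {
      if (typeof value.$oid !== 'string' || !/^[0-9a-f]{24}$/i.test(value.$oid)) {
        throw new SyntaxError('invalid $oid value');
      }
      return value;
    }
    if ('$date' in value) {
      const d = new Date(value.$date);
      if (typeof value.$date !== 'string' || Number.isNaN(d.getTime())) {
        throw new SyntaxError('invalid $date value');
      }
      return d;
    }
  }
  return value;
}

// Hardened replacement: no eval. JSON.parse throws a SyntaxError on function
// calls, identifiers, arithmetic, comments or trailing code, so the only
// things that come back are plain data.
function safeDeserializeFromGUI(data) {
  if (typeof data !== 'string') throw new TypeError('expected a string');
  const body = data.replace(GUI_PREFIX, '');
  const doc = JSON.parse(body, reviveExtendedJson);
  if (doc === null || typeof doc !== 'object') {
    throw new SyntaxError('expected a document or array');
  }
  return doc;
}
```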

So @cristianstaicu, I am guessing the maintainers are dying in a ditch somewhere?

WORMSS avatar May 05 '17 12:05 WORMSS