Node.JS redirect eval output to string

Question

Can I redirect nodejs eval output to string or any other way?

edit: I need to return it as string as response for my web application (post data)

var http = require('http');

var server = http.createServer(function(req, res) {
    var script = '';
    if (req.method === 'POST' && req.url === '/doeval') {
      req.on('data', function(chunk) {
        script += chunk;
      });

      req.on('end', function() {
        // script = 'console.log("aaaa")';

        var result = eval(script);
        res.write(String(result));
        res.end();
      });
    }
  }
}

server.listen(80);

output:

result: undefined

expected:

result: aaaa

Answer 1

Note: Running untrusted code is extremely dangerous and you should be extremely careful with whatever solution you are choosing. The one proposed here has flaws as well. To be safer, consider using a container, such as docker or lxc.

---

Don't use eval in this case. It's the wrong tool for the job. Do you really want arbitrary code to be evaled in your webserver context? What if the sent code is throw new Error('haha') or process.exit()? It's a huge security risk! Write the code to a temporary file, spawn a node process that executes the file and read its output. See https://nodejs.org/api/child_process.html .

Example:

var http = require('http');
var fs = require('fs');
var childProcess = require('child_process');

var server = http.createServer(function(req, res) {
    var script = '';
    if (req.method === 'POST' && req.url === '/doeval') {
      req.on('data', function(chunk) {
        script += chunk;
      });

      req.on('end', function() {
        var tempFileName = Date.now() + '.js';
        fs.writeFile(tempFileName, script, function(err) {
          if (err) {
            // handle error
          }

          child_process.execFile('node', [tempFileName], function(err, stdout, stderr) {
            if (err) {
              // handle err
            }

            // Delete tempfile...

            res.write(stdout);
            res.end();
          });
        });
      });
    }
  }
}

server.listen(80);

There are existing npm packages that help creating and cleaning up temporary files. Also have a look at other methods of child_process.

But, this is not secure yet because the subprocess will run with the same privileges as your server (which by the looks of it runs as root :-/ ).

You should set the owner (and the group) of the file and the subprocess to nobody or some other system user that basically doesn't have any rights to access anything. Or chroot the subprocess.

Answer 2

Note: It was downvoted but read the entire answer before jumping to conclusions

First of all this looks like a completely insecure functionality that can potentially open your system to countless vulnerabilities. But it's an interesting question so I'll answer how you can do what you ask for, but I strongly suggest to reconsider your requirements nonetheless.

That having been said, you could pass a fake console object to you evaluated script, by wrapping it in a closure in a similar way like modules are wrapped when they are required.

Instead of eval you can use the vm module to run the script in a separate V8 context with no access file system or even require().

Note that I don't recommend saving it in a file and running it as a child process because that way the script will have access to your file system which is a serious vulnerability. The only option I would ever consider running untrusted code as a standalone process would be inside of a container that has no access to the network or any shared storage outside of that container.

With eval

For example:

const util = require('util');

const script = 'console.log("aaaa");';

let result = '';
const cons = {
  log: (...args) => result += (util.format(...args) + '\n'),
};
eval(`((console) => { ${script} })`)(cons);

console.log('result:', result);

This will work if everything is synchronous. If the console.log happens asynchronously then you will have to add some way of waiting for the changes.

So this will not work:

const util = require('util');

const script = 'setTimeout(() => console.log("aaaa"), 1000);';

let result = '';
const cons = {
  log: (...args) => result += (util.format(...args) + '\n'),
};
eval(`((console) => { ${script} })`)(cons);

console.log('result:', result);

but this will:

const util = require('util');

const script = 'setTimeout(() => console.log("aaaa"), 1000);';

let result = '';
const cons = {
  log: (...args) => result += (util.format(...args) + '\n'),
};
eval(`((console) => { ${script} })`)(cons);

setTimeout(() => console.log('result:', result), 1500);

because it waits before inspecting the collected output longer than it takes the evaluated code to create that output.

Without eval

You can run that code in a separate V8 context that has no access to other modules, file system, etc. For example:

const vm = require('vm');
const util = require('util');

const script = 'console.log("aaaa");';

let result = '';

const cons = {
  log: (...args) => result += (util.format(...args) + '\n'),
};
const context = vm.createContext({console: cons});

vm.runInContext(script, context);

console.log('result:', result);

Handling syntax errors

You can handle syntax errors to make sure that this script will not crash your application like this:

const vm = require('vm');
const util = require('util');

const script = 'console.lo("aaaa");';

let result = '';

const cons = {
  log: (...args) => result += (util.format(...args) + '\n'),
};
const context = vm.createContext({console: cons});

try {
  vm.runInContext(script, context);
  console.log('result:', result);
} catch (err) {
  console.log('error:', err.message);
}

Now instead of crashing it will print:

error: console.lo is not a function