CODEWITHSUNDEEP
javascript
user905864
user905864

Reputation:

Can you find any security threat available on this javascript problem?

let's say I have a code as a following:

object[hash].init();

Please assume that hash comes from the website hash (www.example.com#hash).

Is there any possible security holes in the code I displayed above? For instance, is it possible that I could put any code in the #hash that injects and trigger any malicious code?

Thanks.

Upvotes: 1

Views: 143

Answers (3)

Felix Kling
Felix Kling

Reputation: 816790

This will be no problem, hash will not be evaluated as JavaScript code, it will be treated as a string. In case the value of hash is not a valid property name for object, object[hash] will return undefined and you will get an error (not being able to call init on undefined).

On the other hand, if you use hash in a way where strings are evaluated as JavaScript code, then you have a security problem.

So this is fine:

object[hash].init();

but this is not (even with inner quotes):

setTimeout("object['" + hash + "'].init();", 100);

For example if hash was a string containing

']; alert('foo'); object['something

Then alert('foo'); would be executed. It would be possible to inject and execute code without breaking your code.

That said, I would still not do it this way. It ties the code too much together. I would probable create a map of functions (which is similar to your example, but not the same):

var hashCodes = {
    'someHash': function() {
        object.something.init();
    }
};

if(hashCodes.hasOwnProperty(hash)) {
    hashCodes[hash]();
}

Upvotes: 6

Raynos
Raynos

Reputation: 169451

The only way this could ever cause problems is if you used ES6 harmony proxies.

Proxies allow you to catch all methods. See the FF Proxy

var object = Proxy({
  "get": function _get(obj, name) {
    // name is an evil string containing javascript
    eval(name); // security risk
    return {
      "init": function _init() {
        // init code
      }
    };
  }
});

There is no other way to implement a catch-all. This particular catch-all evals the name

Upvotes: 0

tinyd
tinyd

Reputation: 952

It's not really a security thing, more of a design thing but accessing what may be internal data structures from a publicly-exposed URL may enable malicious users to manipulate your code in unexpected ways. While this won't directly expose a security flaw, unexpected code behaviour can make it easier for risks to sneak into the code. However, if you're sure that calling the init() methods in the 'wrong' order would be fine if it were to happen, then there's no problem.

Upvotes: 1

Related Questions