@grmartin
Created February 14, 2019 23:47
Evaling in Node... on a server...
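
const express = require('express');
const bodyParser = require('body-parser');
const vm = require('vm');

const app = express();
const port = 3000;

// Accept the raw request body as text when it carries this made-up content type.
app.use(bodyParser.text({type: 'bloody-insane/javascript'}));

// Deliberately unsafe: the request body is executed as JavaScript on the server.
app.post('/unsafe', (req, res) => {
  return new Promise((resolve, reject) => {
    // The live req and res objects are handed to the script. The vm module is
    // not a security mechanism, so this context does not isolate untrusted code.
    const sandbox = { req: req, res: res, resolve: resolve, reject: reject };
    vm.createContext(sandbox);
    vm.runInContext(req.body + '; resolve();', sandbox);
  });
});

app.listen(port, () => console.log(`Example app listening on port ${port}!`));
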
POST /unsafe HTTP/1.1
Content-Type: bloody-insane/javascript
Host: 127.0.0.1:3000
Connection: close
User-Agent: Paw/3.1.8 (Macintosh; OS X/10.13.6) GCDHTTPRequest
Content-Length: 25

res.send("meow").end();

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 4
ETag: W/"4-fVwqLWE2+/FmIR1Rg79mIUokfzE"
Date: Thu, 14 Feb 2019 23:44:34 GMT
Connection: close

meow
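
A hardened counterpart to the /unsafe handler above, as an added example that is not part of the gist: the body is parsed as JSON and dispatched through a fixed allow-list instead of being passed to vm.runInContext. The function name handleAction, the action names, the message shape and the size limit are assumptions made for illustration.

```javascript
// Added example, not the gist author's code. The body is treated as data:
// parsed as JSON and matched against a fixed allow-list, never executed.
// Action names, message shape and limits are assumptions for illustration.
const MAX_BODY_BYTES = 1024;

// A Map, so names like "constructor" or "__proto__" cannot resolve to
// inherited object properties.
const ACTIONS = new Map([
  ['meow', () => 'meow'],
  ['echo', (args) => {
    if (typeof args.text !== 'string' || args.text.length > 100) {
      throw new TypeError('echo.text must be a string of at most 100 chars');
    }
    return args.text;
  }],
]);

// Returns {status, body}. In an Express route the caller would do
// res.status(r.status).type('text/plain').send(r.body).
function handleAction(rawBody) {
  if (typeof rawBody !== 'string') {
    return { status: 400, body: 'expected a text body' };
  }
  if (Buffer.byteLength(rawBody) > MAX_BODY_BYTES) {
    return { status: 413, body: 'body too large' };
  }
  let msg;
  try {
    msg = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, body: 'body is not valid JSON' };
  }
  if (msg === null || typeof msg !== 'object' || typeof msg.action !== 'string') {
    return { status: 400, body: 'expected {"action": "...", "args": {...}}' };
  }
  const action = ACTIONS.get(msg.action);
  if (!action) {
    return { status: 404, body: 'unknown action' };
  }
  const args = (msg.args !== null && typeof msg.args === 'object') ? msg.args : {};
  try {
    return { status: 200, body: action(args) };
  } catch (e) {
    return { status: 422, body: e.message };
  }
}
```

The request body shown in the gist, `res.send("meow").end();`, is not valid JSON, so this handler answers it with a 400 instead of running it.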