Created
August 11, 2023 14:51
eval
The line that raises the "Code Injection" red flag is:

```javascript
return eval(c.substring(token.length, c.length));
```
eval() is dangerous whenever it runs on data an attacker can influence, and cookie values are exactly that: anything that can set a cookie for this origin (an XSS bug elsewhere on the site, a sibling subdomain, or an unencrypted request if the cookie is not marked Secure) can plant a cookie named "pluto" whose value is JavaScript rather than a list of ids. When getWindowIdList() reaches that cookie, eval() executes the attacker's code in the page's context.

To fix this, remove eval() and parse the cookie value with a parser that cannot execute code. Assuming the value after "pluto=" is a JSON array, JSON.parse() converts the string to an array without evaluating it:
```javascript
// eatSpacesFromFront() is a helper from the original code that the gist does not show;
// this one-line stand-in is assumed to strip leading whitespace from a cookie fragment.
function eatSpacesFromFront(s) {
  return s.replace(/^\s+/, "");
}

function getWindowIdList() {
  var token = "pluto=";
  var ca = document.cookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = eatSpacesFromFront(ca[i]);
    // Match the cookie name exactly at the start of the fragment; the original
    // indexOf(token) != -1 test would also accept a cookie such as "xpluto=".
    if (c.indexOf(token) === 0) {
      try {
        var parsed = JSON.parse(c.substring(token.length, c.length));
        // JSON.parse() accepts any JSON value; only hand back the array the caller expects.
        if (Array.isArray(parsed)) {
          return parsed;
        }
        console.error("pluto cookie is not a JSON array");
      } catch (e) {
        console.error("Error parsing pluto cookie:", e);
      }
    }
  }
  return [];
}
```
With JSON.parse() the cookie value is turned into data, never into code, so a hostile value can at worst produce a parse error or an unexpected shape, which is why the result is checked with Array.isArray() before it is returned. The cookie remains attacker-controlled input, so the ids inside the array should still be validated before they are used to look up or manipulate windows. Avoid eval() (and its relatives such as new Function() and setTimeout with a string argument) wherever possible because of the code-execution risk they carry. |