Inappropriate coding practices - Eval function - TypeScript

Inappropriate coding practices - Eval function - TypeScript

Need

Secure input validation and sanitization

Context

  • Usage of TypeScript for type-checking and compiling JavaScript code
  • Usage of Express for building web applications and APIs

Description

Non compliant code

        import express from 'express';

const app = express();

app.get('/eval', (req, res) => {
  const userInput = req.query.input;
  eval(userInput);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The vulnerability in this code lies in the use of the eval function without proper validation of the user input.

In the code, the app.get method is used to handle GET requests to the '/eval' endpoint. Inside the request handler, the user input is retrieved from the req.query.input property and directly passed to the eval function.

The eval function is a powerful JavaScript function that can execute any code passed to it as a string. This means that if an attacker provides malicious input, they can inject arbitrary code that will be executed on the server.

This can lead to serious security risks, such as the ability for an attacker to execute arbitrary commands on the server or send expressions that could potentially saturate the server's resources.

To mitigate this vulnerability, it is recommended to perform proper validation and sanitization of user input before using it in an eval function or any other potentially dangerous context.

Steps

  • Remove the use of the eval function.
  • Validate and sanitize the user input before using it.
  • Use a safer alternative to execute dynamic code if necessary, such as a JavaScript parser or a sandboxed environment.

Compliant code

        import express from 'express';

const app = express();

app.get('/eval', (req, res) => {
  const userInput = req.query.input;
  // Validate and sanitize the user input
  const sanitizedInput = validateAndSanitize(userInput);
  // Use a safer alternative to execute dynamic code
  executeCode(sanitizedInput);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

function validateAndSanitize(input: string): string {
  // Perform validation and sanitization logic here
  // Return the sanitized input
}

function executeCode(input: string) {
  // Execute the code using a safer alternative
}
        
        

The fixed code addresses the vulnerability by implementing proper validation and sanitization of user input before executing any dynamic code.

Here's an explanation of the code:

1. The code imports the Express framework and creates an instance of the Express application. 2. The application listens for GET requests on the '/eval' endpoint. 3. When a GET request is received, the code retrieves the user input from the query parameter named 'input' using req.query.input. 4. The user input is then passed to the validateAndSanitize function to perform validation and sanitization. 5. The validateAndSanitize function is responsible for implementing the necessary logic to validate and sanitize the user input. It takes a string as input and returns a sanitized string. 6. After the user input is validated and sanitized, it is passed to the executeCode function. 7. The executeCode function is responsible for executing the dynamic code using a safer alternative. The implementation of this function is not provided in the code snippet, but it should use a secure method to execute the code, such as using a sandboxed environment or a restricted execution context. 8. The application listens on port 3000 and logs a message to indicate that the server is running.

By implementing proper validation and sanitization of user input and using a safer alternative to execute dynamic code, the fixed code mitigates the risk of code injection vulnerabilities.

References