CSC/ECE 517 Fall 2012/ch1 1w28 mv: Difference between revisions

From Expertiza_Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
= eval =
= eval =
Eval function in most of the languages will either be a valid string representing expression in the language or some languages may allow blocks of valid code. The input is executed by the interpreter or compiler in same manner as other code in the language.
= Advantage of eval =
eval is useful for writing metaprogamming code in most of the languages. This is a great asset for statically typed languages where most of the operatioons are performed at the compile time. Consider the following case:
Problem statement:
Write a script to accept directories and pattern as input and send the files matching the pattern to a different server using sftp.
We can maintain a string to store all the filenames to be moved to a directory on destination server preceded with appropriate sftp commands and use eval method to execute those commands in batchmode.
= Disadvantages of eval =
Slow in Execution :
The code executed by eval runs slower, thus , whenever possible different technique should be used.


= Perl =
= Perl =
The general form of [[Perl (programming language)|Perl]] expects an expression or a block of code as an expression. The expr passed as an argument is parsed and executed as small Perl program. If there are no errors in the expr , which is parsed , then it is executed within the lexical content of the current Perl program.  
The general form of [[Perl (programming language)|Perl]] expects an expression or a block of code as an expression. The expr passed as an argument is parsed and executed as small Perl program. If there are no errors in the expr , which is parsed , then it is executed within the lexical content of the current Perl program.  


''' Error Handling with eval '''
=== Error Handling with eval ===
<br>Eval can be used to trap the errors. During execution of the routines , the program might die due to errors and interrupts in the code. However , using eval , the code can still be running if the errors are handled inside the eval without being exited. We can evaluate the functionality of eval from the given code.
Eval can be used to trap the errors. During execution of the routines , the program might die due to errors and interrupts in the code. However , using eval , the code can still be running if the errors are handled inside the eval without being exited. We can evaluate the functionality of eval from the given code.
===== print "entern number 1 \n"; <br>$number1 = <STDIN>; <br>chomp $number1; <br>print "enter number 2 \n"; <br>$number2 = <STDIN>; <br>chomp $number2; <br>print "division output is "; <br>$x =eval {$result = $number1/$number2}; <br>print "$x\n$@"; <br>$sum = $number1 + $number2; <br>print "sum is $sum \n"; <br>=====
===== print "entern number 1 \n"; <br>$number1 = <STDIN>; <br>chomp $number1; <br>print "enter number 2 \n"; <br>$number2 = <STDIN>; <br>chomp $number2; <br>print "division output is "; <br>$x =eval {$result = $number1/$number2}; <br>print "$x\n$@"; <br>$sum = $number1 + $number2; <br>print "sum is $sum \n"; <br>=====


The above given code prompts the user to give 2 inputs and then performs the division and addition of the numbers. If the second number entered by the user is 0 , then in that case code exits showing the error message and it does not calculate the addition. However , we can handle this exception using eval. Eval handles the exception, shows the appropriate error message and then return the controller back to the program without exiting it. Hence , even if the second input is 0 , the addition is performed by the eval method.
The above given code prompts the user to give 2 inputs and then performs the division and addition of the numbers. If the second number entered by the user is 0 , then in that case code exits showing the error message and it does not calculate the addition. However , we can handle this exception using eval. Eval handles the exception, shows the appropriate error message and then return the controller back to the program without exiting it. Hence , even if the second input is 0 , the addition is performed by the eval method.
= Security risks =
= Security risks =
Special care '''must''' be taken when using <code>eval</code> with data from an untrusted source. For instance, assuming that the <code>get_data()</code> function gets data from the Internet, this [[Python (programming language)|Python]] code is insecure:
'''JavaScript eval()'''
<br>Because most JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval() function, which was designed to evaluate JavaScript expressions. Rather than using a JSON-specific parser, the JavaScript interpreter itself is used to execute the JSON data to produce native JavaScript objects. However, there are some Unicode characters that are valid in JSON strings but invalid in JavaScript, so additional escaping would be needed before using a JavaScript interpreter.[16]
Unless precautions are taken to validate the data first, the eval technique is subject to security vulnerabilities if the data and the entire JavaScript environment is not within the control of a single trusted source. For example, if the data is itself not trusted, it may be subject to malicious JavaScript code injection attacks. Also, such breaches of trust may create vulnerabilities for data theft, authentication forgery, and other potential misuse of data and resources. Regular expressions can be used to validate the data prior to invoking eval(). Consider the following contrived example:


session['authenticated'] = False
'''<html><br><head><br></head><br><body><br><script type="text/javascript" lang="javascript">'''
<br>data = get_data()
'''alert("some problem");<br>var evalstring="obj={ name:'username',address: '238 Milton , st. Mary , WT 87382'}; alert('This is''' '''malicious code');";<br>eval(evalstring);<br></script><br></body><br></head><br></html> <br>'''
<br>foo = eval(data)  


An attacker could supply the program with the string <code>"session.update(authenticated=True)"</code> as data, which would update the <code>session</code> dictionary to set an authenticated key to be True. To remedy this, all data which will be used with <code>eval</code> must be escaped, or it must be run without access to potentially harmful functions.
Let's assume that the client side script is expecting a JSON object from the server. However, along with the JSON object it can also send other valid javascript statement. If the above code is run in the browser, after the execution of eval there will be an alert message saying 'This is malicious code'. The alert statement represents a placeholder for any potential javascript code. This can be avoided by using the safe Javascript library at JSON.org which contains the JSON.parse method.

Revision as of 02:53, 15 September 2012

eval

Eval function in most of the languages will either be a valid string representing expression in the language or some languages may allow blocks of valid code. The input is executed by the interpreter or compiler in same manner as other code in the language.

Advantage of eval

eval is useful for writing metaprogamming code in most of the languages. This is a great asset for statically typed languages where most of the operatioons are performed at the compile time. Consider the following case:

Problem statement: Write a script to accept directories and pattern as input and send the files matching the pattern to a different server using sftp.

We can maintain a string to store all the filenames to be moved to a directory on destination server preceded with appropriate sftp commands and use eval method to execute those commands in batchmode.


Disadvantages of eval

Slow in Execution : The code executed by eval runs slower, thus , whenever possible different technique should be used.

Perl

The general form of Perl expects an expression or a block of code as an expression. The expr passed as an argument is parsed and executed as small Perl program. If there are no errors in the expr , which is parsed , then it is executed within the lexical content of the current Perl program.

Error Handling with eval

Eval can be used to trap the errors. During execution of the routines , the program might die due to errors and interrupts in the code. However , using eval , the code can still be running if the errors are handled inside the eval without being exited. We can evaluate the functionality of eval from the given code.

print "entern number 1 \n";
$number1 = <STDIN>;
chomp $number1;
print "enter number 2 \n";
$number2 = <STDIN>;
chomp $number2;
print "division output is ";
$x =eval {$result = $number1/$number2};
print "$x\n$@";
$sum = $number1 + $number2;
print "sum is $sum \n";

The above given code prompts the user to give 2 inputs and then performs the division and addition of the numbers. If the second number entered by the user is 0 , then in that case code exits showing the error message and it does not calculate the addition. However , we can handle this exception using eval. Eval handles the exception, shows the appropriate error message and then return the controller back to the program without exiting it. Hence , even if the second input is 0 , the addition is performed by the eval method.

Security risks

JavaScript eval()
Because most JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval() function, which was designed to evaluate JavaScript expressions. Rather than using a JSON-specific parser, the JavaScript interpreter itself is used to execute the JSON data to produce native JavaScript objects. However, there are some Unicode characters that are valid in JSON strings but invalid in JavaScript, so additional escaping would be needed before using a JavaScript interpreter.[16] Unless precautions are taken to validate the data first, the eval technique is subject to security vulnerabilities if the data and the entire JavaScript environment is not within the control of a single trusted source. For example, if the data is itself not trusted, it may be subject to malicious JavaScript code injection attacks. Also, such breaches of trust may create vulnerabilities for data theft, authentication forgery, and other potential misuse of data and resources. Regular expressions can be used to validate the data prior to invoking eval(). Consider the following contrived example:

<html>
<head>
</head>
<body>
<script type="text/javascript" lang="javascript">
alert("some problem");
var evalstring="obj={ name:'username',address: '238 Milton , st. Mary , WT 87382'}; alert('This is
malicious code');";
eval(evalstring);
</script>
</body>
</head>
</html>

Let's assume that the client side script is expecting a JSON object from the server. However, along with the JSON object it can also send other valid javascript statement. If the above code is run in the browser, after the execution of eval there will be an alert message saying 'This is malicious code'. The alert statement represents a placeholder for any potential javascript code. This can be avoided by using the safe Javascript library at JSON.org which contains the JSON.parse method.