Potential threat with eval?

Potential threat with eval?

boulaycoteboulaycote Posts: 2Questions: 0Answers: 0
edited June 2012 in DataTables 1.9
Hi,

There is this part in the _fnCreateCookie function:
[code]
var aSplitCookie = aCookies[i].split('=');
try { oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' ); }
catch( e ) { continue; }
[/code]
I see a potential threat. Any reason eval is used here?

It is also used a few lines earlier:
[code]
oData = (typeof $.parseJSON === 'function') ?
$.parseJSON( sValue ) : eval( '('+sValue+')' );
[/code]
Is that validation used for compatibility with older version of jquery? Why not just use $.parseJSON?

Thanks!

Replies

  • allanallan Posts: 63,695Questions: 1Answers: 10,500 Site admin
    I think the chances of an exploit with that are reasonably low (not impossible of course) simply because if someone has gained the ability to modify your cookies (which would be needed to exploit this) you've got much bigger problems!

    $.parseJSON isn't solely used because DataTables currently support jQuery 1.3+ and $.parseJSON was introduced in 1.4.1 ( http://api.jquery.com/jQuery.parseJSON/ ). So if you have jQuery 1.4.1+ then you aren't exposed to this issue since eval will not be used.

    Having said that, perhaps 1.10 is a good time to bump up the jQuery version requirement and remove that code... Issue opened: https://github.com/DataTables/DataTables/issues/66

    Allan
  • boulaycoteboulaycote Posts: 2Questions: 0Answers: 0
    All right! I'll just remove it from the source here and my bosses will be happy. Thanks a lot!
This discussion has been closed.