Monday, February 13, 2012

NodeJS: Global Namespace Pollution


From a security standpoint, a big change for most server-side developers moving to NodeJS is the notion of JavaScript's global namespace. If this inherent property is misunderstood, or only partly understood, writing secure NodeJS web apps will be a challenge.

So what is it? A prime property of JavaScript is that it is a 'global' language:
  • variables by default have an implied global scope
  • functions by default have an implied global scope
  • all objects inherit from the native / built-in global objects
Let's understand this with a code snippet. In a traditional PHP script (or any other non-server-side JS paradigm), each request has its own scope, so code similar to the one below will always print 1. Not so in NodeJS: every request shares the same global scope.


With this code, each request increments the global variable gbl by 1, as seen in the screenshot below for two different requests. In a PHP script the same code would show 1 for every request.
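The behaviour described above, as an added example that is not the original post's screenshot code: a handler that keeps its counter on the global object is called twice (simulating two requests in one Node process) and compared with a handler whose counter is function-local, together with a small check that reports any names a handler leaked onto the global object. The handler and function names are the example's own.

```javascript
// Added example, not from the original post. Simulates two requests hitting
// a handler that uses a global counter versus one that uses a local counter.

// The "wrong" way: the counter lives on the global object, so every request
// handled by this Node process sees and mutates the same value. In sloppy-mode
// JS, a bare `gbl = 0` (no var/let/const) creates the same global; it is
// written explicitly here so the example also runs under strict mode.
function leakyHandler() {
  if (globalThis.gbl === undefined) globalThis.gbl = 0;
  globalThis.gbl += 1;
  return globalThis.gbl;
}

// The "right" way: the counter is local to each invocation, which gives the
// per-request isolation a PHP developer expects.
function scopedHandler() {
  let gbl = 0;
  gbl += 1;
  return gbl;
}

// Call a handler n times in sequence (one call per simulated request) and
// collect the value each request observed.
function simulateRequests(handler, n) {
  const seen = [];
  for (let i = 0; i < n; i++) seen.push(handler());
  return seen;
}

// Defensive check for an audit: run a handler once and list every property
// name it added to the global object. Accidental globals show up here.
function detectGlobalLeaks(handler) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  handler();
  return Object.getOwnPropertyNames(globalThis).filter((k) => !before.has(k));
}

// Remove the demo global so the example can be re-run from a clean state.
function resetGlobal() {
  delete globalThis.gbl;
}

// Stand-alone demo: shared global shows 1 then 2; local scope shows 1 then 1.
resetGlobal();
console.log('global counter :', simulateRequests(leakyHandler, 2));
console.log('local counter  :', simulateRequests(scopedHandler, 2));
resetGlobal();
console.log('leaked globals :', detectGlobalLeaks(leakyHandler));
resetGlobal();
```

The leak check works because assigning to an undeclared name (or to `globalThis` directly) creates an own property on the global object, so a before/after snapshot of `Object.getOwnPropertyNames(globalThis)` exposes it; the same snapshot idea can be run once at startup and once after all modules are loaded.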



So, what could go wrong from a security perspective? Short answer: it depends on the context and sensitivity of the global variable or function. An attacker could exploit this behaviour to her benefit. What could that look like?
  • as a web user, bypassing logic flows
  • a malicious library overriding native, built-in or known objects, variables or functions, adversely impacting a sensitive code base or its libraries
  • in a shared coding environment, an inexperienced developer unintentionally overriding native, built-in or known objects, variables or functions, with the same adverse impact on a sensitive code base or its libraries
More serious consequences are possible; only time will tell.
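For the two library-related points above, an added example (not from the original post) of the audit a defender can run: pin references to a few built-in functions before third-party code loads, then compare after loading to see whether any were replaced. The library being loaded is a constructed stand-in, not a real package, and the watched list is the example's own choice.

```javascript
// Added example, not from the original post. Detects whether loading a
// library replaced built-in functions on the global object.

// Built-ins pinned for this demo; a real audit list would be much longer.
const WATCHED_BUILTINS = ['parseInt', 'parseFloat', 'isNaN', 'encodeURIComponent'];

// Record the original function references before any third-party code runs.
function snapshotBuiltins(names = WATCHED_BUILTINS) {
  const snap = new Map();
  for (const name of names) snap.set(name, globalThis[name]);
  return snap;
}

// Compare the live references against the snapshot; identity comparison
// catches any reassignment, even a wrapper that forwards to the original.
function findOverriddenBuiltins(snap) {
  const changed = [];
  for (const [name, original] of snap) {
    if (globalThis[name] !== original) changed.push(name);
  }
  return changed;
}

// Constructed stand-in (hypothetical, not a real package) for a library that
// "helpfully" replaces a built-in. It returns a restore hook so the demo can
// undo the change afterwards.
function loadSloppyLibrary() {
  const original = globalThis.parseInt;
  globalThis.parseInt = function (s, radix) {
    return original(String(s).trim(), radix === undefined ? 10 : radix);
  };
  return () => { globalThis.parseInt = original; };
}

// Stand-in for a well-behaved library that touches nothing global.
function loadCleanLibrary() {
  return () => {};
}

// Snapshot, load, diff, restore: returns the names the loader overrode.
function auditLibraryLoad(loader) {
  const snap = snapshotBuiltins();
  const restore = loader();
  const changed = findOverriddenBuiltins(snap);
  restore();
  return changed;
}

// Stand-alone demo.
console.log('sloppy library overrode:', auditLibraryLoad(loadSloppyLibrary));
console.log('clean library overrode :', auditLibraryLoad(loadCleanLibrary));
```

In a real application the snapshot is taken as the first statement of the entry point and the comparison runs after all `require` calls, so that any module which reassigns a global built-in is reported by name before the server starts accepting requests.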

So what's the defense? Unless a global is really needed, always define your functions and variables as local, as shown in the screenshot below.



Now you get the desired effect, as in PHP: each request shows gbl as 1. For potentially rogue or malicious libraries, audit them! JSLint (though a bit noisy) is a good bet.

I am a JavaScript beginner, hence for healthy advice on typical programming requirements, I recommend reading Douglas Crockford's post on why Global is Evil and the best practices to avoid it.

12 comments:

  1. If this is something new to you, I would say that you are not familiar with JS in general. But, I agree that this is confusing for a PHP developer, who switches to NodeJS.

  2. Please be familiar with JS first.

  3. This article doesn't actually say how global variables are a security vulnerability, outside of being a potential cause of programming bugs for people who don't know JavaScript.

  4. Node.JS Courses Security TrainingNode.js Training Node js and server side JavaScript databases like MongoDB Courses Training Node js Online Course traditional server side programming Training Courses Node.js paradigms Node.js Essential Training WebDAV buffer overflow Node.js Online Training messing with global variables Courses Node.js Training in Chennai

  5. I found a lot of information here to create this actually best for all newbie here. Thank you for this information.
    Lenny Face , Text Face , Text Faces , Lenny Face , Text Face

  6. I must appreciate the way you have expressed your feelings through your blog!..
    banana kong , banana kong , banana kong , banana kong , banana kong

  7. You need to have time to take care of the active. It in fact was an amusement account it. Look advanced to far added agreeable from you.
    Hotmail
    Hotmail Iniciar Sesión
    Iniciar Sesión
    Iniciar Sesión Hotmail
    Iniciar Sesión
    Iniciar Sesión Hotmail

  8. Life becomes more interesting and wonderful when you share your memorable moments with friends and family through unique photographs. You can create your own unique style impressed with image editing software. And after hours of work stress you can also

    whatsapp messenger
    baixar whatsapp
    whatsapp plus
    download whatsapp
    whatsapp baixar

  9. Mostly people have all the same things when they are writing academic task or any other writing, especially light music most people like during the writing.
    facebook iniciar sesión , facebook, iniciar sesion , iniciar sesion facebook

  10. Thanks for sharing this blogpost. Really useful for learning NodeJS.
    NodeJS

  11. Good blog post. Really good information about nodejs. Thanks for sharing this post. NodeJS training in Bangalore
