Monday, February 13, 2012

NodeJS: 'with' is evil

It is a known fact that the with statement in JavaScript is evil. For a good read on why, see Douglas Crockford's post on the YUI blog.

Let's look at what this implies for server-side JavaScript. Below is a fun little app coded by a beginner. It tries to be funny, although in real apps this could lead to unbelievably serious vulnerabilities.


So what went wrong here? The developer loves using with for its shorthand and thought she had spelled the property names of the welcome object correctly. It also didn't show any errors. But what her first user on the web saw was this (not that this):



So, she made a typo and ended up unintentionally modifying global variables she wasn't even aware of. Just imagine they existed in some other code base she couldn't even see. This reminds me how difficult it will be for a security guy like me to code review code that uses with.

Here is how with works: it first tries to resolve the assigned name as a property of the object passed to with. If it is found there, great; otherwise it walks up through the enclosing scopes until it reaches the global scope, assigning to (actually clobbering) whatever other variable has that name if there is a match. Think common names like i, x, a, name... we all grew up coding with (not that with).

In short, do not use with unless you are very sure of what you are doing. On a positive note, use of with is forbidden in ES5 strict mode.
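To make the scope-chain walk described above concrete, here is an added example (not code from the original post) that models the post's scenario with a constructed welcome object, an unrelated outer variable named name, and a typo inside with; it also shows the explicit-receiver rewrite and the strict-mode rejection. The bodies that contain with are compiled with the Function constructor so they run in sloppy mode (where with is still legal) even if this file is loaded as an ES module.

```javascript
// Added example, not code from the original post. Constructed stand-in for the
// beginner's app: the intent is to fill welcome.userName, but the property name
// is mistyped as `name`, which happens to exist in an enclosing scope.
const sloppyWelcomeApp = new Function(`
  var name = "admin";                 // unrelated variable in an enclosing scope
  var welcome = { title: "Hi", userName: "" };
  with (welcome) {
    title = "Hello";                  // found on welcome: updates welcome.title
    name = "guest";                   // NOT on welcome: walks up the scope chain
                                      // and overwrites the outer 'name' instead
    greeting = "Welcome aboard";      // bound nowhere: sloppy mode mints a global
  }
  var leaked = typeof globalThis.greeting;
  delete globalThis.greeting;         // tidy up the accidental global
  return { title: welcome.title, userName: welcome.userName,
           outerName: name, leaked: leaked };
`);

// Same intent written without `with`: every receiver is explicit, so a typo
// shows up as a wrong property on welcome, never as a clobbered outer binding.
function explicitWelcomeApp() {
  let name = "admin";
  const welcome = { title: "Hi", userName: "" };
  welcome.title = "Hello";
  welcome.userName = "guest";
  return { title: welcome.title, userName: welcome.userName, outerName: name };
}

// ES5 strict mode rejects `with` at parse time, so this whole class of bug
// becomes a SyntaxError instead of a silent write to some other variable.
function withIsRejectedInStrictMode() {
  try {
    new Function('"use strict"; with ({}) {}');
    return false;
  } catch (err) {
    return err instanceof SyntaxError;
  }
}

console.log(sloppyWelcomeApp());           // outerName: "guest", userName: "", leaked: "string"
console.log(explicitWelcomeApp());         // outerName: "admin", userName: "guest"
console.log(withIsRejectedInStrictMode()); // true
```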



16 comments:

  1. Create an object and contain variables there, e.g.:

    var my_constants = {
        names : "bla bla",
        browsers : "bla bla"
    }

    So, it will become a namespace and its variables are hardly ever overwritten. It's one of the JS good practices as well.

    It's nothing to do with Node.js. Learn JS first! Don't be an idiot.
    Google JS good practices.

  2. You wrongly define a global variable if you do programming this way. You will completely mess up, so first better define a namespace, where variables are only accessible from the namespace instead of by direct access.
