-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move eval to parseInt #3328
Move eval to parseInt #3328
Conversation
const value = parseInt(str, 10); | ||
|
||
if (typeof value !== 'number') { | ||
if (isNaN(value)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume that eval is correct in this place since there is a regex above checking for a valid string containing only digits and mathematical characters, i.e. numerical equation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The parseInt will turn it into a base 10 number and isNan will check if it succeeded.
The general issue with this is to change the .env values for While this is more readable in env, I would rather include comments to the .env file than execute eval in unsafe places. Ot at least used the math function which checks for the string validity |
While I think this update is necessary I'm concerned of backwards compatibility. Thinking how to handle this gracefully so it doesn't create so many tickets. |
I see. So, what about keeping only the math function and use it instead of eval. Then, the math function gonna check for the string if it contains only digits and then it uses parseInt, otherwise it would use the eval (as there is the regex checking for the valid string equation). There gonna be an announcement that users should migrate their env values to contain only digits, for performance improvements. And the breaking change would be then introduced only when releasing a major version (in future). ? |
I honestly didn't think of that. Good catch. This change isn't really worth it in that case. The alternatives are slower, this is only executed a couple times during the lifecycle of the app, and the attack vector is low. It's not bad to use If your ENV vars are a legitimate attack vector, then you have much more serious problems. 🤣 |
Summary
Using
parseInt
is preferred overeval
for handling environment variables becauseparseInt
safely converts a string to an integer without executing any code. In contrast,eval
can execute arbitrary code, which poses a significant security risk if the environment variable contains malicious input. By usingparseInt
, we mitigate the risk of code injection attacks and ensure that only numerical values are processed.While this isn't used in a whole lot of places and the chances of a malicious environment variable is low, it's also a significant performance boost.
Running this script:
I get this output on my local machine (MBA M1-series first gen):
Change Type
Please delete any irrelevant options.
Testing
Tests should pass as normal and no changes should be seen within the app. It should work the same, unless there were environment variable based code being injected.
Checklist
Please delete any irrelevant options.
Copilot Summary
This pull request includes changes to improve the security and robustness of the codebase. The most important changes involve replacing the
eval
function withparseInt
in several files to parse environment variables. This change improves security by avoiding the potential execution of malicious code.Changes to environment variable parsing:
api/models/Session.js
: Replacedeval
withparseInt
for parsing theREFRESH_TOKEN_EXPIRY
environment variable.api/models/userMethods.js
: Replacedeval
withparseInt
for parsing theSESSION_EXPIRY
environment variable.api/server/services/AuthService.js
: Replacedeval
withparseInt
for parsing theREFRESH_TOKEN_EXPIRY
environment variable.Changes to utility functions:
api/server/utils/math.js
: Replacedeval
withparseInt
in themath
function and updated the error message to reflect the change.