It's possible to turn a string into a function #5

Description

@vjeux

If the attacker controls a string and there's a function in the same serialization process, then they are going to be able to convert their string into a function.

var serialize = require('serialize-javascript');
console.log(serialize({a: function() {}, b: '@__FUNCTION_0__@'}));

{
  "a": function () {},
  "b": function () {}
}

It seems unlikely that it is possible to exploit it, but we never know.

In the same vein, an attacker can throw an exception if it is given a string and there's a function serialized somewhere.

var serialize = require('serialize-javascript');
console.log(serialize({a: function() {}, b: '@__FUNCTION_999__@'}));

serialize/node_modules/serialize-javascript/index.js:80
            serializedFn = fn.toString();
                             ^
TypeError: Cannot read property 'toString' of undefined
    at serialize/node_modules/serialize-javascript/index.js:80:30
    at String.replace (native)
    at serialize (serialize/node_modules/serialize-javascript/index.js:74:16)
    at Object.<anonymous> (serialize/test.js:2:13)
    at Module._compile (module.js:430:26)
    at Object.Module._extensions..js (module.js:448:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
    at Function.Module.runMain (module.js:471:10)
    at startup (node.js:117:18)
