Flotype / now

NowJS makes it easy to build real-time web apps using JavaScript
http://www.nowjs.com
MIT License

Security Hole via functions in the now pocket? #28

Closed skilesare closed 13 years ago

skilesare commented 13 years ago

I had a security question.

I just read the nowjs docs. And it seems that it would be easy to sabotage the server by passing up code that sets the server variables to null.

I guess it would be possible to avoid this if you never put anything in now that had a function attached to it. But it doesn't say this anywhere and it seems like a pretty big issue.

For example, say I have now.name = {firstname: 'skile', lastname: 'sare', fullname: function(){return this.firstname + ' ' + this.lastname}};

And then maliciously change this.fullname = function(){app = 1}; (via the chrome script window or some other method)

If the server calls this.now.fullname(), am I going to kill my node.js server's app object?

If variables are nicely sandboxed and/or given a new context when passed across, I'd love an explanation on how this is done and why it is safe.

It seems like you are just begging folks to inject node.js code into the server that does malicious things.

ericz commented 13 years ago

Hi skilesare, I'm glad you have been observant but nowjs is NOT vulnerable to the attack described.

Functions are always run on the machine that they are created on. So if you change fullname = function(){app = 1} and sync that with the server, when the server tries to call it, it'll pass a message through the socket and actually execute the function on the client side where you created it. So your browser javascript would throw an error, not the server.

There is never a situation where the server executes code created on the client or vice versa. We simply pass messages down the socket, execute on that side, and then handle any callbacks that may have been created.

In terms of overwriting things in general, the now scope exists between you and the server. So anything you change on the client side is only changed for your particular scope.

Thanks, Eric
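To make the model Eric describes concrete, here is a small added illustration written for this thread; it is not NowJS code. The toWire/fromWire/simulate names and the marker format are assumptions: functions never cross the "socket", only a marker naming them does, and the receiving side gets a stub that sends a message back to the origin, which runs its own copy locally.

```javascript
// Added illustration, not NowJS source: functions stay on the side that created them.
// toWire() replaces each function with a name marker and keeps the real function in a
// local registry; only JSON (no source code) is sent over the simulated socket.
function toWire(obj, registry) {
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    if (typeof value === 'function') {
      registry[key] = value;      // body never leaves this side
      out[key] = { __fn: key };   // marker only
    } else {
      out[key] = value;
    }
  }
  return JSON.parse(JSON.stringify(out)); // simulate the socket round trip
}

// fromWire() turns each marker into a stub that asks the origin side to run the
// function; the receiving side never evaluates any code from the peer.
function fromWire(wire, sendRpc) {
  const out = {};
  for (const [key, value] of Object.entries(wire)) {
    out[key] = value && value.__fn ? (...args) => sendRpc(value.__fn, args) : value;
  }
  return out;
}

// One client/server pair, replaying the scenario from the issue.
function simulate() {
  // --- client side (constructed sample) ---
  const clientRegistry = {};
  let clientApp = 'client-app';
  const clientNow = {
    firstname: 'skile',
    lastname: 'sare',
    // the "malicious" replacement: tries to clobber a variable named app
    fullname: function () { clientApp = 1; return this.firstname + ' ' + this.lastname; }
  };
  const wire = toWire(clientNow, clientRegistry);
  // the client answers RPC messages by running its own function, in its own scope
  const clientRpcHandler = (name, args) => clientRegistry[name].apply(clientNow, args);

  // --- server side ---
  const serverApp = { name: 'server-app' };
  const serverNow = fromWire(wire, clientRpcHandler);
  const result = serverNow.fullname(); // message goes back to the client; runs there
  const wireHasCode = JSON.stringify(wire).includes('function');
  return { result, serverApp, clientApp, wireHasCode };
}
```

Running simulate() shows the server's app object untouched, the client's own app variable clobbered, and no function source on the wire, which is exactly the separation the reply relies on.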

skilesare commented 13 years ago

Great news! Thanks for clearing this up.