From a security standpoint, a big change for most server-side developers moving to NodeJS is JavaScript's global namespace. If this inherent property is misunderstood or only partly known, writing secure NodeJS web apps will be a challenge.
So what is it? A prime property of JavaScript is that it is a 'global' language:
- variables by default have an implied global scope
- functions by default have an implied global scope
- all objects inherit from the native / built-in global objects
With this code, each request increases the global variable gbl by 1, as the screenshot below shows for two different requests. In a PHP script, where every request starts from a fresh state, the same code would show 1 for every request.
So, what could go wrong from a security perspective? Short answer: it depends on the context and sensitivity of the global variable or function. An attacker could exploit this behavior to achieve the effects she wants. What could those be?
- a web user could bypass logic flows
- a malicious library could override native, built-in or known objects, variables and functions, adversely impacting sensitive code bases and libraries
- in a shared coding environment, an inexperienced developer could unintentionally override native, built-in or known objects, variables and functions, adversely impacting sensitive code bases and libraries
So what's the defense? Unless a global is really needed, always define your functions and variables as local, as shown in the screenshot below.
Now you get the desired effect, as in PHP: each request shows gbl as 1. For potentially rogue or malicious libraries: audit them! JSLint (though a bit noisy) is a good bet.
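The two screenshots are not reproduced here, so the following is an added example (mine, not the post's code) that models the same per-request counter: one handler keeps gbl on the shared global object, the other declares it locally; the handler names, the simulate() driver and the newGlobals() audit helper are this example's own.

```javascript
// Added example, not code from the original post. It models the post's
// per-request counter: one handler keeps `gbl` on the shared global object,
// the other declares it locally. All names here are this example's own.

// Leaky version: the counter lives on the global object, which is exactly
// where an undeclared `gbl = 0` lands in sloppy-mode JavaScript (strict
// mode throws a ReferenceError instead). Every request, and every loaded
// module, sees and can change the same value.
function leakyHandler(req, res) {
  globalThis.gbl = (globalThis.gbl || 0) + 1;
  res.end(String(globalThis.gbl));
}

// Fixed version: `let` scopes the counter to this invocation, so each
// request starts from 0 and no other code can read or alter it.
function localHandler(req, res) {
  let gbl = 0;
  gbl += 1;
  res.end(String(gbl));
}

// Drive a handler N times with a constructed (req, res) pair shaped like
// Node's http objects and collect each response body.
function simulate(handler, requests) {
  const bodies = [];
  for (let i = 0; i < requests; i++) {
    handler({ url: '/' }, { end: (body) => bodies.push(body) });
  }
  return bodies;
}

// Audit helper: names that appeared on the global object since `before`
// was taken; run it around a require() to see what a library leaks.
function newGlobals(before) {
  return Object.keys(globalThis).filter((name) => !before.has(name));
}

const snapshot = new Set(Object.keys(globalThis));
console.log('leaky:', simulate(leakyHandler, 3));     // [ '1', '2', '3' ]
console.log('local:', simulate(localHandler, 3));     // [ '1', '1', '1' ]
console.log('leaked globals:', newGlobals(snapshot)); // [ 'gbl' ]
```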
I am a JavaScript beginner, hence for healthy advice on typical programming requirements, I recommend reading Douglas Crockford's post on why Global is Evil and the best practices to avoid it.
If this is something new to you, I would say that you are not familiar with JS in general. But, I agree that this is confusing for a PHP developer who switches to NodeJS.
Please be familiar with JS first.
This article doesn't actually say how global variables are a security vulnerability, outside of being a potential cause of programming bugs for people who don't know JavaScript.