Monday, February 13, 2012

NodeJS: Global Namespace Pollution


From a security standpoint, one big change for most server-side developers moving to NodeJS is the notion of JavaScript's global namespace. Without a good understanding of this inherent property, writing secure NodeJS web apps will be a challenge.

So what is it? A prime property of JavaScript is that it is a 'global' language:
  • variables by default have an implied global scope
  • functions by default have an implied global scope
  • all objects inherit from the native / built-in global objects
Let's understand this with a code snippet. In a traditional PHP script (or any other server-side paradigm that is not JavaScript), each request has its own scope, so code similar to the snippet below will always print 1. Not so in NodeJS: every request shares the same global scope.


With this code, each request increases the global variable gbl by 1, as seen in the screenshot below for two different requests. In a PHP script the same code would show 1 for every request.



So, what could go wrong from a security perspective? Short answer: it depends on the context and sensitivity of the global variable or function. An attacker could exploit this behavior to achieve the effects she wants. What could those be?
  • as a web user, could bypass logic flows
  • a malicious library could over-ride native, built-in or known objects, variables, functions to adversely impact sensitive code base/libraries
  • in a shared coding environment, an inexperienced developer could unintentionally over-ride native, built-in or known objects, variables, functions - adversely impacting sensitive code base/libraries
More serious consequences are possible; only time will tell.

So what's the defense? Unless a global is really needed, always define your functions and variables as local, as shown in the screenshot below.



Now you get the desired effect, as in PHP: each request shows gbl as 1. For potential rogue or malicious libraries, audit them! JSLint (though a bit noisy) is a good bet.
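The two snippets above were screenshots. As an added example (not the post's own code), the following simulates the per-request counter with plain handler functions instead of an http server: one keeps gbl on the global object and so counts up across requests, the other declares it locally and always answers 1. It also includes a small audit helper, leakedGlobals(), which lists names that have appeared on globalThis since the file started; that is a runtime complement to linting with JSLint. The handler names and the use of globalThis are this example's assumptions, since the original snippet's exact form is not visible on the page.

```javascript
'use strict';
// Added example, not code from the original post. It simulates the post's
// per-request counter with plain functions instead of an http server:
// leakyHandler() keeps `gbl` on the global object, safeHandler() keeps it local.
// leakedGlobals() is a small audit check for names that have appeared on
// globalThis since this file started, a runtime complement to linting.

// Names present on the global object before any "application" code runs.
const baselineGlobals = new Set(Object.getOwnPropertyNames(globalThis));

// Leaky version: `gbl` is a property of the global object, so every request
// handled by this process sees and mutates the same counter. (An undeclared
// `gbl = 0` in sloppy-mode code creates exactly this property; under
// 'use strict' that assignment throws, so the sharing is made explicit here.)
function leakyHandler() {
  if (globalThis.gbl === undefined) globalThis.gbl = 0;
  globalThis.gbl += 1;
  return globalThis.gbl; // value that would be sent back in the response
}

// Fixed version: the counter is declared with block scope inside the handler,
// so each request starts from 0 and always returns 1, as in the PHP model.
function safeHandler() {
  let gbl = 0;
  gbl += 1;
  return gbl;
}

// Run `count` simulated requests through a handler and collect the responses.
function simulate(handler, count) {
  const responses = [];
  for (let i = 0; i < count; i += 1) responses.push(handler());
  return responses;
}

// Audit check: names that have been added to globalThis since the baseline snapshot.
function leakedGlobals() {
  return Object.getOwnPropertyNames(globalThis).filter((name) => !baselineGlobals.has(name));
}

// Undo the leak so the demonstration can start clean.
function resetGlobalCounter() {
  delete globalThis.gbl;
}

console.log('leaky handler, two requests:', simulate(leakyHandler, 2)); // [ 1, 2 ]
console.log('globals leaked so far:', leakedGlobals());                 // [ 'gbl' ]
resetGlobalCounter();
console.log('safe handler, two requests:', simulate(safeHandler, 2));   // [ 1, 1 ]
console.log('globals leaked so far:', leakedGlobals());                 // []
```

Taking the baseline snapshot before loading application modules and diffing it after startup is a cheap way to catch a library, or a colleague, that has quietly added names to the global object.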

I am a JavaScript beginner, hence for healthy advice on typical programming requirements, I recommend reading Douglas Crockford's post on why Global is Evil and the best practices to avoid it.

12 comments:

  1. If this is something new to you, I would say that you are not familiar with JS in general. But, I agree that this is confusing for a PHP developer, who switches to NodeJS.

  2. Please be familiar with JS first.

  3. This article doesn't actually say how global variables are a security vulnerability, outside of being a potential cause of programming bugs for people who don't know JavaScript.

  4. Node.JS Courses Security TrainingNode.js Training Node js and server side JavaScript databases like MongoDB Courses Training Node js Online Course traditional server side programming Training Courses Node.js paradigms Node.js Essential Training WebDAV buffer overflow Node.js Online Training messing with global variables Courses Node.js Training in Chennai

  5. Thanks for sharing this blogpost. Really useful for learning NodeJS.
    NodeJS

  6. Good blog post. Really good information about nodejs. Thanks for sharing this post. NodeJS training in Bangalore

  7. Wow, absolutely fantastic blog. I am very glad to have such useful information.

    ทองดีฟันขาว

  8. Nice Post! Deciding on the Node.js web application framework for your project, you should pay attention to the following criteria: Community. Documentation. Versions upgrading. Scalability. System resources loading. Performance. Simplicity of development and testing. Availability and variety of modules.
    node.js development company

  9. I am very much pleased to read this post. I enjoyed every little bit part of it. It contains truly information. thanks for sharing publicly.

    Digital Marketing Company in India | Travel Technology Software | Software Development Solutions in India | Web Design Services in India | Mobile App Developer Noida

  10. We are among the best online companies providing affordable nursing essay writing services. When you nursing writing services, you get the services of experts and specialists in your field.

  11. Enjoyed reading the article above, really explains everything in detail, the article is very interesting and effective. Thank you and good luck for the upcoming articles learn Node JS training

  12. Great article..I am looking so forward to your blog comment and I love your page on your post.. That is so pretty.
    online gambling
