Monday, February 13, 2012

NodeJS: 'with' is evil

It is a known fact that with statement in JavaScript is evil. For a good read on why read Douglas Crockford's post on YUI blog.

Let's look at how it implies on server side JavaScript. Below is a fun little app coded by a beginner that tries to be funny although in real apps this could lead to unbelievably serious vulnerabilities.


So what went wrong here? The developer loves using with for it's shot handedness and thought she called the property names of the welcome object correctly. Also it didn't show any errors. But what her first user on the web saw was this (not that this)



So, she did a typo and ended up unintentionally modifying global variables she wasn't even aware of. Let's just imagine they existed in some other code base where she couldn't even see. This just reminds me how difficult will it be for a security guy like me to code review a code with with.

Now how with works is, it tries to find the property assignments in the context of the called object, if found, great, else it tracks back on the higher scope till reaching the global scope and assigning (actually clobbering) value of some other global variable if there is a match. Think common names like i, x, a, name... we all grew up coding with (not that with).

In short, do not use with, unless you are very sure of what you are doing. On a positive note, use of with is forbidden in ES5 strict mode.



Posted by at
Labels: , , ,

52 comments:

  1. AnonymousJune 27, 2012 at 1:07 AM

    create an object and contain variables there.
    eg:

    var my_constants = {
    names : "bla bla",
    browsers : "bla bla"
    }

    So, it will become a namespace and its variables are hardly overwritten. It's one of the JS good practices as well.

    It's nothing to do with NodeJs. Learn JS first! Don't be an idiot.
    Google JS good practices.

    ReplyDelete
  2. Bhagi Raj LimbuDecember 27, 2013 at 7:45 AM

    You wrongly define a Global variable, if you do programming this way. You will completely mess up, So first better define namespace, where you can only accessible from namespace instead of direct access.

    ReplyDelete
  3. for ict 99January 11, 2016 at 7:53 PM

    Node.JS Courses Security TrainingNode.js Training Node js and server side JavaScript databases like MongoDB Courses Training Node js Online Course traditional server side programming Training Courses Node.js paradigms Node.js Essential Training WebDAV buffer overflow Node.js Online Training messing with global variables Courses Node.js Training in Chennai

    ReplyDelete
  4. GennieJanuary 31, 2016 at 9:47 PM

    This is just perfect,..
    Thank you so much for this helpful article,.
    angularjs course

    ReplyDelete
  5. stewardMarch 24, 2016 at 9:31 PM

    Keep sharing more informative posts like that,
    AngularJs development companies

    ReplyDelete
  6. stewardJuly 26, 2016 at 10:09 PM

    Thanks for such a nice blog,
    javascript image editor

    ReplyDelete
  7. kumarMarch 8, 2017 at 3:45 PM

    Really an amazing post..! By reading your blog post I gathered more information about NodeJS. I really appreciate your news. Thanks a lot for posting individual information and made me more knowledgeable person. I hope it will be very helpful for all. I don't have words to describe this blog.Thanks for sharing valuable post.
    Engineering Colleges, ECE Engineering Colleges in Chennai

    ReplyDelete
  8. UnknownJune 29, 2017 at 4:52 PM

    Nice blog spot. Very useful information about NodeJS with evil. keep. easily understandable.
    Node JS Training in Bangalore

    ReplyDelete
  9. InwizardsSeptember 14, 2017 at 4:33 PM

    Nice blog. Thanks for sharing such great information.Hire Angularjs Developer , Nodejs Development Company

    ReplyDelete
  10. vaiyboraOctober 19, 2017 at 8:42 AM

    I really like you post good blog,Thanks for your sharing.

    ทองดีฟันขาว

    ReplyDelete
  11. NemcoFebruary 23, 2018 at 10:19 AM

    This is a nice and informative, containing all information and also has a great impact on the new technology.
    node.js development services

    ReplyDelete
  12. InwizardsMarch 21, 2018 at 3:44 PM

    Nice blog and absolutely outstanding. You can do something much better but i still say this perfect.Keep trying for the best. Angularjs Development Services

    ReplyDelete
  13. UnknownMarch 23, 2018 at 12:31 PM

    This comment has been removed by the author.

    ReplyDelete
  14. UnknownMarch 23, 2018 at 12:33 PM

    It is very useful information about Node Js. This is the place for learner and glad to be here in this blog Thank you
    Node Js Training in Hyderabad
    Best Node JsTraining in Hyderabad
    Node Js Online Training
    Best Node Js Training in india

    ReplyDelete
  15. rajithaMay 8, 2018 at 4:01 PM

    very useful blog to learner so happy to be part in this blog. Thank you

    Nodejs training in hyderabad
    Enroll now

    ReplyDelete
  16. UnknownOctober 27, 2018 at 11:51 AM

    Node.js Web Application Development India,

    ReplyDelete
  17. meldaresearchusaJune 24, 2019 at 1:26 PM


    Our research paper service writers have been 14 years experience in the field where they have assisted thousands of returning clients in attaining high scores.

    ReplyDelete
  18. Rich BrownJuly 8, 2019 at 1:38 PM

    Hey That was a great read, very informative, though native java debugging is not something I am good at i really liked this article, Check this out for a little more info.
    React JS

    ReplyDelete
  19. IvymeldaAugust 2, 2019 at 3:30 PM

    We understand that students in Australia encounter different challenges in completing their Best Research Paper Writing Service. We offer College Term Paper Writing Service to students regardless of their specialty, discipline or educational level.

    ReplyDelete
  20. RamakrishnaAugust 27, 2019 at 5:42 PM

    Very good explanation sir. Thank you for sharing
    NodeJs Online Training
    NodeJs Training in Hyderabad
    NodeJs Training in Ameerpet
    Best NodeJs Training in Hyderabad

    ReplyDelete
  21. Gclub SlotSeptember 2, 2019 at 3:24 PM

    thank you
    .....................
    Mclub


    ReplyDelete
  22. Zinavo-Web Design | Web Development | SEO | Mobile Apps | ERP/CRMSeptember 18, 2019 at 2:13 PM

    This is a great post. I like this topic.Your writing skills is very unique and informative..Keep updating more information from your blog. Web Designing Company in Bangalore | Web Design Companies in Bangalore | Website Development Company in Bangalore | Web Development Company in Bangalore | Website Design Company in Bangalore

    ReplyDelete
  23. Dynamic Hip-hop Dance InstituteDecember 17, 2019 at 6:46 PM

    Thanks for this information. Happy to find Information like this.

    Dynamic Hip-Hop And Western Dance Institute one of the best dance institute in Indore. Please contact for dance choreography in your school function for sangeet.

    ReplyDelete
  24. mobileappdevelopmentFebruary 25, 2021 at 10:59 AM

    Great post and it is really so interesting to read. I will suggest this blog to others

    mobile app development company| web app development company|cloud app development company|saas app development company|custom mobile app & web app development company|mobile app and web app maintenance services|seo services | seo company|digital marketing company|Paid marketing services | ppc service providers

    ReplyDelete
  25. yaduSeptember 7, 2021 at 8:01 PM

    QuikieApps is the best flutter app development company with trustable services. We assure you faster delivery of new customized applications and contextual solutions using Flutter app development. Our company has a well experienced talented veteran team of flutter developers having adequate knowledge on Dart. Combining knowledge with adequate skill we provide you the best functionally rich flutter app development services and solution. We effortlessly try to convert your dream application comes true with assured quality services from our flutter developer team.

    ReplyDelete
  26. video interview platformDecember 29, 2021 at 5:24 PM

    The birbal video interview platform is one of the few mobile-friendly tools on the market. This software allows candidates to record their video responses on their smartphones and tablets. This software also uses AI to analyze non-verbal cues like facial expressions, eye movements, and voice nuances. This helps the interviewer make meaningful assessments at the end of the interview.

    video interview software

    ReplyDelete
  27. flutter development companyJanuary 18, 2022 at 10:00 AM

    CronJ, a flutter development company, can provide you with a flutter app developer, coder, programmer, architect, and engineer mentor. We offer flutter app development services to startups and enterprises all over the world, including the United States, the United Kingdom, Singapore, and Hong Kong.

    ReplyDelete
  28. Reactjs development companyJanuary 27, 2022 at 6:25 PM

    React is a JavaScript library built and maintained by Facebook and is beneficial in the creation of scalable front-end applications. Since its imposition in the digital sphere, React has developed quite a following. According to Stack Overflow’s Research, React is the most popular web framework. Today React JS for web development has been adopted by more than 200 companies. Its credibility has been vouched for by industry giants such as Apple, Netflix, and Paypal.
    react web development

    ReplyDelete
  29. hire react developerFebruary 9, 2022 at 4:08 PM

    React developer hiring you must have a fair amount of software development knowledge, without which you cannot access the competency of a professional developer. However, if you are a non -technical executive, then you can follow our comprehensive guide on how to hire react developer who could meet your end-to-end business requirements.

    ReplyDelete
  30. solidity developersMarch 3, 2022 at 10:30 AM

    When it comes to hiring solidity developers, you need to look deeper than resumes and profiles. If you are absolutely new to hiring Solidity Developers, then these resources can help you out and make the process a lot easier.

    ReplyDelete
  31. AnonymousApril 7, 2022 at 11:17 AM

    With React Agency's high-quality and cost-effective services, your vision of web and mobile app development can be furthered to innovation!react js agency

    ReplyDelete
  32. AnonymousMay 25, 2022 at 4:17 PM

    Thanks for giving such information, I read many blogs but did not get such information. I have also written something about Benefits Of Node.Js For Startups, must read it once Advantages Of Node.Js For Startups In 2022

    ReplyDelete
  33. IPL is the most popular and most watched cricket tournament in India. So, If you want to Play IPL Online Betting? Then, come to Fun88. Fun88 is an IPL Online Betting site that offers the best odds forMay 26, 2022 at 4:28 PM

    This information about node will be very useful to me, thank you for giving such informationHire Node js Development Company

    ReplyDelete
  34. AnonymousMay 27, 2022 at 12:57 PM

    Nice way to deer node js developer rest i have also told one wayHire Node js Development Company in India

    ReplyDelete
  35. AnonymousMay 27, 2022 at 1:03 PM

    Thanks for giving such information but in my list also India's best development company Top Development company in India

    ReplyDelete
  36. Best Dedicated Laravel DeveloperJune 13, 2022 at 12:24 PM

    I have read many articles and read many blogs, but such information is available to be read somewhere, thanks and I have also written something, must read it once.Outsource node js developer in India

    ReplyDelete
  37. AnonymousJune 22, 2022 at 6:24 PM

    Thanks for giving such full information, not everyone has such information, I have also written something, that must read Custom Web Solution Development

    ReplyDelete
  38. AnonymousJune 28, 2022 at 12:29 PM

    Thanks for sharing such great information that too about Outsource node js developer in India

    ReplyDelete
  39. AnonymousJune 29, 2022 at 11:23 AM

    Thanks for giving such full information, not everyone has such information, I have also written something, that must read Outsourcing software development company in India

    ReplyDelete
  40. AnonymousJune 30, 2022 at 6:11 PM

    Thanks for giving such great information, I have kept you a follower because your information is different. Hire outsourcing node.js developer

    ReplyDelete
  41. AnonymousJuly 4, 2022 at 1:33 PM

    Great information nice to read your post. Hire outsourcing node.js developer India

    ReplyDelete
  42. AnonymousJuly 4, 2022 at 1:41 PM

    Great information nice to read your post. Outsource node js developer in India

    ReplyDelete
  43. Best Dedicated Laravel DeveloperJuly 5, 2022 at 2:34 PM

    Your information is commendable. Thanks. Now I know-how. Hire outsourcing node.js developer India

    ReplyDelete
  44. AnonymousJuly 5, 2022 at 2:42 PM

    Your information is commendable. Thanks. Now I know-how. Outsourcing node.js developer India

    ReplyDelete
  45. artisanamiJuly 8, 2022 at 12:53 PM

    Thanks a lot for sharing the great piece of the information with us. i really enjoyed this blog for react native application developers remote hiring . I would surely refer to the steps to find an ideal React Native Application Developers Remote Hiring.We are react native developers remote hiring and we develop online react native development application.

    ReplyDelete
  46. AnonymousAugust 8, 2022 at 1:29 PM

    I read many blogs but hardly got information like yours. thanks for giving information about Outsource node js developer in India

    ReplyDelete
  47. AnonymousAugust 8, 2022 at 1:32 PM

    I read many blogs but hardly got information like yours. thanks for giving information about Hire outsource node js developer

    ReplyDelete
  48. ทดลอง เล่น สล็อต PG SLOTJanuary 8, 2023 at 5:15 PM

    ทดลอง เล่น สล็อต PG SLOT ทดลองเล่นฟรีไม่ต้องสมัครก็สามารถเล่นได้ไม่จำกัดวงเงินปั่นรัวๆได้ กับเว็บ สล็อตออนไลน์ PG-SLOT.GAME ที่นำเกมสล็อตจากค่าย PG SLOT มารวมไว้ในที่เดียว

    ReplyDelete
  49. pg slot (หน้าหลัก)January 8, 2023 at 5:30 PM

    โปรโมชั่น pg slot มากมาย เล่นง่ายจ่ายจริง แตกจริง ต้อง PG-สล็อต เท่านั้น! เล่นสล็อต พีจีสล็อต เว็บไซต์ตรงผู้ให้บริการเกมสล็อตออนไลน์ชั้นหนึ่ง ทกลอง เล่น ฟรี พร้อมโบนัส

    ReplyDelete
  50. hire dot NET developerJanuary 24, 2023 at 3:07 PM

    Create your own skill-bearing and experienced technical team today! Hire dot NET developers vetted by AI at the least possible cost worldwide.

    ReplyDelete
  51. AnonymousApril 27, 2023 at 1:09 PM


    WhyDonate is één van de populairste crowdfunding platforms van alle Europese landen en de Verenigde Staten
    WhyDonate is niet alleen geschikt voor het opzetten van fondsenwervende campagnes, maar bevat ook vele actieve fondsenwervers waaraan men kan doneren.
    Top 10 crowdfunding platforms in België

    Crowdfunding Platfoarm

    ReplyDelete
  52. pg slotMarch 1, 2024 at 2:38 PM

    เว็บ ตรง สล็อต สล็อต เว็บ ตรง pg slot pg slot ค่ายเกมสล็อตออนไลน์ที่กำลังเป็นที่นิยมจากนักเล่นพนันทั้งโลก ด้วยประสิทธิภาพของตัวเกมที่ตามมาตรฐานตามระดับสากล ก็เลยมีความปลอดภัยสูง PG SLOT ทั้งยังในหัวข้อการจัดเก็บข้อมูลของผู้รับและก็ประเด็น

    ReplyDelete

Subscribe to: Post Comments (Atom)