Monday, February 13, 2012

NodeJS: 'with' is evil

It is a known fact that the with statement in JavaScript is evil. For a good read on why, see Douglas Crockford's post on the YUI blog.

Let's look at how this applies to server-side JavaScript. Below is a fun little app coded by a beginner that tries to be funny, although in real apps this could lead to unbelievably serious vulnerabilities.


So what went wrong here? The developer loves using with for its shorthand and thought she had referenced the property names of the welcome object correctly. It also didn't show any errors. But what her first user on the web saw was this (not that this):



So, she made a typo and ended up unintentionally modifying global variables she wasn't even aware of. Just imagine they existed in some other code base she couldn't even see. This reminds me how difficult it will be for a security guy like me to code review code that uses with.

Now, how with works is this: it tries to resolve each assigned name as a property of the given object. If found, great; if not, it walks back up through the enclosing scopes until it reaches the global scope, assigning to (actually clobbering) some other variable if there is a match. Think common names like i, x, a, name... we all grew up coding with (not that with).

In short, do not use with unless you are very sure of what you are doing. On a positive note, use of with is forbidden in ES5 strict mode.
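The clobbering described above, reproduced as an added example (this is not code from the original post; the names welcome, siteName and the typo userNmae are made up). It goes one step beyond the post by also showing that a typo matching nothing creates a brand-new global in sloppy mode, and it checks the strict-mode claim: the same typo throws there, and a with statement is a SyntaxError at parse time.

```javascript
// Added example (not from the original post); welcome, siteName and the typo userNmae are made-up names.

// Stands in for a global defined by some other code base the developer never saw.
globalThis.siteName = "Example Corp portal";

// The beginner's version, built with the Function constructor so it is compiled as
// sloppy-mode code whatever mode this file runs in (`with` is only legal there).
const greetWithWith = new Function("welcome", "user", `
  with (welcome) {
    greeting = "Welcome back";  // exists on welcome: assigned as intended
    userNmae = user;            // typo: matches nothing, so a new global is created
    siteName = user;            // not on welcome: walks up and clobbers the global
  }
`);

function renderSloppy(user) {
  const welcome = { greeting: "", userName: "" };
  greetWithWith(welcome, user);
  return {
    welcome,                            // userName is still "", and nothing warned
    siteName: globalThis.siteName,      // now holds whatever the user typed
    leakedGlobal: globalThis.userNmae,  // the typo is now a global variable
  };
}

// The fix: name the object on every assignment and run in strict mode.
function renderStrict(user) {
  "use strict";
  const welcome = { greeting: "", userName: "" };
  welcome.greeting = "Welcome back";
  welcome.userName = user;
  return welcome;
}

// In strict mode the same kind of typo throws instead of writing a global.
function strictTypoError(user) {
  "use strict";
  try {
    userNaem = user;  // typo spelled differently from above, so no global exists yet
    return null;
  } catch (e) {
    return e.name;  // "ReferenceError"
  }
}

// ES5 strict mode rejects `with` at parse time, so it cannot even be written.
function withRejectedInStrictMode() {
  try { new Function('"use strict"; with ({}) {}'); return false; }
  catch (e) { return e instanceof SyntaxError; }
}
```

Run it under node: renderSloppy("mallory") reports the untouched userName, the clobbered siteName and the leaked userNmae global, while the strict variants never touch anything outside welcome.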



53 comments:

  1. create an object and contain variables there.
    eg:

    var my_constants = {
      names : "bla bla",
      browsers : "bla bla"
    };

    So, it will become a namespace and its variables are hardly overwritten. It's one of the JS good practices as well.

    It's nothing to do with NodeJs. Learn JS first! Don't be an idiot.
    Google JS good practices.

  2. You wrongly define a global variable if you do programming this way. You will completely mess up, so first better define a namespace, whose variables are only accessible from the namespace instead of by direct access.
