Applied Patching

Overview

The web application was relatively securely coded, except for the eval injection vulnerability. We'll provide:

1. Alternative approaches

2. Extra security measures

3. Specific code patches

---

Recommendations Summary

Priority	Recommendation
1	Replace eval with function callback
2	If eval required, use safe-eval (with caution)
3	Always sanitize user input
4	Always validate user input

---

Alternative 1: Function Callback (Recommended)

The Problem

function validateString(input, onError) {
  if (...) {
    eval(onError);  // ← User input reaches eval
  }
}

The Solution

Use onError as a function instead of string:

function validateString(input, onError) {
  if (...) {
    onError();  // ← Execute function, not string
  }
}

Updated generateQR Call

!validateString(text, function () {
  throw {
    message:
      role === "admin"
        ? `The input "${text}" contains the following invalid characters: [${text.match(
            /['"`;]/g
          )}]`
        : "Invalid input",
    statusCode: 403,
  };
});

Why This Works

• User input stays within message string

• No code evaluation occurs

• Same functionality maintained

---

Alternative 2: safe-eval (Use with Caution)

Installation

npm install safe-eval -S

Warning: Known Vulnerabilities!

$ npm audit

safe-eval  *
Severity: critical
- Sandbox Breakout / Arbitrary Code Execution
- Prototype Pollution vulnerabilities
- Sandbox Bypass due to improper input sanitization
No fix available

Recommendation

⚠️ Avoid eval whenever possible!

Only use safe-eval when:

• eval is absolutely required

• Combined with other security measures

• Risk is understood and accepted

---

Extra Security: Sanitization

Option 1: Third-Party Package

Add middleware in routes/service-routes.js:

router.use(verifyToken);
router.use(require("sanitize").middleware);
router.post("/generate", generateQR);

Use in controller:

const text = req.bodyString("text");

Option 2: Manual Sanitization (Recommended)

const sanitizedText = text.replace(/['"`;]/g, "");

Comparison

Method	Pros	Cons
Package	More comprehensive	Dependency overhead
Manual	Simple, no deps	Limited to specific chars

Recommendation: Use manual for this app (specific, simple requirement).

---

Extra Security: Validation

Why Packages Are Better

• Validation requires thorough understanding

• Multiple input types need different rules

• Built-in patterns reduce errors

• Maintained by security experts

Using Yup

Install:

npm install yup

Basic Schema:

const yup = require('yup');

let schema = yup
  .string()
  .required()
  .matches(/^[^"';`]*$/);

schema.validateSync(text);

With Role-Based Error Messages

let schema = yup
  .string()
  .required()
  .matches(/^[^"';`]*$/, role === "admin" ? null : "Invalid input");

schema.validateSync(text);

Replace validateEmail

Before:

function validateEmail(email) {
  return String(email)
    .toLowerCase()
    .match(/^...regex...$/);
}

After:

const validateEmail = (email) => {
  const schema = yup.string().email().required();
  return schema.isValidSync(email);
};

---

Complete Patch Summary

1. Replace eval with function

// Before
eval(onError);

// After
onError();

2. Update validateString calls

// Before
validateString(text, `throw({message: '...'})`)

// After
validateString(text, function() {
  throw { message: '...', statusCode: 403 };
})

3. Add input sanitization

const sanitizedText = text.replace(/['"`;]/g, "");

4. Add input validation

const yup = require('yup');

const schema = yup.string().required().matches(/^[^"';`]*$/);
schema.validateSync(sanitizedText);

---

Patched service-controllers.js

const yup = require('yup');
const QRCode = require('qrcode');

function validateString(input, onError) {
  // Input validation with Yup
  const schema = yup.string().required().matches(/^[^"';`]*$/);
  
  try {
    schema.validateSync(input);
    return true;
  } catch (e) {
    onError();  // Execute function instead of eval
    return false;
  }
}

async function generateQR(req, res, next) {
  const text = req.body.text;
  const role = req.user?.role;
  
  // Sanitize input
  const sanitizedText = text?.replace(/['"`;]/g, "") || "";

  try {
    if (!validateString(sanitizedText, function() {
      throw {
        message: role === "admin" 
          ? `Invalid characters in input`
          : "Invalid input",
        statusCode: 403,
      };
    })) {
      return;
    }

    const qr = await QRCode.toDataURL(sanitizedText);
    return res.send(`<img src="${qr}" alt="QR Code" />`);
  } catch (e) {
    if (e.statusCode === 403) {
      return next(e);
    }
    return next({
      message: "Could not generate QR code.",
      statusCode: 500,
    });
  }
}

module.exports = { generateQR };

---

Verification Steps

1. Re-run PoC Exploit

python3 poc.py

> ls
[-] Error: Exploit failed

2. Test Normal Functionality

# Valid input
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d '{"text": "hello world"}' \
  http://localhost:5000/api/service/generate

# Should return QR code

3. Test Validation

# Invalid input (contains banned char)
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d '{"text": "test;injection"}' \
  http://localhost:5000/api/service/generate

# Should return error
{"message":"Invalid input","statusCode":403}

---

Secure Coding Tips

General

Tip	Description
Avoid eval()	Use safer alternatives
Validate all input	Server-side, always
Sanitize all input	Remove unwanted chars
Use typed functions	Functions over strings
Use security packages	yup, validator, helmet

JavaScript Specific

// ❌ Bad
eval(userInput)
new Function(userInput)
setTimeout(userInput, 1000)

// ✅ Good
JSON.parse(userInput)  // For JSON
userInput.callback()   // For functions

npm Security

# Check for vulnerabilities
npm audit

# Fix automatically (when possible)
npm audit fix

# Update to latest
npm update

---

Checklist

Patching

• Replace eval with function callback

• Update all validateString calls

• Add input sanitization

• Add input validation with Yup

• Remove vulnerable dependencies

Verification

• PoC exploit no longer works

• Normal functionality preserved

• Invalid input properly rejected

• npm audit shows no critical issues

Documentation

• Patches documented with code samples

• Verification steps provided

• Secure coding tips included