Applied Patching

Overview

The web application was relatively securely coded, except for the eval injection vulnerability. We'll provide:

Alternative approaches
Extra security measures
Specific code patches

Recommendations Summary

Priority

Recommendation

Replace eval with function callback

If eval required, use safe-eval (with caution)

Always sanitize user input

Always validate user input

Alternative 1: Function Callback (Recommended)

The Problem

function validateString(input, onError) {
  if (...) {
    eval(onError);  // ← User input reaches eval
  }
}

The Solution

Use onError as a function instead of string:

function validateString(input, onError) {
  if (...) {
    onError();  // ← Execute function, not string
  }
}

Updated generateQR Call

!validateString(text, function () {
  throw {
    message:
      role === "admin"
        ? `The input "${text}" contains the following invalid characters: [${text.match(
            /['"`;]/g
          )}]`
        : "Invalid input",
    statusCode: 403,
  };
});

Why This Works

User input stays within message string
No code evaluation occurs
Same functionality maintained

Alternative 2: safe-eval (Use with Caution)

Installation

npm install safe-eval -S

Warning: Known Vulnerabilities!

$ npm audit

safe-eval  *
Severity: critical
- Sandbox Breakout / Arbitrary Code Execution
- Prototype Pollution vulnerabilities
- Sandbox Bypass due to improper input sanitization
No fix available

Recommendation

⚠️ Avoid eval whenever possible!

Only use safe-eval when:

eval is absolutely required
Combined with other security measures
Risk is understood and accepted

Extra Security: Sanitization

Option 1: Third-Party Package

Add middleware in routes/service-routes.js:

router.use(verifyToken);
router.use(require("sanitize").middleware);
router.post("/generate", generateQR);

Use in controller:

const text = req.bodyString("text");

Option 2: Manual Sanitization (Recommended)

const sanitizedText = text.replace(/['"`;]/g, "");

Comparison

Method

Pros

Cons

Package

More comprehensive

Dependency overhead

Manual

Simple, no deps

Limited to specific chars

Recommendation: Use manual for this app (specific, simple requirement).

Extra Security: Validation

Why Packages Are Better

Validation requires thorough understanding
Multiple input types need different rules
Built-in patterns reduce errors
Maintained by security experts

Using Yup

Install:

npm install yup

Basic Schema:

const yup = require('yup');

let schema = yup
  .string()
  .required()
  .matches(/^[^"';`]*$/);

schema.validateSync(text);

With Role-Based Error Messages

let schema = yup
  .string()
  .required()
  .matches(/^[^"';`]*$/, role === "admin" ? null : "Invalid input");

schema.validateSync(text);

Replace validateEmail

Before:

function validateEmail(email) {
  return String(email)
    .toLowerCase()
    .match(/^...regex...$/);
}

After:

const validateEmail = (email) => {
  const schema = yup.string().email().required();
  return schema.isValidSync(email);
};

Complete Patch Summary

1. Replace eval with function

// Before
eval(onError);

// After
onError();

2. Update validateString calls

// Before
validateString(text, `throw({message: '...'})`)

// After
validateString(text, function() {
  throw { message: '...', statusCode: 403 };
})

3. Add input sanitization

const sanitizedText = text.replace(/['"`;]/g, "");

4. Add input validation

const yup = require('yup');

const schema = yup.string().required().matches(/^[^"';`]*$/);
schema.validateSync(sanitizedText);

Patched service-controllers.js

const yup = require('yup');
const QRCode = require('qrcode');

function validateString(input, onError) {
  // Input validation with Yup
  const schema = yup.string().required().matches(/^[^"';`]*$/);
  
  try {
    schema.validateSync(input);
    return true;
  } catch (e) {
    onError();  // Execute function instead of eval
    return false;
  }
}

async function generateQR(req, res, next) {
  const text = req.body.text;
  const role = req.user?.role;
  
  // Sanitize input
  const sanitizedText = text?.replace(/['"`;]/g, "") || "";

  try {
    if (!validateString(sanitizedText, function() {
      throw {
        message: role === "admin" 
          ? `Invalid characters in input`
          : "Invalid input",
        statusCode: 403,
      };
    })) {
      return;
    }

    const qr = await QRCode.toDataURL(sanitizedText);
    return res.send(`<img src="${qr}" alt="QR Code" />`);
  } catch (e) {
    if (e.statusCode === 403) {
      return next(e);
    }
    return next({
      message: "Could not generate QR code.",
      statusCode: 500,
    });
  }
}

module.exports = { generateQR };

Verification Steps

1. Re-run PoC Exploit

python3 poc.py

> ls
[-] Error: Exploit failed

2. Test Normal Functionality

# Valid input
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d '{"text": "hello world"}' \
  http://localhost:5000/api/service/generate

# Should return QR code

3. Test Validation

# Invalid input (contains banned char)
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d '{"text": "test;injection"}' \
  http://localhost:5000/api/service/generate

# Should return error
{"message":"Invalid input","statusCode":403}

Secure Coding Tips

General

Tip

Description

Avoid eval()

Use safer alternatives

Validate all input

Server-side, always

Sanitize all input

Remove unwanted chars

Use typed functions

Functions over strings

Use security packages

yup, validator, helmet

JavaScript Specific

// ❌ Bad
eval(userInput)
new Function(userInput)
setTimeout(userInput, 1000)

// ✅ Good
JSON.parse(userInput)  // For JSON
userInput.callback()   // For functions

npm Security

# Check for vulnerabilities
npm audit

# Fix automatically (when possible)
npm audit fix

# Update to latest
npm update

Checklist

Patching

Verification

PoC exploit no longer works
Normal functionality preserved
Invalid input properly rejected
npm audit shows no critical issues

Documentation

Patches documented with code samples
Verification steps provided
Secure coding tips included

PreviousExploit Development NextModern Web Exploitation

Last updated 1 month ago

hashtagOverview

hashtagRecommendations Summary

hashtagAlternative 1: Function Callback (Recommended)

hashtagThe Problem

hashtagThe Solution

hashtagUpdated generateQR Call

hashtagWhy This Works

hashtagAlternative 2: safe-eval (Use with Caution)

hashtagInstallation

hashtagWarning: Known Vulnerabilities!

hashtagRecommendation

hashtagExtra Security: Sanitization

hashtagOption 1: Third-Party Package

hashtagOption 2: Manual Sanitization (Recommended)

hashtagComparison

hashtagExtra Security: Validation

hashtagWhy Packages Are Better

hashtagUsing Yup

hashtagWith Role-Based Error Messages

hashtagReplace validateEmail

hashtagComplete Patch Summary

hashtag1. Replace eval with function

hashtag2. Update validateString calls

hashtag3. Add input sanitization

hashtag4. Add input validation

hashtagPatched service-controllers.js

hashtagVerification Steps

hashtag1. Re-run PoC Exploit

hashtag2. Test Normal Functionality

hashtag3. Test Validation

hashtagSecure Coding Tips

hashtagGeneral

hashtagJavaScript Specific

hashtagnpm Security

hashtagChecklist

hashtagPatching

hashtagVerification

hashtagDocumentation

Overview

Recommendations Summary

Alternative 1: Function Callback (Recommended)

The Problem

The Solution

Updated generateQR Call

Why This Works

Alternative 2: safe-eval (Use with Caution)

Installation

Warning: Known Vulnerabilities!

Recommendation

Extra Security: Sanitization

Option 1: Third-Party Package

Option 2: Manual Sanitization (Recommended)

Comparison

Extra Security: Validation

Why Packages Are Better

Using Yup

With Role-Based Error Messages

Replace validateEmail

Complete Patch Summary

1. Replace eval with function

2. Update validateString calls

3. Add input sanitization

4. Add input validation

Patched service-controllers.js

Verification Steps

1. Re-run PoC Exploit

2. Test Normal Functionality

3. Test Validation

Secure Coding Tips

General

JavaScript Specific

npm Security

Checklist

Patching

Verification

Documentation