Arguably the most dangerous thing you could ever do in XPages – let other people use your eval() in their SSJS

In this article I will discuss the power of the JavaScript method eval() and demonstrate how your inappropriate usage of such could bring down your entire organization – yeah it is THAT dangerous….

Introduction

In JavaScript the eval() method has long been known as extremely powerful and also extremely dangerous. It turns a string into an executable piece of JavaScript code.

It can turn a string into a JSON array:

var str = '[{marky: "genius"}, {brad: "blog monster"}]';
var arr = eval(str); // arr is now a real array of two objects

But it can also lead to more sinister things like XSS (cross-site scripting) attacks and other nasties – http://stackoverflow.com/questions/86513/why-is-using-the-javascript-eval-function-a-bad-idea

Well guess what – you can also use eval() in SSJS – yaaaaaaaaay

No – Boo! Big fat Boo, and it should only be allowed in specially controlled circumstances – it can only hurt innocent developers who didn’t realize the risks, or hurt innocent users who do not understand the responsibility which comes with the power.

But this would be a really cool capability

If you were able to give your users the ability to pass through some SSJS through the XPages web interface so that they could create some custom reports without having to add code to the database – that would be really nice of you, very flexible and kinda cool.

Let the user type in their own SSJS through a field on the form and then eval() the code executing it on the back end….NICE

And now you can see where this is going – suppose you either have:

  • A complete doofus working at your company
  • An extremely smart and well trained disgruntled employee

You are in for a whole world of hurt.

Who does eval() run as?

The Signer of the XPage – which means in many corporate environments that is the signer id which has the ability to run unrestricted agents on the server – so in no time at all anyone could…and it would take most of us less than an hour to write this code….

  • Go to the catalog
  • Get every database
  • Get every document in every database and download the contents
  • Delete every document in every database
  • Delete NAB users
  • Replicate these changes out to every server in the environment
  • Mess with the server settings

Yeah but Marky we can all do that anyway so why the big deal

Yes I know you have the signer id or access to insert malicious code into your own environment – but your users don’t. Let me rephrase that – they had better not otherwise your administrators need beating with sharp sticks.

The risk in reality is people hurting themselves – writing code in the browser and then evaluating it on the server – is not:

  • Developing it in a dev environment
  • Thoroughly testing it in a secure test environment
  • Rolling it out to production in a controlled and pre-planned manner

No – it is giving the power of god to your users – and frankly, some of them are idiots…

Because the code would run as the signer it also gives users the potential to access areas of the server they would not otherwise have access to – databases, Readers fields etc – that is also not good. And with this they have the power to cover their tracks as well – because, well, it was clearly the signer who made the changes, not them.

Can we do anything to protect ourselves?

Probably……

First – don’t let untrusted, untested code into your environment – you wouldn’t let a developer do it, so why let a non-developer do it?!

Then maybe, do code reviews and do not allow code to be run unless reviewed, locked and approved.
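As an added illustration (my own example, not code from the post), here is the pattern the article warns about next to a reviewed, allow-listed alternative, written in plain JavaScript so it runs anywhere; the `privileged` object is a constructed stand-in for what signer-level SSJS can reach (databases, documents).

```javascript
// Constructed stub for signer-level access: this is what user-typed code
// gets hold of when it is eval()'d on the server as the XPage signer.
const privileged = {
  deleted: 0,
  listDocs: (form) => [`doc1:${form}`, `doc2:${form}`],
  deleteAll: function () { this.deleted += 1; return "deleted"; },
};

// The pattern the post describes: a form field's text is treated as code.
// Whatever the browser sends runs with the signer's rights, not the user's.
function runReportUnsafe(userText) {
  return eval(userText); // userText can reach `privileged` directly
}

// Hardened form: reports are written, reviewed and deployed as code.
// The user picks a report *name* and supplies plain parameters, never code.
// Object.create(null) gives a map with no prototype, so names such as
// "constructor" or "__proto__" do not resolve to anything.
const reports = Object.create(null);
reports.byForm = (params) => {
  // Validate each parameter against a strict pattern before use.
  if (typeof params.form !== "string" || !/^[A-Za-z0-9_]{1,32}$/.test(params.form)) {
    throw new Error("invalid form name");
  }
  return privileged.listDocs(params.form);
};

function runReportSafe(request) {
  // request is parsed JSON, e.g. { name: "byForm", params: { form: "Invoice" } }
  if (typeof request.name !== "string" ||
      !Object.prototype.hasOwnProperty.call(reports, request.name)) {
    throw new Error("unknown report: " + request.name);
  }
  return reports[request.name](request.params || {});
}
```

The unsafe function runs anything it is given; the safe one can only ever run the two-line report its developer wrote and reviewed.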

Conclusion

This article is intentionally alarmist because I do not want to underestimate the potential risks involved. As I said, in reality you are unlikely to see any more trouble than stupid users hurting themselves.

eval(), used judiciously and in a well-controlled manner, is extremely powerful and gives developers the ability to do things that are otherwise impossible.

With using eval() comes the need for a complete understanding of the risks involved. Used incorrectly, it could destroy your environment in a manner very few other code snippets are able to.


8 thoughts on “Arguably the most dangerous thing you could ever do in XPages – let other people use your eval() in their SSJS”

  1. It’s probably better to just not use SSJS at all. This affects all number objects in all databases until a restart, for example:

    // Overrides toFixed on every number in the JVM, not just in this database
    Number.prototype.toFixed = function() {
        database.getAllDocuments().removeAll(true);
        return "instead of formatting a number, I deleted all your docs!";
    }

  2. What do I care about database signer?

    import java.security.AccessController;
    import java.security.PrivilegedExceptionAction;
    import com.ibm.domino.napi.c.NotesUtil;
    import com.ibm.domino.napi.c.xsp.XSPNative;

    // Opens a session as an arbitrary named user, regardless of who signed the XPage
    lotus.domino.Session session = AccessController.doPrivileged(new PrivilegedExceptionAction<lotus.domino.Session>() {
        public lotus.domino.Session run() throws Exception {
            long hList = NotesUtil.createUserNameList("CN=the Domino Admin/O=YourOrg");
            return XSPNative.createXPageSession("CN=the Domino Admin/O=YourOrg", hList, true, false);
        }
    });

  3. // Runs the SSJS through the EL resolver, so it executes as the current user rather than the signer
    function evalAsCurrentUser(ssjs:String, optionalComponentContext) {
        var methodBinding = facesContext.getApplication().createMethodBinding("#{javascript:" + ssjs + "}", null);
        if (optionalComponentContext) { methodBinding.setComponent(optionalComponentContext); }
        return methodBinding.invoke(facesContext, null);
    }

    Of course, there’s nothing stopping them from using sessionAsSignerWithFullAccess and then wreaking havoc.

    So yeah. eval is evil. Design your apps with enough flexibility to bring value to your users, but don’t just evaluate a String at runtime as executable code. That would be like…… um, well… that would be like precisely what the Expression Language resolver does with all SSJS. Okay, Jesse’s right: don’t use SSJS at all. 🙂

