node.js - How can I safely interpolate with Node.js?
Problem description
I'm looking for a way to safely interpolate. What I want to do is as follows:
They have type schemas for my business objects and I make them perform database operations correctly with these schemas. But the problem is that a security hole occurs when interpolating. How can I solve this problem? Do you have a better idea?
https://replit.com/@aarican/Interpolate
```javascript
class Utils {
  // Compiles the template string as JavaScript, so any expression in it is executed.
  static interpolate(template, scope) {
    return (new Function(Object.keys(scope), "return " + template))(...Object.values(scope));
  }
}

const docTypeJSON = {
  name: 'user',
  displayName: '$doc.firstName + " " + $doc.lastName',
  properties: [
    {
      name: 'firstName',
      type: 'string'
    },
    {
      name: 'lastName',
      type: 'string'
    }
  ]
}

const doc = {
  firstName: 'Ayhan',
  lastName: 'ARICAN',
  get displayName () {
    return Utils.interpolate(docTypeJSON.displayName, { $doc: this }).toString()
  }
}

console.log(doc.displayName)

// The security hole: the schema value is code rather than a display expression.
docTypeJSON.displayName = 'require("child_process").execSync("ls -la")'
console.log(doc.displayName)
```
Solution
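One way to close the hole, as an added example that is not part of the original post or an answer from the page: parse the template with a small fixed grammar (quoted strings, `$name.prop` paths, `+`) instead of compiling it with `new Function`. The names `tokenize`, `resolve` and `safeInterpolate` are hypothetical, and the sample document is constructed.

```javascript
// Added example (hypothetical names): evaluates only  term ('+' term)*
// where a term is a quoted string without escapes or a $name.prop path.
const TOKEN = /\s*(?:"([^"\\]*)"|'([^'\\]*)'|(\$\w+(?:\.\w+)*)|(\+))/y;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function tokenize(template) {
  const src = template.trim();
  const tokens = [];
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const at = TOKEN.lastIndex; // a failed sticky match resets lastIndex
    const m = TOKEN.exec(src);
    if (!m) throw new SyntaxError(`Unsupported syntax at offset ${at}`);
    if (m[4]) tokens.push({ type: 'plus' });
    else if (m[3]) tokens.push({ type: 'path', value: m[3] });
    else tokens.push({ type: 'str', value: m[1] ?? m[2] });
  }
  return tokens;
}

function resolve(path, scope) {
  let value = scope;
  for (const key of path.split('.')) {
    // Own properties only: blocks constructor, __proto__ and other inherited keys.
    if (value === null || typeof value !== 'object' || !hasOwn(value, key)) {
      throw new ReferenceError(`Unknown name "${key}" in ${path}`);
    }
    value = value[key];
  }
  if (!['string', 'number', 'boolean'].includes(typeof value)) {
    throw new TypeError(`${path} is not a primitive value`);
  }
  return String(value);
}

function safeInterpolate(template, scope) {
  let out = '';
  let expectTerm = true; // terms and '+' must strictly alternate
  for (const t of tokenize(template)) {
    if (expectTerm === (t.type === 'plus')) throw new SyntaxError('Misplaced "+" or missing operator');
    if (t.type !== 'plus') out += t.type === 'str' ? t.value : resolve(t.value, scope);
    expectTerm = t.type === 'plus';
  }
  if (expectTerm) throw new SyntaxError('Template ends unexpectedly');
  return out;
}

const sampleDoc = { firstName: 'Ayhan', lastName: 'ARICAN' }; // constructed sample
console.log(safeInterpolate('$doc.firstName + " " + $doc.lastName', { $doc: sampleDoc }));
```

Templates are never executed as JavaScript here, so a schema value such as the `require(...)` string from the question fails in `tokenize` with a `SyntaxError`.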