7

Question: I'm using eval to parse a JSON return value from one of my WebMethods.

I prefer not to add jquery-json because the transfer volume is already quite large. So I parse the JSON return value with eval.
Now rumors go that this is insecure. Why ?

Nobody can modify the JSOn return value unless they hack my server, in which case I would have a much larger problem anyway.

And if they do it locally, JavaScript only executes in their browser.
So I fail to see where the problem is.

Can anybody shed some light on this, using this concrete example?

function OnWebMethodSucceeded(JSONstrWebMethodReturnValue) 
{
    var result=eval('(' + JSONstrWebMethodReturnValue + ')')
    ... // Adding result.xy to a table
}
Improve this question

2 Answers 2

Reset to default
14

The fundamental issue is that eval can run any JavaScript, not just deserialize JSON-formatted data. That's the risk when using it to process JSON from an untrusted or semi-trusted source. The frequent trick of wrapping the JSON in parentheses is not sufficient to ensure that arbitrary JavaScript isn't executed. Consider this "JSON" which really isn't:

function(){alert('Hi')})(

If you had that in a variable x and did this:

var result = eval("(" + x + ")");

...you'd see an alert -- the JavaScript ran. Security issue.

If your data is coming from a trusted source (and it sounds like it is), I wouldn't worry about it too much. That said, you might be interested in Crockford's discussion here (Crockford being the inventor of JSON and a generally-knowledgeable JavaScript person). Crockford also provides at least three public domain parsers on this page you might consider using: His json2.js parser and stringifier, which when minified is only 2.5k in size, but which still uses eval (it just takes several precautions first); his json_parse.js, which is a recursive-descent parser not using eval; and his json_parse_state.js, a state machine parser (again not using eval). So you get to pick your poison. (Shout out to Camilo Martin for pointing out those last two alternatives.)

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

It should be noted that Crockford's JSON includes two other libraries (besides the main json.js and json2.js) with different parsing modes that don't use eval. They are json_parse.js and json_parse_state.js and can be found here
Is it ok to say that whan I have no input from outer source I can safely use eval ?
@RoyiNamir: If you are in control of the string going into eval and the string will be JSON (or JSON-like), you're avoiding at least two of the major "evils" of eval (that it runs code and can have odd effects on the scope in which you call it). You're still firing up a full JavaScript parser, but FWIW I don't really see a problem with that.
4

Increasingly, JSON parsing and encoding is available natively in modern browsers, [wikipedia reference] This gives your application secure JSON functionality without needing to load an additional library.

You can test for native JSON support by doing something like this:

var native_JSON_exists = typeof window.JSON === 'object';

You should load up a JSON parsing library like Douglas Crockford's one (linked by T.J. Crowder, above) or functionality available via a framewok for browsers that don't have native support. (But you should at least use native JSON in browsers that support it, to protect users lucky enough to have modern browsers)

Bear in mind, JSON is a subset of JavaScript's syntax so strings that work in an JavaScript eval statement may not work in proper JSON parsing. You can test your JSON strings for errors using JSLint (http://www.jslint.com/).

Improve this answer

5 Comments

+1 Sadly, though, native support isn't really ready for prime time yet; too many implementation bugs (surprisingly). But it'll get there.
@Camilo: There's this one for instance. I'm sure I've heard comments from people involved in both the Prototype and jQuery libraries about others (and not just in IE). In the near term, I think I'll probably stick with either json2.js or (if I'm parsing data from an untrusted or semi-trusted source) the non-eval json_parse.js and json_parse_state.js alternatives you pointed out on Crockford's github page.
Also, since 2.8.0, Yahoo's JSON util has these nice properties: useNativeParse and useNativeStringify that can be disabled. But I still would like to think Firefox and Webkit don't mess with my JSON.
@Camilo: And yet: bugzilla.mozilla.org/show_bug.cgi?id=509184 Mind you, that's a bug in the stringifier, but still.
@T.J. Crowder I can imagine the frustration of going nuts looking for a bug in a script when it's a JSON processing issue. That's not where I'd expect a bug. In those times, being able to simply use a libraries' safe implementation is vital.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.