node.js - Safe usage of eval() on server-sent JavaScript code

Question

I'm using Node.js and Socket.io. I've written an application which can send JavaScript snippets from the server and execute them on the client. The JavaScript is sent via Secure WebSocket (WSS), and the client has a listener which will execute any code passed to it via the server.

This short script demonstrates the principle: http://jsfiddle.net/KMURe/ and you can think of the onScript function as the socket listener.

Question

What security protocols can I put in place to make this transaction safe? Would a secure websocket channel make it difficult for a third party to act as a middle man (altering the code before it's sent to the client)?

Some Use Cases..

• Dynamically assigned distributed computation.
• Browser client can dynamically learn from the server.
• Update browser behavior in unison.

Answer 1

eval(), even if you have legit use, is just dangerous. You should avoid using it at all costs. use it with care.

However, if it's really needed, then you can use strict mode via "use strict" command. When eval() is executed in a strict function, the eval's content will not leak in the immediate scope. The code in an eval will be contained in eval() itself (as if it has it's own scope). In the demo, try removing the trailing x and eval() will return undefined.

But still, using eval() is dangerous. It's better if you find alternatives like JSON with custom string commands that will be parsed client-side.