Key Concepts

Review core concepts you need to learn to master this subject

Dangers of eval

Dangers and Alternatives of exec

Dangers of fs Module

Dangers of Regular Expressions

JavaScript Strict Mode

Static Code Analysis

Dangers of eval

// This user input causes an infinite loop to run
const user_input = "while(true) ;";
eval(user_input);

// This user input closes the application
const user_input = "process.exit(0)";
eval(user_input);

The eval() function in JavaScript takes a string as an argument and executes it as Javascript source code. Not only is it slow to execute, but bad actors can also inject malicious code into the input string for mischievous reasons. Thus, it’s best never to use it. If you MUST use it, only allow trusted and predetermined input through it. NEVER trust user input.

The functions, setInterval(), setTimeout(), and new Function() use eval() in their implementations, and should be used with the same caution.

Defensive Coding in JavaScript
Lesson 1 of 1
  1. 1
    Introduction
    Javascript is susceptible to all sorts of vulnerabilities, allowing bad actors to insert malicious code into Node applications and packages. Defensive programming combats these vulnerabilities, ens…
    Start
  2. 2
    The eval Function: Dangers and Alternatives
    The eval() function in JavaScript takes a string as an argument and executes it as Javascript source code. …
    Start
  3. 3
    The exec method: Dangers and Alternatives
    In this exercise, we will discuss the exec() method, its risks, and alternatives. The exec() …
    Start
  4. 4
    Dangers and Secure Use of the fs Module
    The file system, or fs, module in Node.js enables file system operations. It gives us access to methods like: - chmod() to change file permissions - mkdir() to cre…
    Start
  5. 5
    Dangers and Secure Use of Regular Expressions
    Regular Expressions are used in almost every single programming language to validate whether user input adheres to an expected condition. Attacke…
    Start
  6. 6
    Secure Your Code: Strict Mode
    Now that you have learned about some dangerous functions and regular expressions to avoid, let’s learn about some defensive tools. One of them is JavaScript’s strict mode. Using [strict mode](https…
    Start
  7. 7
    Secure Your Code: Static Code Analysis
    Static Code Analysis evaluates a code without executing it. A lint, or linter, is a static …
    Start
  8. 8
    Review
    Writing code defensively is key to securing applications from bad actors who seek to take advantage of your code. Over the course of this lesson we were introduced to some of the fundamental concep…
    Start

What you'll create

Portfolio projects that showcase your new skills

Pro Logo

How you'll master it

Stress-test your knowledge with quizzes that help commit syntax to memory

Pro Logo