Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move eval to parseInt #3328

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Move eval to parseInt #3328

wants to merge 4 commits into from
5 −5

Conversation

mawburn
Copy link
Sponsor Contributor

@mawburn mawburn commented Jul 11, 2024
edited
Loading

Summary

Using parseInt is preferred over eval for handling environment variables because parseInt safely converts a string to an integer without executing any code. In contrast, eval can execute arbitrary code, which poses a significant security risk if the environment variable contains malicious input. By using parseInt, we mitigate the risk of code injection attacks and ensure that only numerical values are processed.

While this isn't used in a whole lot of places and the chances of a malicious environment variable is low, it's also a significant performance boost.

Running this script:

const { performance } = require('perf_hooks')

const numStr = '12345'
const iterations = 10000000

const measureTime = (fn) => {
  const start = performance.now()
  fn()
  const end = performance.now()
  return end - start
}

const evalTest = () => {
  for (let i = 0; i < iterations; i  ) {
    eval(numStr)
  }
}

const parseIntTest = () => {
  for (let i = 0; i < iterations; i  ) {
    parseInt(numStr, 10)
  }
}

const evalTime = measureTime(evalTest)
const parseIntTime = measureTime(parseIntTest)

console.log(`eval time: ${evalTime.toFixed(2)} ms`)
console.log(`parseInt time: ${parseIntTime.toFixed(2)} ms`)
console.log(`parseInt is ${(evalTime / parseIntTime).toFixed(2)} times faster than eval`)

I get this output on my local machine (MBA M1-series first gen):

eval time: 1745.03 ms
parseInt time: 39.69 ms
parseInt is 43.97 times faster than eval

Change Type

Please delete any irrelevant options.

  • Bug fix (non-breaking change which fixes an issue)

Testing

Tests should pass as normal and no changes should be seen within the app. It should work the same, unless there were environment variable based code being injected.

Checklist

Please delete any irrelevant options.

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • Local unit tests pass with my changes

Copilot Summary

This pull request includes changes to improve the security and robustness of the codebase. The most important changes involve replacing the eval function with parseInt in several files to parse environment variables. This change improves security by avoiding the potential execution of malicious code.

Changes to environment variable parsing:

Changes to utility functions:

  • api/server/utils/math.js: Replaced eval with parseInt in the math function and updated the error message to reflect the change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@mawburn