Using PhantomJS, you can execute code in the browser by calling page.evaluate(). Do we open ourselves up to an attack vector if we allow users to specify code that is executed in this browser context? Is there any way to get out of the browser context into the PhantomJS environment, thereby executing commands on our servers?
Here is an example:
    page.open(options.url, function(status) {
        // The user-supplied condition string is eval()'d inside the page context
        var test = function() {
            return page.evaluate(function() {
                return eval({{USER JAVASCRIPT STRING}});
            });
        };
        var interval = setInterval(function() {
            if (test()) {
                clearInterval(interval);
                // condition met: take the screenshot (see the update below);
                // the output path option name is assumed, it was cut off in the original
                page.render(options.output);
            }
        }, 100); // poll interval in ms (assumed; cut off in the original)
    });
In my opinion, the eval() occurring inside page.evaluate() prevents them from escaping the context of the page that was opened. The user JavaScript string is passed as a string (it is not "compiled" into a single JavaScript file). It seems to me that this is no different from a user browsing a site with a browser and trying to hack it from his favorite JavaScript console. Therefore, this use does not present a security vulnerability. Is that correct?
Update
To give clearer information about the specific use case: the main point is that someone will go to the URL http://www.myapp.com/?url=http://anotherurl.com/&condition={{javascriptstring}}. When a worker is available, it starts a phantom instance, calls page.open on the provided URL, and then, when the condition is met, takes a screenshot of the web page. The goal of this is that on some pages, especially those with a large amount of asynchronous JavaScript, there are strange "ready" conditions that are not as simple as DOM ready or window ready. This way, the screenshot will not be taken until the JavaScript condition is true. Examples include $(".domNode").data("jQueryUIWidget").loaded == true or $(".someNode").length > 0.