Security Consequences of using Eval in a Simple Browser Game

Discussion in 'Javascript/Plugin Support' started by Tsukihime, Oct 21, 2015.

  1. Zeriab

    Zeriab Huggins! Veteran

    Messages:
    1,200
    Likes Received:
    1,253
    First Language:
    English
    Primarily Uses:
    RMXP
    I don't get it. Why would eval be particularly dangerous when working with untainted strings?

    Are there some elevated-privilege exploits or something like that when using eval? Otherwise, couldn't the game dev just as easily wreak whatever havoc you are talking about with code not using eval?

    Of course, you should not evaluate any tainted strings.

    *hugs*

     - Zeriab
     
    #21
    Harold Ållaberg likes this.
  2. Shaz

    Shaz Veteran Veteran

    Messages:
    37,533
    Likes Received:
    11,252
    Location:
    Australia
    First Language:
    English
    Primarily Uses:
    RMMV
    Sorry - not your topic, you don't get to do that.


    Every question that you listed as "off topic" is very much ON topic, from what I can see - asking about the risks of using eval. If you don't like where the conversation is headed, you don't have to take part in it, but it's not your thread. You can ask until you're blue in the face for people to read the documentation, but accept that it's not going to happen - we've been asking people to do that with the forum rules and pinned threads in each area for 3 years, and we're still asking. ;)
     
    Last edited by a moderator: Oct 21, 2015
    #22
  3. Dr.Yami

    Dr.Yami 。◕‿◕。 Developer

    Messages:
    994
    Likes Received:
    736
    Location:
    Finland
    First Language:
    Vietnamese
    Primarily Uses:
    Other
    @DarknessFalls:

    I still don't see any problem with eval when there is no input from the user to the server, and no interaction between users.

    For the RESTful API you mentioned, even a child can get the token and send the request to the server WITHOUT eval or the developer tools (console). The most critical security problem of eval on the client side is the Cross-Site Scripting attack (XSS), which requires interaction among users. Furthermore, eval is mostly used in configuration, which is hard-coded and not editable even with eval, so why should we think about the security problem there?

    And for .call, I don't think it's complex. I have worked with Lua before, and .call in JavaScript is the same as in Lua if we try to make something object-oriented. You see .call as complex, but I don't. Basically, I don't even see JS as a traditional object-oriented programming language. Do not force something from another language onto JavaScript, since it's a different kind of language.

    For the server side, I don't use eval because it's hard to debug, slow and might have much more critical problems. And FYI, the code base of RMMV is not suitable for an online game (where there is interaction between client and server and among users), so I don't care much about the server in this situation.

    Have fun ~

    Yami.
     
    #23
    Zeriab and Harold Ållaberg like this.
  4. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    You can intercept JavaScript calls, especially with eval, and then change the outcome.

     
    Last edited by a moderator: Oct 21, 2015
    #24
  5. Andar

    Andar Veteran Veteran

    Messages:
    28,304
    Likes Received:
    6,431
    Location:
    Germany
    First Language:
    German
    Primarily Uses:
    RMMV
    "You", as the developer, can cause malicious code in any way you want. You do not need eval to cause any harm.
    From what we have seen so far, it looks as if the game is executed client-side, only downloading resources from the server. Which means that any user input is also executed only client-sided, and the user doesn't need eval to harm his own computer either.


    And unless the coding is strange, there should be no way to intercept eval if it is purely executed client-sided and never goes to the server.


    The only way how the use of eval can be used to cause harm to others is if it is executed server-sided - which (as far as I know) shouldn't happen unless you as the developer includes some scripts that change the engine behaviour.


    Of course that is possible, but then the developer of the plugin/script has to take care to keep eval secure (or use alternatives), that cannot be the responsibility of the default engine.


    Yes, the assumption that the game runs client-sided is not yet confirmed - but neither is the assumption that the engine runs on the server, and without running eval on the server I fail to see how it could cause any harm that any user or developer couldn't do in a better way without the use of eval.
     
    #25
    Dr.Yami and Harold Ållaberg like this.
  6. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    I suppose your argument is valid assuming you don't have any external resources, external code or anything else. I am thinking more of the web applications and services that I am used to building. So your point is valid assuming you do NOTHING else other than client side, that is, export the game for HTML5, upload it and do NOTHING else other than what's required to get the game to actually work.

    Again, I come from web development, so all this eval jazz is a HUGE no-no.
     
    #26
  7. Andar

    Andar Veteran Veteran

    Messages:
    28,304
    Likes Received:
    6,431
    Location:
    Germany
    First Language:
    German
    Primarily Uses:
    RMMV
    Yes, I agree - in server-based applications functions like Eval can cause a lot of problems. Which is why I specially excluded plugins written for server-sided access from my point - anyone writing a multiplayer plugin will have to take care of that problem.

    But this is a community that focuses on client-sided gaming and a lot of the users here are hobby developers that will never reach a level where they're working server-sided.

    And in such a case we need to specify the differences, and not make a general accusation against eval - that might cause rumors among people who don't understand what we're talking about. Because I think 80% of the readers here don't even know what eval is and what we're talking about, and they would only understand "something in RMMV can damage my computer" - which is simply wrong.
     
    Last edited by a moderator: Oct 22, 2015
    #27
  8. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    I wasn't intending to say that it can; it's stupid to think it can. It can however harm your server should you be doing an "MMO" using this whole concept, because eval in that instance is more dangerous than what 99.9% of people here use RM for. For the use case of the community, use eval. However, be careful of the complexities it adds and make sure to document your code.
     
    #28
  9. Tsukihime

    Tsukihime Veteran Veteran

    Messages:
    8,230
    Likes Received:
    3,060
    Location:
    Toronto
    First Language:
    English
    Perhaps there should be a separate topic discussing the use of eval in an environment where there is a server involved, as that is likely going to be a popular use case pretty quickly.


    Even in the previous makers, people wanted to implement online functionality such as leaderboards and achievement systems on some website. With xhr natively supported in MV, there should be discussion on best practices given that MV uses eval in its core engine.

    Most hobby developers probably will never reach a level where they can implement real-time strategy or tactical battle systems. However, because we have a large scripting community, those things can be provided without them having to learn it on their own.


    Which is one of the main selling points of RPG Maker.


    And building on this notion, scripters will provide tools that will allow even the hobbiest of hobby developers to build intricate online systems WITHOUT having to do much work beyond reading the documentation and perhaps getting a credit card.


    So while historically this hasn't really been an issue, I'm sure it will become a big deal once MV becomes more mainstream.
     
    #29
  10. Nelderson

    Nelderson Coding Bitch Veteran

    Messages:
    164
    Likes Received:
    162
    Location:
    Rhode Island
    First Language:
    English
    Primarily Uses:
    RMMV
    I'm actually going to use the client/server model for my game as it's not a traditional rpg and it certainly won't be a mmorpg :p  .  See concept here:

    http://contest.gamedevfort.com/submission/662#.VifeaxCrSog

    Built a small little event loop with node.js and socket.io....pretty easy to get the hang of, considering I've done zero network or web development/programming.  But security is a HUGE hurdle for someone like me.  I'm glad we are getting questions like this out here, and I would love for people to throw documentation my way to read.

    Thanks.

    (....now resume your previous rants :) )
     
    #30
  11. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    The MDN Documentation on eval is a good place to look, hell even just MDN is an excellent resource.
     
    #31
  12. Shaz

    Shaz Veteran Veteran

    Messages:
    37,533
    Likes Received:
    11,252
    Location:
    Australia
    First Language:
    English
    Primarily Uses:
    RMMV
    Maybe you should give an example or two to make it easier to comprehend.


    Let's say I'm putting a game on my server, and I want to have a leaderboard, so there's going to be some updating from client to server of high scores. If, apart from that plugin, I have NO other plugins, there is ONE place where we all know eval is used - in a damage formula. Can you give an example of how someone could do damage to the server, or to the client, through the damage formula's eval? How could they access what's currently about to be passed in to the command in order to change it from what the dev put in there?
     
    #32
  13. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    Injection attacks are one thing. So let's say you are evaluating some code on the client that gets sent to the server; for damage formulas this isn't an issue, because typically you would do all the calculations and damage jazz client side and send the resulting data back to the server at the end of the battle or what have you.

    But let's say you want to do something like: enemy hits, player's HP is updated on the server (or something like that).

    I can inject code into your eval statement at the right moment so that when you evaluate your JavaScript I can evaluate some of my own as well. eval will evaluate whatever code is passed at the program's permission level; that is, whoever has permission to run the code is what eval will use. So if you have some code that sets values all the time, I can sneak my stuff in there and it will also execute. Let's say you're sending some data back to the server; OK, well, while you're there (here's my code) get me the Visa numbers from your database and console.log them to my screen.

    Now, after doing some reading, eval is also bad because when you are debugging you don't get line numbers in stack traces, so if an error is thrown and it's code being evaluated, I won't know where to look for the error.

    eval also uses more memory than other ways. The main concern here is passing user input directly into eval, because that's when I can latch on to whatever you're doing and execute my own code to, say, get your Visa cards, look inside your database or do whatever else. This is called code injection.

    eval is also like goto: code debugging and maintenance become a nightmare when inexperienced developers use it all willy-nilly.

    So to reiterate:

    - Code Injection via user input

    - Code maintainability and debugging

    - Reduces the confidence of security (again with user input)

    - Performance issues can arise

    Here is a good example, not so much a security issue but a scripter's nightmare:

    // Lets say you have a function:
    function messageForPlayers(messageForPlayer) {
        eval(messageForPlayer);
    }
    var helloThere = messageForPlayers('Hello Player :D');

    // So how does it get bad?
    var helloThere = messageForPlayers('function hahahaIamEvil() { ... }');
    // Uh oh ...

    // So how do we "fix this" - scope to the rescue:
    function messageForPlayers(messageForPlayer) {
        (function() {
            eval(messageForPlayer);
        })();
    }
    // Now it's safe for the outer user because of the concept of scope.

    So what have we learned? Code injection === bad, scopes can help, performance is a nightmare, debuggability and code readability become a nightmare.
     
    Last edited by a moderator: Oct 22, 2015
    #33
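An added example, written for this page and not taken from post #33 above, showing what wrapping eval in an inner function does contain (declarations made by the evaluated string) and what it does not (the wrapper's own locals and the global object). It also contrasts direct eval with indirect eval, which runs in global scope. The names runMessageInScope, runMessageIsolated, localSecret and globalThis.marker are invented here; it runs as-is under Node.

```javascript
// Added example: scope and eval. All names below are invented for this page.

function runMessageInScope(message) {
  const localSecret = 'session-token-123'; // a local the wrapper happens to hold
  // Direct eval runs on the calling function's scope chain: declarations made
  // by the evaluated string stay inside the inner function, but the string can
  // still read localSecret and reach globalThis.
  return (function () { return eval(message); })();
}

function runMessageIsolated(message) {
  const localSecret = 'session-token-123'; // kept only for the contrast below
  // Indirect eval (the (0, eval) form) runs in global scope instead: it cannot
  // see localSecret, but it still has the whole global object.
  return (0, eval)(message);
}

function demoScope() {
  const results = {};
  delete globalThis.marker;

  runMessageInScope('function hahahaIamEvil() { return 1; }');
  // The declared function did not leak into this (outer) scope.
  results.leakedDeclaration = typeof hahahaIamEvil !== 'undefined'; // false

  // But the evaluated string can read the wrapper's locals ...
  results.readsLocal = runMessageInScope('localSecret'); // 'session-token-123'

  // ... and write to the global object.
  runMessageInScope('globalThis.marker = "set by evaluated code"');
  results.touchesGlobal = globalThis.marker; // 'set by evaluated code'

  // Indirect eval cannot see the local, but it is still not a sandbox.
  try {
    runMessageIsolated('localSecret');
    results.isolatedReadsLocal = true;
  } catch (e) {
    results.isolatedReadsLocal = !(e instanceof ReferenceError); // false
  }
  results.isolatedTouchesGlobal = runMessageIsolated('typeof globalThis.marker'); // 'string'

  delete globalThis.marker;
  return results;
}
```

The inner function keeps names declared by the evaluated string out of the caller's scope, which is the part of the post's point that holds. It does not confine the evaluated code: anything reachable from the wrapper's scope chain or from the global object is reachable from the string.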
  14. Tsukihime

    Tsukihime Veteran Veteran

    Messages:
    8,230
    Likes Received:
    3,060
    Location:
    Toronto
    First Language:
    English
    If the damage formula is being evaluated and the player's HP is sent to the server, where does code injection come into play?


    The damage formula is presumably being evaluated on your own client. If the damage formula is being evaluated on the server side, you can't launch an attack to tell the server how to evaluate the formula.


    Now, if you're saying the game is set up so that the DAMAGE FORMULA was being sent to the server and the server uses that to evaluate the results...now we have a scenario where you can attack the server.
     
    Last edited by a moderator: Oct 22, 2015
    #34
    Harold Ållaberg likes this.
  15. Galenmereth

    Galenmereth I thought what I'd do was Veteran

    Messages:
    2,206
    Likes Received:
    1,911
    Location:
    Norway
    First Language:
    English
    Primarily Uses:
    RMMV
    In this instance, eval for damage formula is no more dangerous than the end user being able to open the console in the browser. It doesn't pose an extra security risk whatsoever. 

    Just to go a little off topic, what you need to consider for secure high score submission is that someone can always hijack the data transmission part unless you use a registration system with a secure session, and even then, you should never assume what is sent through is the truth. So to make your high score submission not be susceptible to fake submissions, you should instead send a log of the activity in the game that led to said high score, and have logic in place on the server side so that you can ensure that what is received is "sane" data, and calculate the score. You can't be sure that this is not user generated outside of the confines of gameplay, but you can ensure impossible scores are not sent through, and you can make it really problematic to fake scores.

    Yeah, it's quite a bit of extra work, but just sending a simple score value over will be intercepted quite easily and faked. It happens all the time, even on places like Apple's GameCenter.
     
    Last edited by a moderator: Oct 22, 2015
    #35
    Zeriab likes this.
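An added example of the approach described in the post above (server-side validation of a submitted activity log and recomputation of the score); it is written for this page and is not code from the poster or from any game. The rules, event types, point values and sample submissions are invented here, and it runs under Node.

```javascript
// Added example: the server never uses the score the client claims; it
// re-derives the score from the event log and rejects logs that break the
// game's rules. RULES and the sample logs are constructed for this page.

const RULES = {
  maxSessionMs: 30 * 60 * 1000, // a run cannot last longer than 30 minutes
  minEventGapMs: 100,           // no human produces two events within 100 ms
  maxBossKills: 1,              // there is exactly one boss per run
  points: { coin: 10, enemy: 50, boss: 500 },
};

function reject(reason) {
  return { ok: false, reason };
}

function validateAndScore(submission) {
  const events = submission && submission.events;
  if (!Array.isArray(events) || events.length === 0) return reject('empty log');
  if (!events[0] || typeof events[0].t !== 'number') return reject('bad timestamp');
  const startT = events[0].t;
  let score = 0;
  let bosses = 0;
  let prevT = -Infinity;
  for (const ev of events) {
    if (!ev || typeof ev.t !== 'number' || !Number.isFinite(ev.t)) return reject('bad timestamp');
    if (ev.t - prevT < RULES.minEventGapMs) return reject('events too fast or out of order');
    if (ev.t - startT > RULES.maxSessionMs) return reject('session too long');
    // hasOwnProperty keeps names like "constructor" or "__proto__" from scoring.
    if (!Object.prototype.hasOwnProperty.call(RULES.points, ev.type)) return reject('unknown event ' + ev.type);
    if (ev.type === 'boss' && ++bosses > RULES.maxBossKills) return reject('too many boss kills');
    score += RULES.points[ev.type];
    prevT = ev.t;
  }
  // The client's number is only compared (useful telemetry); the stored score is ours.
  return { ok: true, score, clientAgrees: submission.claimedScore === score };
}

// Constructed submissions (not real traffic): an honest run, one with an
// inflated claim, one replayed too fast, one with an impossible second boss,
// and one probing the rule table with a prototype key.
function honestLog() {
  return ['coin', 'coin', 'enemy', 'coin', 'enemy', 'boss']
    .map((type, i) => ({ t: 1000 + i * 1500, type }));
}

function demoScore() {
  return {
    honest: validateAndScore({ events: honestLog(), claimedScore: 630 }),
    inflated: validateAndScore({ events: honestLog(), claimedScore: 999999 }),
    tooFast: validateAndScore({
      events: honestLog().map((ev, i) => ({ t: 1000 + i * 10, type: ev.type })),
      claimedScore: 630,
    }),
    twoBosses: validateAndScore({ events: honestLog().concat({ t: 20000, type: 'boss' }), claimedScore: 1130 }),
    protoKey: validateAndScore({ events: [{ t: 1000, type: '__proto__' }], claimedScore: 0 }),
  };
}
```

A log can still be fabricated by someone who understands the rules, which is the limitation the post acknowledges; what the check buys is that every stored score is one the server itself computed from a log that at least could have happened.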
  16. Andar

    Andar Veteran Veteran

    Messages:
    28,304
    Likes Received:
    6,431
    Location:
    Germany
    First Language:
    German
    Primarily Uses:
    RMMV
    But is that a possibility?

    In damage formula evals the formula is set by the developer and has no regular user input.

    Is there a way how a user can get something into the eval formula if he isn't asked for input by the engine?
     
    Last edited by a moderator: Oct 22, 2015
    #36
  17. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    The biggest issues, aside from security, are readability and debugging.

    If there is user input aside from hitting A, yes; otherwise no. My examples were about user input in the form of forms. I can still code-inject by listening for that eval statement to be called and then injecting code.

    THIS IS NOT AN ISSUE 99.999999999999999999% OF THE TIME on the rpg maker  community. You are not building web applications ... 

    so we can all stop worrying about security concerns because none of us are here to make MMO's or allow users to manually input content. These are the cases where it is an issue security wise.

    So why should we not use it then?

    Because it makes reading and debugging your code 7x harder when it comes to stack traces and readability over all.

    I would also like to state:

    Because you are not building direct web applications that take in a user physically entering content, and because 99% of your games are going to be run on the desktop or Mac or iOS or Android, with the 1% being like "look at me, I'm cool, I have a website", you will NEVER EVER EVER EVER EVER EVER EVER EVER run into code injection issues.

    What you will run into is me trying to debug some script you wrote and finding eval every where, or me booting up my game with you using eval every where and finding performance drops to a snails pace.
     
    Last edited by a moderator: Oct 22, 2015
    #37
  18. Tsukihime

    Tsukihime Veteran Veteran

    Messages:
    8,230
    Likes Received:
    3,060
    Location:
    Toronto
    First Language:
    English
    You can re-compile javascript on-the-fly using browser debugger tools.


    Since the data files are being sent to the client, you could feasibly just go into them and change the formulas.


    Now when the engine runs the formula, it'll execute whatever you gave it as well.


    However, I doubt this can be used for code injection unless the damage formula is sent to the server to be evaluated.
     
    #38
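An added example for the scenario in post #38 above (a formula string from a data file the player can edit, evaluated by the engine). It is written for this page and is not RPG Maker MV's own code: evalDamageFormula reproduces the eval-with-a-b-v pattern the thread discusses, and safeDamageFormula is a small recursive-descent evaluator that accepts only arithmetic over a.<stat>, b.<stat>, v[<n>] and a short list of Math functions. The battlers, variables and both formula strings are constructed here; it runs under Node.

```javascript
// Added example: a damage formula evaluated with eval (the pattern this thread
// discusses) next to a small evaluator that accepts only arithmetic. Neither is
// RPG Maker MV's own code; battlers, formulas and variables are constructed here.
function evalDamageFormula(formula, a, b, v) {
  // Whatever string sits in the data file runs with the game's full privileges.
  try { return Math.max(eval(formula), 0); } catch (e) { return 0; }
}

const MATH_FUNCS = { max: Math.max, min: Math.min, floor: Math.floor,
  ceil: Math.ceil, round: Math.round, abs: Math.abs, sqrt: Math.sqrt };

// Tokens: numbers, identifiers and the handful of punctuation characters allowed.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/%().,\[\]]))/y;
  const out = [];
  while (re.lastIndex < src.length) {
    const at = re.lastIndex;
    const m = re.exec(src);
    if (!m) throw new SyntaxError('character not allowed in formula near: ' + src.slice(at, at + 8));
    if (m[1] !== undefined) out.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) out.push({ t: 'id', v: m[2] });
    else out.push({ t: 'op', v: m[3] });
  }
  return out;
}

// Grammar: expr := term (('+'|'-') term)*   term := unary (('*'|'/'|'%') unary)*
// unary := '-' unary | primary   primary := number | '(' expr ')' | a.stat | b.stat
//          | v[expr] | Math.fn(expr, ...)
function safeDamageFormula(formula, a, b, v) {
  const toks = tokenize(formula.trim());
  let i = 0;
  const isOp = (c) => Boolean(toks[i]) && toks[i].t === 'op' && toks[i].v === c;
  const expect = (t, c) => {
    const tok = toks[i++];
    if (!tok || tok.t !== t || (c !== undefined && tok.v !== c)) throw new SyntaxError('expected ' + (c || t));
    return tok;
  };
  const stat = (obj, name) => {
    // Only numeric properties may be read, so "constructor", "__proto__" and methods are rejected.
    const val = obj[name];
    if (typeof val !== 'number') throw new ReferenceError('unknown stat ' + name);
    return val;
  };
  function expr() {
    let x = term();
    while (isOp('+') || isOp('-')) { const op = toks[i++].v; const y = term(); x = op === '+' ? x + y : x - y; }
    return x;
  }
  function term() {
    let x = unary();
    while (isOp('*') || isOp('/') || isOp('%')) {
      const op = toks[i++].v; const y = unary();
      x = op === '*' ? x * y : op === '/' ? x / y : x % y;
    }
    return x;
  }
  function unary() { return isOp('-') ? (i++, -unary()) : primary(); }
  function primary() {
    const tok = toks[i++];
    if (!tok) throw new SyntaxError('unexpected end of formula');
    if (tok.t === 'num') return tok.v;
    if (tok.t === 'op' && tok.v === '(') { const x = expr(); expect('op', ')'); return x; }
    if (tok.t === 'id' && (tok.v === 'a' || tok.v === 'b')) { expect('op', '.'); return stat(tok.v === 'a' ? a : b, expect('id').v); }
    if (tok.t === 'id' && tok.v === 'v') { expect('op', '['); const n = expr(); expect('op', ']'); return typeof v[n] === 'number' ? v[n] : 0; }
    if (tok.t === 'id' && tok.v === 'Math') {
      expect('op', '.');
      const name = expect('id').v;
      if (!Object.prototype.hasOwnProperty.call(MATH_FUNCS, name)) throw new ReferenceError('Math.' + name + ' not allowed');
      expect('op', '(');
      const args = [expr()];
      while (isOp(',')) { i++; args.push(expr()); }
      expect('op', ')');
      return MATH_FUNCS[name](...args);
    }
    throw new SyntaxError('unexpected token ' + tok.v);
  }
  const result = expr();
  if (i !== toks.length) throw new SyntaxError('unexpected trailing input');
  return Number.isFinite(result) ? Math.max(result, 0) : 0;
}

// Constructed battlers and formulas (not from any game project).
const attacker = { atk: 40, mat: 10, hp: 300 };
const target = { def: 12, mdf: 8, hp: 200 };
const gameVars = [0, 5];
const trustedFormula = 'a.atk * 4 - b.def * 2';          // what the developer wrote
const tamperedFormula = '(b.hp = 0, 9999) + a.atk * 0';   // what a player edited into the data file

function demoFormula() {
  const r = {};
  const t1 = { ...target };
  r.trustedEval = evalDamageFormula(trustedFormula, attacker, t1, gameVars); // 136
  r.trustedSafe = safeDamageFormula(trustedFormula, attacker, t1, gameVars); // 136
  const t2 = { ...target };
  r.tamperedEval = evalDamageFormula(tamperedFormula, attacker, t2, gameVars); // 9999
  r.tamperedEvalTargetHp = t2.hp;                                              // 0: the side effect ran
  const t3 = { ...target };
  try { safeDamageFormula(tamperedFormula, attacker, t3, gameVars); r.tamperedSafe = 'evaluated'; }
  catch (e) { r.tamperedSafe = e.constructor.name; }                           // 'SyntaxError'
  r.tamperedSafeTargetHp = t3.hp;                                              // 200: untouched
  return r;
}
```

On a purely client-side game the tampered formula only affects the player's own session, which is the thread's point. The evaluator matters the moment the same formula string is ever sent to a server and evaluated there: with eval that is remote code execution, with the restricted grammar it is a rejected formula.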
  19. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    The damage formula, no. Unless you're watching for it and know how to inject on the fly. Also for performance, I'm sure RPG Maker MV web exports cache the JS, which also reduces the security threat by some.
     
    Last edited by a moderator: Oct 22, 2015
    #39
  20. lTyl

    lTyl Warper Member

    Messages:
    3
    Likes Received:
    1
    First Language:
    English
    As someone currently building a game with JavaScript, I'll chip in my thoughts. I haven't used RM in almost a decade, so I'm not sure how what I'm about to say ties in.

    In general, avoid using eval(). There are better ways to do certain tasks without having to call eval, and often a simple re-work of the code can avoid it altogether. The big issue with it is the performance hit, especially when used in tandem with an application you want to render as fast as possible ( like a game ). Here is a quick example showing a better way to serialize a string of data into JS objects we can use in our code, using JSON.parse:

    https://jsfiddle.net/L3tbt2a4/1/

    Here is a performance comparison between using JSON.parse, eval and new Function();

    https://jsperf.com/json-parse-vs-eval/6

    By doing it like this, you can generate your data from a string, then feed that data into the function call that requires it.
     
    #40
    Zeriab likes this.
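An added example serving two passages: post #23 above (eval on configuration strings, and the XSS problem once a string is tainted) and post #40 (JSON.parse and new Function as alternatives). It is written for this page and is not code from either poster. It loads the same configuration string three ways and adds a shape check after JSON.parse; the strings, CONFIG_SHAPE and all function names are constructed here, and it runs under Node.

```javascript
// Added example: loading a configuration string three ways. eval and
// new Function both execute whatever the string contains; JSON.parse only
// builds data, and a shape check afterwards keeps the result to the keys and
// types the game expects. Strings and CONFIG_SHAPE are constructed for this page.

function loadConfigEval(text) {
  return eval('(' + text + ')');
}

function loadConfigFunction(text) {
  // Often suggested as the faster alternative; it runs in global scope but
  // still executes code, so it is a performance choice, not a security one.
  return new Function('return (' + text + ');')();
}

const CONFIG_SHAPE = { volume: 'number', fullscreen: 'boolean', language: 'string' };

function loadConfigJson(text) {
  const data = JSON.parse(text); // throws SyntaxError on anything that is not JSON
  if (data === null || typeof data !== 'object' || Array.isArray(data)) throw new TypeError('config must be an object');
  const config = {};
  for (const key of Object.keys(data)) {
    // Unknown keys (including "__proto__", which JSON.parse yields as an own key) are refused.
    if (!Object.prototype.hasOwnProperty.call(CONFIG_SHAPE, key)) throw new TypeError('unexpected key ' + key);
    if (typeof data[key] !== CONFIG_SHAPE[key]) throw new TypeError('wrong type for ' + key);
    config[key] = data[key];
  }
  return config;
}

// Constructed inputs. The tainted one is what a data string looks like once an
// attacker can append to it (for example through a URL fragment or a tampered save).
const trustedText = '{"volume": 0.8, "fullscreen": false, "language": "en"}';
const taintedText = '{"volume": (function () { return 11; })(), "fullscreen": false, "language": "en"}';
const wrongShapeText = '{"volume": "loud", "debugHook": true}';

function outcome(loader, text) {
  try {
    return { value: loader(text).volume, error: null };
  } catch (e) {
    return { value: null, error: e.constructor.name };
  }
}

function demoConfig() {
  return {
    evalTrusted: outcome(loadConfigEval, trustedText),          // value 0.8
    evalTainted: outcome(loadConfigEval, taintedText),          // value 11: the function ran
    functionTainted: outcome(loadConfigFunction, taintedText),  // value 11: ran as well
    jsonTrusted: outcome(loadConfigJson, trustedText),          // value 0.8
    jsonTainted: outcome(loadConfigJson, taintedText),          // error 'SyntaxError': nothing ran
    jsonWrongShape: outcome(loadConfigJson, wrongShapeText),    // error 'TypeError'
  };
}
```

For a string the developer hard-coded, all three loaders return the same data; the difference only shows once the string can be influenced by someone else, and then JSON.parse is the only one of the three that cannot be turned into code execution.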
