We’re under attack! 23+ Node.js security best practices

This is not just a performance concern but also an important security concern due to malicious JavaScript code that may be sourced from user input. Another language feature that should be avoided is the new Function constructor. setTimeout and setInterval should never be passed dynamic JavaScript code either.

Otherwise: Malicious JavaScript code finds a way into a text passed into eval or other real-time evaluating JavaScript language functions, and will gain complete access to JavaScript permissions on the page. This vulnerability is often manifested as an XSS attack.

Read More: Avoid JavaScript eval statements

16. Prevent evil RegEx from overloading your single thread execution

TL;DR: Regular Expressions, while being handy, pose a real threat to JavaScript applications at large, and the Node.js platform in particular. A user input for text to match might require an outstanding amount of CPU cycles to process. RegEx processing might be inefficient to an extent that a single request that validates 10 words can block the entire event loop for 6 seconds and set the CPU on fire. For that reason, prefer third-party validation packages like validator.js instead of writing your own Regex patterns, or make use of safe-regex to detect vulnerable regex patterns.

Otherwise: Poorly written regexes could be susceptible to Regular Expression DoS attacks that will block the event loop completely. For example, the popular moment package was found vulnerable with malicious RegEx usage in November of 2017.

Read More: Prevent malicious RegEx

17. Avoid module loading using a variable

TL;DR: Avoid requiring/importing another file with a path that was given as parameter due to the concern that it could have originated from user input. This rule can be extended for accessing files in general (i.e. fs.readFile()) or other sensitive resource access with dynamic variables originating from user input.

More details
