Running code generated in realtime in JavaScript with eval()
Using eval in this context doesn't create any vulnerability, as long as an attacker can't interfere with the arguments passed to matchCondition.
If you find it easier to read / program it this way, and you're confident that no untrusted input will ever go into your expression compiler, then go for it.
eval isn't evil, untrusted data is.
Please note that it's entirely possible to avoid eval, by extracting the predicates then handling them with your custom functions, for example:
    // dispatch a known predicate string to the matching function instead of eval()
    if (predicate === 'isLoggedIn()') {
        return Π.isLoggedIn();
    }
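The dispatch approach from this answer carried through to a complete rule evaluator, as an added example that is not code from the original post: a small boolean rule language is tokenized and parsed into a closure, and each predicate name is looked up in a registry of known functions, so the rule text is never handed to the JavaScript engine as code. The grammar, the ctx object and the predicate names isLoggedIn, isAdmin and hasItems are assumptions made for this illustration.

```javascript
// Added example, not code from the original post: evaluating rule conditions
// without eval() by tokenizing a small boolean language and dispatching each
// predicate name to a registry of known functions. The grammar, the "ctx"
// object and the predicate names are assumptions made for this illustration.

// Registry of callable predicates. A rule can only ever call what is listed
// here; the rule text never reaches the JavaScript engine as code.
const PREDICATES = {
  isLoggedIn: (ctx) => Boolean(ctx.user),
  isAdmin: (ctx) => Boolean(ctx.user && ctx.user.role === 'admin'),
  hasItems: (ctx) => Array.isArray(ctx.cart) && ctx.cart.length > 0,
};

// Tokenizer: accepts identifiers followed by "()", the operators && || !,
// parentheses and whitespace. Any other character is a syntax error instead
// of being passed along.
function tokenize(src) {
  const tokens = [];
  const re = /\s*(?:([A-Za-z_]\w*)\(\)|(&&|\|\||!|\(|\)))/y;
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (m === null) throw new SyntaxError(`unexpected input at offset ${pos}`);
    tokens.push(m[1] !== undefined ? { type: 'pred', name: m[1] } : { type: 'op', value: m[2] });
    pos = re.lastIndex;
  }
  return tokens;
}

// Recursive-descent parser that compiles the token stream into a closure.
// Grammar: or := and ('||' and)* ; and := unary ('&&' unary)* ;
//          unary := '!' unary | '(' or ')' | predicate
function compile(src) {
  const tokens = tokenize(src.trim());
  let i = 0;
  const takeOp = (value) => {
    const t = tokens[i];
    if (t !== undefined && t.type === 'op' && t.value === value) { i += 1; return true; }
    return false;
  };

  function parseOr() {
    let left = parseAnd();
    while (takeOp('||')) {
      const l = left;
      const right = parseAnd();
      left = (ctx) => l(ctx) || right(ctx);
    }
    return left;
  }
  function parseAnd() {
    let left = parseUnary();
    while (takeOp('&&')) {
      const l = left;
      const right = parseUnary();
      left = (ctx) => l(ctx) && right(ctx);
    }
    return left;
  }
  function parseUnary() {
    if (takeOp('!')) { const inner = parseUnary(); return (ctx) => !inner(ctx); }
    if (takeOp('(')) {
      const inner = parseOr();
      if (!takeOp(')')) throw new SyntaxError('missing closing parenthesis');
      return inner;
    }
    const t = tokens[i];
    if (t === undefined || t.type !== 'pred') throw new SyntaxError('expected a predicate call');
    i += 1;
    // Own-property check so that names such as "constructor" or "toString"
    // do not resolve to Object.prototype members.
    if (!Object.prototype.hasOwnProperty.call(PREDICATES, t.name)) {
      throw new ReferenceError(`unknown predicate ${t.name}`);
    }
    const fn = PREDICATES[t.name];
    return (ctx) => fn(ctx);
  }

  const evaluate = parseOr();
  if (i !== tokens.length) throw new SyntaxError('unexpected tokens after expression');
  return evaluate;
}

// Convenience check used when loading rules: bad rules are rejected up front.
function isValidRule(src) {
  try { compile(src); return true; } catch (e) { return false; }
}
```

Because unknown names are rejected at compile time rather than when the rule first runs, a rule file can be validated when it is loaded; the own-property check on the registry matters because a plain property lookup would otherwise resolve constructor() to Object.prototype.constructor.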
Today, everything is written by developers. Next month or next year, someone will say "hey, why not let the users write those themselves?" Bam.
Also, even if the rules are written by the developers only, do they or will they include any user-originated data? Something like titles, names, categories, for instance? This could quickly lead to an XSS attack.
Your regular expressions are so "open" (using lots of .* without any validation) that if anything untoward gets in, it will slip through directly to the eval in a minute.
At the very least, if you want to keep eval, you should have a lot stricter expressions instead of .*. But those can quickly become either difficult to understand, or a hindrance for many practical cases.
Appearances and expectations
If something looks like a safe expression, people will probably treat it like one. If a field looks like any other data-field, people (even developers) will probably put untrusted data in there. If something is evaluated with full level application access, it should look and feel like code.
Another problem is subtle bugs in your pre-compiler, which could introduce unwanted bugs/security flaws. Most vulnerabilities start with unwanted bugs, before a malicious attacker can exploit something. And a new meta-language without proper vetting/tests and strongly defined syntax is just another layer of confusion and bugs waiting to happen.
If only developers write code for your conditions, why not just use plain JavaScript? The meta-language brings hardly any benefit. And code is handled by people like code.