
Is there a better way than eval() in this scenario?


It is a web app, using Google Apps Script, running as the user accessing the app.

We have custom data and code for some users.

That custom information is in a text file within the developer's Google Drive, with only View access from the specific user.

The content of that text file could be like the dummy code below:

var oConfig = {
  some : "OK",  
  getinfo : function (s) {
    return this.some + s;
  }
}

In order to get that custom data / code into the app, we can use eval() as shown below:

  var rawjs = DriveApp.getFileById(jsid).getBlob().getDataAsString();
  eval(rawjs);
  Logger.log(oConfig.getinfo("?")); // OK?

My questions are:

  1. Is there a better way to achieve this goal than eval()?

  2. Is eval() secure enough in this case, considering that the text file is only editable by the developer?

Thanks, Fausto


Source: https://stackoverflow.com/questions/26846786
Updated: 2019-11-21 10:09

Best answer


Well, it looks secure enough. But using eval has other problems, like making it difficult to debug your code, and possibly some other problems.

If you're generating such custom data within your code, I imagine the variety of such customizations is enumerable. If so, I'd leave the code within your script, save just data in Drive, and use indicators (like function variant names) of how to rebuild the config object in your script. For example:

function buildConfig(data) {
  var config = JSON.parse(data); //only data, no code
  config.getInfo = this[config.getInfo]; //hook code safely
  return config;
}

function customInfo1(s) { return this.some + s; }

function customInfo2(s) { return s + this.some; }

function testSetup() {
  //var userData = DriveApp.getFileById(jsid).getBlob().getDataAsString();
  var userData = '{"some":"OK", "getInfo":"customInfo1"}'; //just for easier testing

  var config = buildConfig(userData); //no eval

  //let's test it
  Logger.log(config.getInfo('test'));
}
2014-11-10
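An added example (not the answer's own code) that takes the answer's idea one step further: the hook name read from the Drive file is resolved through an explicit allow-list instead of a global `this[name]` lookup, and malformed JSON or unknown hook names make the load fail closed. The JSON strings are constructed stand-ins for what `getDataAsString()` would return; the code runs unchanged in Node or Apps Script.

```javascript
// Added example: data-only config loading with an allow-listed hook table.
// Not the answer's code; GOOD_FILE / BAD_FILE are constructed sample inputs.

function customInfo1(s) { return this.some + s; }
function customInfo2(s) { return s + this.some; }

// Allow-list: the only function names a config file may reference.
var HOOKS = {
  customInfo1: customInfo1,
  customInfo2: customInfo2
};

// Parse the file as data only (never eval) and attach the chosen hook.
// Throws on non-object JSON, a non-string "some", or a hook name that is
// not an own property of HOOKS, so a bad or tampered file is rejected
// instead of silently resolving to something else.
function buildConfig(data) {
  var parsed = JSON.parse(data);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('config must be a JSON object');
  }
  if (typeof parsed.some !== 'string') {
    throw new Error('config.some must be a string');
  }
  // hasOwnProperty: a plain HOOKS[name] lookup would also find inherited
  // names such as "constructor" via Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(HOOKS, parsed.getInfo)) {
    throw new Error('unknown getInfo hook: ' + parsed.getInfo);
  }
  return { some: parsed.some, getInfo: HOOKS[parsed.getInfo] };
}

// Constructed sample file contents.
var GOOD_FILE = '{"some":"OK", "getInfo":"customInfo2"}';
var BAD_FILE  = '{"some":"OK", "getInfo":"constructor"}'; // not allow-listed

// Loads both samples; returns the hook result and whether BAD_FILE was rejected.
function demo() {
  var config = buildConfig(GOOD_FILE);
  var ok = config.getInfo('?');        // customInfo2: "?" + "OK"
  var rejected;
  try { buildConfig(BAD_FILE); rejected = false; } catch (e) { rejected = true; }
  return { ok: ok, rejected: rejected };
}
```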
