Friday, 1 June 2018

(hear me out) Best Practices for running code saved via form?

In summary I'm writing a webapp to run on my personal LAN that will only accept connections from my laptop's IP (so no code injection risks unless I'm already hacked). The app, among other things, has a TEXTAREA for me to input Javascript snippets that will be set to run at user-defined intervals. (Right now I run a lot of little JS things that contain the same boilerplate and I'd rather just consolidate a lot of it and make it easier to create new snippets that run at intervals.)

I'm wondering which of the following would be the preferred method (or is there another?) to invoke this code. Suppose the code is retrieved from the DB and stored in `myCode`.

1. `const result = eval(myCode);`
2. `const p = child_process.spawn('bash', ['-c', `node <(echo "${myCode}")`]);`

With #2 then I'd use the events to get the result (`p.stdout.on` I think).

I could additionally swap out `eval` for one of the libraries like safe-eval to only allow whitelisted functions if I really needed to worry about code injection.

I'm leaning toward #2. It seems more "node-ic." It's effectively just running the code as if it were stored in `code.js` and calling `node code.js`.

Thoughts? Is there another way I'm not thinking about? Thanks.

Submitted June 01, 2018 at 07:01AM by KyleG
