• (nodebb)

    I'm not sure that I agree about "send data" being better than "generate code", but what's sure is that the server code that is "generating" should send only the code necessary to run with the given settings, so instead of sending this:

        if ( configuration_value_as_literal == constant1 )  // e.g. "if ( false == true)"
        {
            some_code(....);
        }
        else
        {
            some_other_code(...);
        }
    

    just send a call to some_code() or a call to some_other_code(), as required by the value of configuration_value_as_literal.

    Why? It conceals information that attackers might find useful, since they don't see that there even is an option, nor a difference in behaviour, nor what the "not for you, Chuckles" behaviour even is. Sending the if() and the two sets of code is an information leak, and sending data also facilitates the attacker attacking the code he shouldn't be allowed to use, because it's easier to use the JS console to modify the data than it is to use the console to modify the script.

  • Argle (unregistered)

    if ( true + true === 2 ) { // leave a comment }

  • Shiwa (unregistered)

    Without more context (was this code spotted in a codebase? on a live website?), it’s hard to judge how much of a WTF it is.

    A legitimate case for this code to appear would be in development mode with environment variables injected in the source code. Like if (process.env.DISABLE_PASSWORD_AUTH === 'Y') { … }. In development mode the process.env.xxx would get replaced, but the dead code would not be eliminated (because minification is unnecessary in this context). In production, the generated code would be cleaned and minified. Depending on the variable, it can be more relevant than keeping all the code and loading the variable from the backend (e.g. react debugging code that gets stripped in production env).

    Though in this case, it would still be weird to disable inputs based on an environment variable.
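An added example, written for this page and not taken from any commenter or from NodeBB: a server-side renderer that emits only the branch the configuration selects (the nodebb suggestion), next to a toy constant-folding pass that drops the dead branch of a `literal === literal` condition, standing in for what a production minifier does once `process.env.X` has been replaced by its value (Shiwa's point), plus a check a reviewer can run over rendered client code to catch an `if` that still compares two literals. The config key `disablePasswordAuth` and the functions `disablePasswordInputs`/`enablePasswordInputs` are assumptions chosen for illustration.

```javascript
// Added example; nothing here is from the thread or from NodeBB itself.
// Names (disablePasswordAuth, disablePasswordInputs, enablePasswordInputs)
// are assumptions chosen for illustration.

// The leaky form: both branches are shipped behind a literal condition, so
// the client can see that the option exists and what the other behaviour is.
function renderLeaky(cfg) {
  return [
    `if (${JSON.stringify(cfg.disablePasswordAuth === true)} === true) {`,
    '  disablePasswordInputs();',
    '} else {',
    '  enablePasswordInputs();',
    '}',
  ].join('\n');
}

// The minimal form: the decision is taken on the server and only the
// selected call is emitted. The client never learns about the other branch.
function renderMinimal(cfg) {
  return cfg.disablePasswordAuth === true
    ? 'disablePasswordInputs();'
    : 'enablePasswordInputs();';
}

// Literal tokens this toy understands: true, false, integers, and quoted
// strings without escape sequences (a real minifier handles the full grammar).
const LITERAL = String.raw`(?:true|false|-?\d+|"[^"]*"|'[^']*')`;
const LITERAL_IF = new RegExp(
  String.raw`if\s*\(\s*(${LITERAL})\s*===\s*(${LITERAL})\s*\)\s*\{([^{}]*)\}` +
  String.raw`(?:\s*else\s*\{([^{}]*)\})?`,
  'g'
);

function evalLiteral(tok) {
  if (tok === 'true') return true;
  if (tok === 'false') return false;
  if (/^-?\d+$/.test(tok)) return Number(tok);
  return tok.slice(1, -1); // strip the quotes of a string literal
}

// Constant-fold `literal === literal` conditions and keep only the live
// branch: this is what happens to `process.env.X === 'Y'` once the env
// reference has been substituted and the bundle is minified.
function eliminateLiteralBranches(src) {
  return src.replace(LITERAL_IF, (_m, lhs, rhs, thenBody, elseBody = '') => {
    const live = evalLiteral(lhs) === evalLiteral(rhs) ? thenBody : elseBody;
    return live.trim();
  });
}

// Review check: does rendered client code still contain an `if` whose
// condition is two literals? If so, a branch that can never run is being
// shipped, and with it the information the first commenter is worried about.
function hasLiteralBranch(src) {
  return new RegExp(LITERAL_IF.source).test(src); // fresh RegExp: no 'g' state
}

// Demonstration on a constructed configuration.
const cfg = { disablePasswordAuth: false };
console.log(renderLeaky(cfg));
console.log(hasLiteralBranch(renderLeaky(cfg)));          // true
console.log(eliminateLiteralBranches(renderLeaky(cfg))); // enablePasswordInputs();
console.log(renderMinimal(cfg));                         // enablePasswordInputs();
console.log(hasLiteralBranch(renderMinimal(cfg)));       // false
```

The eliminator only understands the one shape shown in the thread (an `if`/`else` with flat bodies and a literal on each side of `===`); nested blocks or computed conditions fall through untouched, which is exactly the case in which `hasLiteralBranch` is useful as a build-time check on the rendered output.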

  • dusoft (unregistered)

    if (x==false OR 1)

  • (nodebb) in reply to Argle

    #define false 0
    #define true !false

Leave a comment on “No Yes”
