Abstract
Eval endows JavaScript developers with great power. It allows developers and end-users, by turning text into executable code, to seamlessly extend and customize the behavior of deployed applications as they are running. With great power comes great responsibility, though not in our experience. In previous work we demonstrated through a large corpus study that programmers wield that power in rather irresponsible and arbitrary ways. We showed that most calls to eval fall into a small number of very predictable patterns. We argued that those patterns could easily be recognized by an automated algorithm and that they could almost always be replaced with safer JavaScript idioms. In this paper we set out to validate our claim by designing and implementing a tool, which we call Evalorizer, that can assist programmers in getting rid of their unneeded evals. We use the tool to remove eval from a real-world website and validate our approach over logs taken from the top 100 websites, with a success rate over 97% under an open world assumption.
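The claim that eval arguments fall into a few predictable patterns with safer replacements can be made concrete with an added example (not Evalorizer's code and not taken from the paper): a classifier for logged eval strings that handles three assumed patterns (JSON data, property read, assignment of a literal) without calling eval. The pattern names, the `scope` object and the sample strings are assumptions of this example.

```javascript
// Added illustration, not Evalorizer's code. Pattern names and the
// `scope` object (standing in for the variables visible at the call
// site) are assumptions of this example.
const PATH = "[A-Za-z_$][\\w$]*(?:\\.[A-Za-z_$][\\w$]*)*";
const READ = new RegExp(`^\\s*(${PATH})\\s*;?\\s*$`);
const ASSIGN = new RegExp(`^\\s*(${PATH})\\s*=\\s*([\\s\\S]+?)\\s*;?\\s*$`);
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Data-only strings, including the common eval("(" + text + ")") wrapper.
function parseJson(src) {
  const body = src.trim().replace(/^\(([\s\S]*)\)$/, "$1");
  try { return { ok: true, value: JSON.parse(body) }; } catch { return { ok: false }; }
}

// Follow a dotted path through own properties only, never the prototype chain.
function walk(scope, keys) {
  let cur = scope;
  for (const k of keys) {
    const isObj = cur !== null && typeof cur === "object";
    if (!isObj || !Object.prototype.hasOwnProperty.call(cur, k)) return { ok: false };
    cur = cur[k];
  }
  return { ok: true, value: cur };
}

// Classify one logged eval argument and compute its result without eval.
function replaceEval(src, scope) {
  const json = parseJson(src);
  if (json.ok) return { pattern: "json", value: json.value };
  const read = READ.exec(src);
  if (read) {
    const r = walk(scope, read[1].split("."));
    return r.ok ? { pattern: "read", value: r.value } : { pattern: "unresolved" };
  }
  const assign = ASSIGN.exec(src);
  if (assign) {
    const keys = assign[1].split("."), last = keys.pop();
    const target = walk(scope, keys), rhs = parseJson(assign[2]);
    const settable = target.ok && target.value !== null && typeof target.value === "object";
    if (settable && rhs.ok && !FORBIDDEN.has(last)) {
      target.value[last] = rhs.value;
      return { pattern: "assign", value: rhs.value };
    }
  }
  return { pattern: "other" }; // needs manual review; eval is never the fallback
}

// Constructed sample of logged eval arguments.
const scope = { config: { theme: "dark" } };
const SAMPLE = ['({"id": 7})', "config.theme", 'config.lang = "en"', "alert(document.cookie)"];
const RESULTS = SAMPLE.map((s) => replaceEval(s, scope).pattern);
```

Strings that match no pattern are reported as `other` rather than executed, so anything outside the recognized idioms still reaches a human.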
Eval begone!: semi-automated removal of eval from JavaScript programs
OOPSLA '12: Proceedings of the ACM international conference on Object oriented programming systems languages and applications