Evaluate #Javascript in the cloud with #AWS #Lambda

TL;DR;
https://rapidapi.com/dananos/api/evaluate-javascript
Evaluating JavaScript on the server side is a bit of an unusual ask, but perhaps you have an application that you’d like to be highly user-configurable: for example, you want to support fields that are supplied as complex mathematical formulae, or with complex if/else conditions.
Now, this opens a Pandora’s box of problems. What happens if someone writes malicious or simply bad code that could potentially damage or expose private data on your server? For that reason, it’s good to run this in an isolated environment like Lambda, running under a least-privilege IAM role.
So, I first create a super simple Lambda function as follows:

    exports.handler = async (event) => {
        const response = {
            statusCode: 200,
            // eval() runs the raw request body as code inside the function's own process
            body: JSON.stringify(eval(event.body)),
        };
        return response;
    };

And then create an API Gateway as a trigger, which means that I can now evaluate JavaScript on the server side, using a curl command as follows:

    curl -X POST "https://xxxxxx.execute-api.eu-west-1.amazonaws.com/eval" -d "1+5" -H "Content-Type: application/json"

Here xxxxxx is dynamically assigned during the API Gateway setup, and eval was the name of my Lambda function.
The result of “1+5” is returned as “6” in the response.
Now, be aware that the inner workings of your Lambda can be exposed by executing JavaScript like “process.env”, but as long as the Lambda itself has few permissions, the damage it can do is limited too. The running time and memory are also capped, so it is unlikely to cost much.
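
If the goal is only the use case named at the top (user-supplied formulae and if/else conditions), the handler does not need eval() at all. The following is an added example, not code from the original post: a recursive-descent evaluator that accepts numbers, arithmetic, comparisons, `a ? b : c` conditionals and caller-supplied variables, and rejects everything else, including “process.env”. The names `evaluate`, `tokenize`, `has` and the 256-character cap are assumptions of this example.

```javascript
// Added example, not the post's code: parse the formula instead of eval()-ing it.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function tokenize(src) {
  const tokens = src.match(/\d+(?:\.\d+)?|[A-Za-z_]\w*|[<>=!]=|[-+*\/()<>?:]/g) || [];
  // Any character outside this grammar (quotes, dots, brackets, ...) is rejected.
  if (tokens.join('') !== src.replace(/\s+/g, '')) throw new Error('unexpected character');
  return tokens;
}

function evaluate(src, vars = {}) {
  if (typeof src !== 'string' || src.length > 256) throw new Error('bad input'); // assumed cap
  const t = tokenize(src);
  let i = 0;
  const eat = (op) => { if (t[i++] !== op) throw new Error(`expected ${op}`); };
  const primary = () => {
    const tok = t[i++];
    if (tok === '(') { const v = ternary(); eat(')'); return v; }
    if (tok === '-') return -primary();
    if (/^\d/.test(tok)) return Number(tok);
    // Names resolve only against numbers the caller passed in, never globals.
    if (typeof tok === 'string' && has(vars, tok) && typeof vars[tok] === 'number') return vars[tok];
    throw new Error(`unexpected ${tok ?? 'end of formula'}`);
  };
  const binary = (next, ops) => () => {
    let v = next();
    while (has(ops, t[i])) v = ops[t[i++]](v, next());
    return v;
  };
  const term = binary(primary, { '*': (a, b) => a * b, '/': (a, b) => a / b });
  const sum = binary(term, { '+': (a, b) => a + b, '-': (a, b) => a - b });
  const cmp = binary(sum, { '<': (a, b) => a < b, '>': (a, b) => a > b, '<=': (a, b) => a <= b,
    '>=': (a, b) => a >= b, '==': (a, b) => a === b, '!=': (a, b) => a !== b });
  function ternary() { // cond ? a : b covers the if/else case
    const c = cmp();
    if (t[i] !== '?') return c;
    eat('?'); const a = ternary();
    eat(':'); const b = ternary();
    return c ? a : b;
  }
  const result = ternary();
  if (i < t.length) throw new Error('trailing input');
  return result;
}

const handler = async (event) => { // same response shape as the post's handler
  try { return { statusCode: 200, body: JSON.stringify(evaluate(event.body)) }; }
  catch (e) { return { statusCode: 400, body: JSON.stringify({ error: e.message }) }; }
};
if (typeof module !== 'undefined') module.exports.handler = handler;
```

Variables come from the server-side caller, for example `evaluate(formula, { qty: 12, price: 100 })`; the least-privilege role and the time and memory caps still apply around it.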