
Evaluate #Javascript in the cloud with #AWS #Lambda

TL;DR

https://rapidapi.com/dananos/api/evaluate-javascript

Evaluating JavaScript on the server side is a bit of an unusual ask, but perhaps you have an application that you'd like to be highly user-configurable: for example, you want to support fields that are supplied as complex mathematical formulae, or fields with complex if/else conditions.

This opens a Pandora's box of problems. What happens if someone submits malicious, or simply bad, code that could damage or expose private data on your server? In that case it's good to run it in an isolated environment like Lambda, under a least-privilege IAM role, so the code can reach nothing beyond what that role and the function's own environment allow.

So, I first create a super simple Lambda function as follows:

// Runs the raw request body as JavaScript inside the function's own scope,
// so whatever is submitted can see everything the handler can see
exports.handler = async (event) => {
    const response = {
        statusCode: 200,
        // eval returns the value of the last expression; it is JSON-encoded for the response
        body: JSON.stringify(eval(event.body)),
    };
    return response;
};

Then I add an API Gateway trigger, which means I can now evaluate JavaScript on the server side with a curl command as follows:

curl -X POST "https://xxxxxx.execute-api.eu-west-1.amazonaws.com/eval" -d "1+5" -H "Content-Type: application/json"

Where xxxxxx is the API ID assigned during the API Gateway setup, and eval was the name of my Lambda function.

The result of “1+5” is returned as “6” in the response.

Now, be aware that the inner workings of your Lambda can be exposed by submitting JavaScript like "process.env": that environment holds, among other things, the temporary credentials of the function's execution role (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN), and submitted code can equally require modules, read /tmp or open outbound network connections. As long as the Lambda's role has very few permissions, the damage those credentials can do is limited too. Running time and memory are capped per invocation, so a single call is unlikely to cost much, but the endpoint as set up here is unauthenticated, so anyone who finds the URL can invoke it as often as they like; if you keep it exposed, put an authorizer or API key in front of it and set throttling and reserved concurrency.
