Description
In version 7.6.0, JavaScript restrictions have been enabled for Cloud (Capella) clusters as part of MB-60136.
If js-restrictions is set to true, JavaScript constructs that may allow code injection or speculative execution attacks (like Spectre) are removed:
- MB-53136, MB-57535 - removing code injection constructs
- MB-52924 - restrict time granularity
These changes should be documented so that users are aware of them.
Example of code injection:
    function evaluate() {
        // Code is read from a document and executed: whoever can write the document controls what runs
        var q = select jscode from <bucket> where meta().id = <docid>;
        let iter = q[Symbol.iterator]();
        let code = iter.next();
        let result = eval(code);
    }
With the latest changes, the code above won't compile because the symbol "eval" has been removed from the language.
Similarly:
    function dynamicfunction() {
        var q = select jscode from <bucket> where meta().id = <docid>;
        let iter = q[Symbol.iterator]();
        let code = iter.next();
        // Builds a function body from stored text, the same risk as eval
        return new Function("inject", code);
    }

    function evaluate() {
        dynamicfunction();
    }
The "Function" construct has been removed.
The granularity of the Date object has been reduced to 1 second.
Functions like Date.now() will return the current timestamp only up to the last second.
Consider a few examples that illustrate where the change in timestamp granularity can have an impact.
In JavaScript code, Date.now() will no longer return the current time with millisecond granularity, but with granularity to the last second.
1. The function executes a SQL++ query to insert a document with a field containing the current timestamp.
    function addOrder() {
        let curr = Date.now();
        N1QL('INSERT INTO orders VALUES (uuid(),{"time":'+ curr +'})');
    }
2. The function simulates sleep by blocking execution for the number of milliseconds passed as a function parameter:
    function sleep(milliseconds) {
        let init = Date.now();
        let curr = null;
        do {
            curr = Date.now();
        } while (curr - init < milliseconds);
    }
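The effect on both functions above can be reproduced with a simulated clock. This is an added example, not code from the ticket or from Couchbase; makeClock, orderTimes and demo are hypothetical helpers, and it assumes the restricted Date.now() still returns epoch milliseconds truncated down to the last whole second.

```javascript
// Added example: simulated clock, not Couchbase code.
// Assumption: restricted Date.now() returns epoch ms truncated to the last second.
function makeClock(startMs, coarse) {
  let t = startMs; // simulated true time in ms
  return {
    now: () => (coarse ? Math.floor(t / 1000) * 1000 : t),
    tick: (ms) => { t += ms; },
    elapsed: () => t - startMs,
  };
}

// The sleep() loop from above with the clock injected; each pass costs 1 simulated ms.
function sleep(milliseconds, clock) {
  const init = clock.now();
  let curr = null;
  do {
    clock.tick(1);
    curr = clock.now();
  } while (curr - init < milliseconds);
  return clock.elapsed(); // time the caller was actually blocked
}

// "time" values that addOrder()-style calls would store at the given offsets.
function orderTimes(startMs, offsetsMs, coarse) {
  return offsetsMs.map((off) => makeClock(startMs + off, coarse).now());
}

function demo() {
  const base = 1700000000000; // constructed epoch value on a second boundary
  return {
    fine: sleep(100, makeClock(base + 250, false)),
    coarseLong: sleep(100, makeClock(base + 250, true)),
    coarseShort: sleep(100, makeClock(base + 990, true)),
    coarse1500: sleep(1500, makeClock(base + 250, true)),
    orders: orderTimes(base, [250, 550, 950, 1050], true),
  };
}

console.log(demo());
```

In the simulation a 100 ms sleep blocks for 750 ms or for 10 ms depending on where in the second it starts, and three orders placed within the same second store an identical time value, so that field can no longer order them.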
More details in the MB.