Even though the comment says the eval in lib/serialization.js is harmless:
```js
function deserializeFromGUI(data) {
    var res;
    // Strip the leading "var name = " prefix sent by the GUI editor.
    data = data.replace(/^.+=[^{]+/, '');
    // Evaluates whatever text remains as JavaScript.
    eval('res = ' + data);
    return res;
}
```

I think it is still a big security risk. Allowing someone to manipulate your database with a tool like mongo-edit should not allow arbitrary code execution on the server where the app is deployed. Imagine the impact of combining something like this with XSS (see the book "Hacking: The Next Generation" for details on such a complex attack)! I suggest using some validation on the data using regexes or using a sanitization package like:
https://www.npmjs.com/package/eval-sanitizer
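An added example (not mongo-edit's own code) of the mitigation the issue asks for: the same prefix-stripping regex, but strict `JSON.parse` in place of `eval`, so only data literals are accepted and no expression in the submitted text is ever executed. The function names `safeDeserializeFromGUI` and `tryDeserialize` and the sample inputs are assumptions constructed for the demonstration.

```javascript
// Added example, not mongo-edit's own code. Assumes the GUI sends text in
// the "var doc = {...}" shape that the original regex strips; the names
// safeDeserializeFromGUI and tryDeserialize are hypothetical.

// The pattern the issue quotes: strips everything up to the first '{'.
const GUI_PREFIX = /^.+=[^{]+/;

// Hardened replacement: same prefix handling, but strict JSON.parse instead
// of eval, so only JSON data is accepted and nothing is executed.
function safeDeserializeFromGUI(data) {
  if (typeof data !== 'string') {
    throw new TypeError('expected a string');
  }
  const body = data.replace(GUI_PREFIX, '');
  let res;
  try {
    res = JSON.parse(body);
  } catch (e) {
    throw new SyntaxError('document is not valid JSON: ' + e.message);
  }
  // mongo-edit edits documents, so insist on a plain object at the top level.
  if (res === null || typeof res !== 'object' || Array.isArray(res)) {
    throw new TypeError('expected a JSON object');
  }
  return res;
}

// Reports accept/reject instead of throwing, for the checks below.
function tryDeserialize(data) {
  try {
    return { ok: true, value: safeDeserializeFromGUI(data) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed samples: a legitimate GUI submission, and two inputs that are
// valid JavaScript (eval would evaluate them) but are rejected as JSON.
const SAMPLES = {
  legit:      'var doc = {"_id": "abc123", "name": "alice", "tags": ["a", "b"]}',
  expression: 'var doc = {"n": 1 + 1}',
  callExpr:   'var doc = {"n": Date.now()}',
};

console.log(tryDeserialize(SAMPLES.legit));      // { ok: true, value: {...} }
console.log(tryDeserialize(SAMPLES.expression)); // { ok: false, error: 'SyntaxError' }
console.log(tryDeserialize(SAMPLES.callExpr));   // { ok: false, error: 'SyntaxError' }
```

Note that the original regex is greedy on `=`, so a document containing `=` inside a string value is stripped incorrectly by both versions; that is a separate defect from the `eval` call and is left as the page shows it.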