Is using the EVAL / feval method risky?

The eval() method in JavaScript is strongly discouraged as a risky function. However, object declarations make heavy use of it. Is it risky?

Client object programming is part of the globally described system orchestration. See the chapter about orchestration for more details.

Even the developer portal says that "Executing JavaScript from a string is an enormous security risk."

Why do we use it?

AyMINE doesn't use eval(); it uses feval, which is built on the universal Function() constructor.

There is a significant difference between eval() and the universal Function() constructor. This is also described in the developer portal, but the major difference from the safety point of view is not obvious:

  • The eval() method is processed as a global function with the possibility to work with everything around it: pages, method calls, etc. In a nutshell, it can do anything.
  • A Function() method can only work with what is in the scope allowed by the function call. It can never touch data or functions that are not explicitly allowed.
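To make the scope difference concrete, here is an added example that is not part of the AyMINE documentation or code base; `appConfig`, `runWithEval`, `runWithFunction`, `functionStillSeesGlobals` and `runWithExplicitApi` are constructed names. It shows that a direct eval() reads the caller's local variables while Function() does not, and also the caveat a reviewer should keep in mind: Function() still sees global properties, so the isolation described on this page comes from handing the script only the API it needs as named parameters, not from Function() alone.

```javascript
// Added example (not AyMINE code): what eval() and Function() can see.
// All names and values are constructed for the demonstration.

globalThis.appConfig = { theme: "dark" }; // hypothetical global-scope object

function runWithEval() {
  const localToken = "local-secret"; // a local of the calling function
  // Direct eval() runs in the caller's scope: the string can read localToken
  // as well as everything global.
  return eval("localToken + '/' + appConfig.theme");
}

function runWithFunction() {
  const localToken = "local-secret"; // same local, deliberately not passed in
  // Function() compiles its body in the global scope, so the caller's
  // local variables are not visible; the lookup throws a ReferenceError.
  try {
    return new Function("return localToken")();
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : "other error";
  }
}

function functionStillSeesGlobals() {
  // Caveat: Function() hides only the enclosing scope. Global properties
  // (here appConfig; in a browser also window, document, fetch) stay reachable.
  return new Function("return appConfig.theme")();
}

function runWithExplicitApi(script, api) {
  // The pattern the page describes: the script receives only what the call
  // passes in by name (here a single `api` parameter).
  return new Function("api", script)(api);
}
```

In a browser the same rule applies: a Function() body cannot read the variables of the function that created it, but `window`, `document` and the other globals remain in reach, which is why a controlled API object is the real boundary.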

What is feval?

feval is the concept for processing client object methods defined by the object declaration files. It manages orchestration as well as dynamic calculation of views.

Thanks to the feval concept, AyMINE is extensible without the need to recompile the client application or mobile application for each change. It is also flexible enough to provide different behaviour for various clients.

Safety measures

AyMINE adopted further strong control mechanisms to keep the function 100% controlled:

  • Scripts evaluated in the feval method are never uploaded to the system and are never editable directly within the application. In a nutshell, there is no way to send untrusted code for evaluation.
  • Scripts are never shared among clients or users. They are part of the code and under the developer's control. Users cannot affect them. Simply put, no one can affect code evaluated anywhere other than on their own computer.
  • Scripts have a strictly controlled environment. They have access only to the feval API, which 100% isolates the scripts from the application. Admittedly, a script interacts with the application and even with the user (there are methods for dialogs), but everything is managed over the defined API.
  • Scripts never manage server rights. Simply put, they don't manage anything on the server because they are evaluated on the client's local computer. Even if a user changed a script on their own local station, it would never affect the control of access rights managed by the back-end.

API for client objects

The API for client objects and scripts has data parts and functional objects.

Data objects

A data object principally allows access to some data but also contains functions for manipulating the data.

Principal data object

Scripts are always linked with a single object, and the object is available under the name obj.

The object also contains several methods to get:

  • counter fields
  • icons
  • object description

Functionality supported by the data object is described here.

Translation strings

The evaluation method can access translations related to the object. It can translate a string into the language that the user has selected; it may not change the language or choose which language to use for translation. Translations are used for UI automation and therefore there is no reason for language control.

Translations are accessible through the object lang.

Attributes

Views and methods have input attributes. They are available as the object attr.

Functional API

The functional API is available through 3 objects.

Global eval methods

The API is encapsulated in the g = globalEval object, with access to methods that are not linked with the used objects:

  • Date and time manipulation
  • System settings

User object

The API under the object user encapsulates user-specific information and functions:

  • User ID
  • Client ID
  • User settings
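The "Safety measures" section and the API sections above describe one pattern: a script gets a controlled environment made of the objects obj, lang, attr, g and user, and nothing else. The following is an added example of such a feval-style evaluator; it is not AyMINE's implementation, and the method names (counterFields, description, t, isoDate), the translation table and the sample record are all constructed for the demonstration. The `"use strict"` prefix is a hardening choice of this example, not something the page states: it keeps `this` inside the script undefined instead of the global object.

```javascript
// Added example (not AyMINE's implementation): a feval-style evaluator that
// hands a script exactly the objects listed on the page (obj, lang, attr, g,
// user) as function parameters. All names, methods and sample data are
// constructed.

// Hypothetical translation table for the user's selected language (constructed).
const TRANSLATIONS = {
  en: { greeting: "Hello", total: "Total" },
  cs: { greeting: "Ahoj", total: "Celkem" },
};

function makeContext({ userId, clientId, language, record, attr }) {
  return {
    // Principal data object: the single record the script is linked to.
    obj: Object.freeze({
      data: record,
      counterFields: () => Object.keys(record).filter(k => typeof record[k] === "number"),
      description: () => `${record.name} (#${record.id})`,
    }),
    // Translation access only: the script cannot switch the language.
    lang: Object.freeze({ t: key => TRANSLATIONS[language][key] ?? key }),
    // Input attributes of the view or method.
    attr: Object.freeze({ ...attr }),
    // Global helpers not tied to any record (date/time, settings).
    g: Object.freeze({ isoDate: ts => new Date(ts).toISOString().slice(0, 10) }),
    // User-specific, read-only information.
    user: Object.freeze({ id: userId, clientId, settings: { currency: "CZK" } }),
  };
}

function feval(script, ctx) {
  // Function() already hides this module's locals from the script; the
  // "use strict" prefix additionally keeps `this` undefined inside it.
  const fn = new Function("obj", "lang", "attr", "g", "user", `"use strict";\n${script}`);
  return fn(ctx.obj, ctx.lang, ctx.attr, ctx.g, ctx.user);
}

function sampleContext() {
  return makeContext({
    userId: 42,
    clientId: 7,
    language: "cs",
    record: { id: 101, name: "Invoice", amount: 200, items: 3 }, // constructed record
    attr: { discount: 0.25 },
  });
}

function demo() {
  // A script of the kind an object declaration file would carry (constructed).
  const script = `
    const net = obj.data.amount * (1 - attr.discount);
    return lang.t("total") + ": " + net + " " + user.settings.currency;
  `;
  return feval(script, sampleContext());
}
```

Running `demo()` evaluates the constructed script against the sample record and returns "Celkem: 150 CZK". Because every capability arrives as a parameter, the set of things a script can do is exactly the surface of those five objects, which is the property the safety measures above rely on.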