xissy / node-grooveshark-streaming

A node.js module for getting a music streaming url from Grooveshark without any API authentication.


Do you really trust Grooveshark at this point?

qgustavor opened this issue · comments

The library is evaluating code from Grooveshark without any sandboxing, as seen here:

```coffeescript
# $ is cheerio in the context of html5.grooveshark.com
jsString = $('script').eq(2).text()
# ...
eval jsString
```

It allows arbitrary code execution: if Grooveshark were malicious, they could change their code in order to do anything as the user who is executing the script. It can be as simple as:

```javascript
while(this.process); // will crash node, but isn't evil
this.process&&require('child_process').exec('calc') // evil… or, well, it's just an example
```

No one will turn on dSploit and watch out for gplayer users somewhere in order to exploit that, but it's better to be safe.
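The fix the issue is asking for, as an added example that is not part of the original thread or of the module's code: instead of handing the fetched script text to `eval`, locate the object literal the module needs and parse it as data, so nothing in the response ever executes. The variable name `gsConfig`, the `SAMPLE_SCRIPT` layout and the marker property are constructed for this demo and are not Grooveshark's real format.

```javascript
// Added example, not the module's own code. `gsConfig`, SAMPLE_SCRIPT and the
// __remoteScriptRan marker are constructed to show the two approaches side by side.

// Mirrors the library: evaluate the remote script, then read one value from it.
function extractConfigUnsafe(scriptText, varName) {
  const window = {};   // remote script assigns window.<varName> = {...}
  eval(scriptText);    // ...but every other statement in the response runs too
  return window[varName];
}

// Index of the brace that balances the one at `start`, skipping string literals
// so a brace inside a quoted value cannot end the scan early. -1 if unbalanced.
function balancedObjectEnd(text, start) {
  let depth = 0, quote = null;
  for (let i = start; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '{') depth++;
    else if (ch === '}' && --depth === 0) return i;
  }
  return -1;
}

// Hardened: find `window.<varName> = {` and JSON.parse the balanced literal.
// No code from the response executes; non-JSON content makes JSON.parse throw.
function extractConfigSafe(scriptText, varName) {
  const m = new RegExp('window\\.' + varName + '\\s*=\\s*\\{').exec(scriptText);
  if (!m) return undefined;
  const start = m.index + m[0].length - 1;
  const end = balancedObjectEnd(scriptText, start);
  return end < 0 ? undefined : JSON.parse(scriptText.slice(start, end + 1));
}

// Constructed response: the config plus a statement that marks globalThis if run.
const SAMPLE_SCRIPT = `globalThis.__remoteScriptRan = true;
window.gsConfig = {"streamHost": "stream.example.invalid", "token": "{a}b}"};
`;

function demo() {
  delete globalThis.__remoteScriptRan;
  const safe = extractConfigSafe(SAMPLE_SCRIPT, 'gsConfig');
  const ranAfterSafe = globalThis.__remoteScriptRan === true;    // stays false
  const unsafe = extractConfigUnsafe(SAMPLE_SCRIPT, 'gsConfig');
  const ranAfterUnsafe = globalThis.__remoteScriptRan === true;  // becomes true
  return { safe, unsafe, ranAfterSafe, ranAfterUnsafe };
}
```

Wrapping the `eval` in Node's `vm` module would not be a substitute: the Node documentation states that `node:vm` is not a security mechanism and must not be used to run untrusted code.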

Yup, good point. I am not using this module now. Any pull request will be appreciated.

Grooveshark was closed two years ago...