Do you really trust Grooveshark at this point?
qgustavor opened this issue · comments
The library is evaluating code from Grooveshark without any sandboxing as saw here:
# $ is cheerio in the context of html5.grooveshark.com
jsString = $('script').eq(2).text()
# ...
eval jsString
It allows arbitrary code execution: if Grooveshark was malicious they can change their code in order to do anything as the user which is executing the script. It can be simple as:
while(this.process); // will crash node, but isn't evil
this.process&&require('child_process').exec('calc') // evil… or, well, it's just an example
No one will turn on dSploit and watch out for gplayer users somewhere in order to exploit that, but better be safe.
Yup, good point. I am not using this module now. Any pull-request will be appreciated.
Grooveshark was closed two years ago...