Comments (5)
pocesar
commented on July 29, 2024
1
for executing user input, you need a sandbox or a dedicated VM
from static-eval.
hanvyj
commented on July 29, 2024
But it's not executing any code is it? It's parsing user input into something it can evaluate - but the user can't actually run any code as such? It only evaluates static input.
from static-eval.
pocesar
commented on July 29, 2024
yes, "eval" means that it's executing code. if you want to analyse the code instead of executing it, you should take a look at a parser like esprima
from static-eval.
hanvyj
commented on July 29, 2024
Esprima is required to parse the code for static-eval. It takes the parsed code, and evaluates it based on those expressions. It doesn't ever call eval on any of the code. Is it because of how it handles the FunctionExpression, i.e. using the function constructor?
It seems like a major use case would be for evaluating user provided expressions safely.
from static-eval.
pocesar
commented on July 29, 2024
the latest vulnerability, that was only discovered 2 years after the last version was released, showed how it was possible. check the #20 for the advisory with a PoC
from static-eval.
Related Issues (20)
- Doesn't handle var statements with multiple declarations
- Doesn't handle var statements with declarations but not initializations
- Does not support NewExpression
- Better error handling
- can't use with webpack HOT 2
- security issue HOT 10
- Cannot evaluate the result of "Date.now()" HOT 1
- What is the different with this and eval? HOT 4
- Function declaration invokes the function body HOT 3
- Sandbox Escape HOT 1
- Inheritance error with Slack Node SDK and NCC HOT 2
- High Severity Security vulnerability with package HOT 20
- Critical security vulnerability with package HOT 3
- Callback parameter needs an extra check
- Differences in `ReturnStatement` evaluations
- static-eval stable version HOT 1
- It does not evaluate functions HOT 1
- CVE in word-wrap HOT 1
- Would it be possible to use this with THREE.Vector3?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from static-eval.