Comments (5)
for executing user input, you need a sandbox or a dedicated VM
from static-eval.
But it's not executing any code is it? It's parsing user input into something it can evaluate - but the user can't actually run any code as such? It only evaluates static input.
from static-eval.
yes, "eval" means that it's executing code. if you want to analyse the code instead of executing it, you should take a look at a parser like esprima
from static-eval.
Esprima is required to parse the code for static-eval. It takes the parsed code, and evaluates it based on those expressions. It doesn't ever call eval
on any of the code. Is it because of how it handles the FunctionExpression
, i.e. using the function constructor?
It seems like a major use case would be for evaluating user provided expressions safely.
from static-eval.
the latest vulnerability, that was only discovered 2 years after the last version was released, showed how it was possible. check the #20 for the advisory with a PoC
from static-eval.
Related Issues (20)
- Doesn't handle var statements with multiple declarations
- Doesn't handle var statements with declarations but not initializations
- Does not support NewExpression
- Better error handling
- can't use with webpack HOT 2
- security issue HOT 10
- Cannot evaluate the result of "Date.now()" HOT 1
- What is the different with this and eval? HOT 4
- Function declaration invokes the function body HOT 3
- Sandbox Escape HOT 1
- Inheritance error with Slack Node SDK and NCC HOT 2
- High Severity Security vulnerability with package HOT 20
- Critical security vulnerability with package HOT 3
- Callback parameter needs an extra check
- Differences in `ReturnStatement` evaluations
- static-eval stable version HOT 1
- It does not evaluate functions HOT 1
- CVE in word-wrap HOT 1
- Would it be possible to use this with THREE.Vector3?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from static-eval.