JavaScript expression parsing and evaluation.

Powered by jsep.

Install:

npm install --save expression-eval

Import:

// ES6
import { parse, eval } from 'expression-eval';
// CommonJS
const { parse, eval } = require('expression-eval');
// UMD / standalone script
const { parse, eval } = window.expressionEval;

import { parse } from 'expression-eval';
const ast = parse('1 + foo');

The result of the parse is an AST (abstract syntax tree), like:

{
  "type": "BinaryExpression",
  "operator": "+",
  "left": {
    "type": "Literal",
    "value": 1,
    "raw": "1"
  },
  "right": {
    "type": "Identifier",
    "name": "foo"
  }
}

import { parse, eval } from 'expression-eval';
const ast = parse('a + b / c'); // abstract syntax tree (AST)
const value = eval(ast, {a: 2, b: 2, c: 5}); // 2.4

Alternatively, use evalAsync for asynchronous evaluation.

import { compile } from 'expression-eval';
const fn = compile('foo.bar + 10');
fn({foo: {bar: 'baz'}}); // 'baz10'

Alternatively, use compileAsync for asynchronous compilation.

Although this package does avoid the use of eval(), it cannot guarantee that user-provided expressions, or user-provided inputs to evaluation, will not modify the state or behavior of your application. Always use caution when combining user input and dynamic evaluation, and avoid it where possible.

For example:

const ast = expr.parse('foo[bar](baz)()');
expr.eval(ast, {
  foo: String,
  bar: 'constructor',
  baz: 'console.log("im in ur logs");'
});
// Prints: "im in ur logs"

The kinds of expressions that can expose vulnerabilities can be more subtle than this, and are sometimes possible even in cases where users only provide primitive values as inputs to pre-defined expressions.

MIT License.