Eval, literal eval, safe eval

Florian Bösch pyalot at gmail.com
Mon Dec 1 01:39:33 PST 2014


A proper solution really is a separate VM that isolates the complete
environment watertight and by default denies all interaction except for
those which have been defined as interaction points (it would also see
to it that a DoS attack with a while(1){} appropriately times out).

Anything else is really just a hack with security holes waiting to be
discovered.

On Mon, Dec 1, 2014 at 10:35 AM, Michał Wadas <michalwadas at gmail.com> wrote:

> Creating a secure implementation of eval without creating your own
> interpreter (or sophisticated operations on the AST) is almost impossible - it
> would require copying the whole environment and providing mocks for any possibly
> dangerous function.
> At least O(n^2) complexity without ES6 Map.
