Proposal: safeEval

Mike Samuel mikesamuel at gmail.com
Wed Jun 20 13:51:26 UTC 2018


How would this compare to https://github.com/tc39/proposal-frozen-realms ?

I'm not sure how to run @doodad-js/safeeval in node since require doesn't
provide obvious access to safeeval, but the code seems to do AST filtering.
What does it do for inputs like

    safeEval(' 0..constructor.constructor("alert(1)")() ')
    safeEval(' 0[x][x]`alert(1)`() ', { x: 'constructor' })
    safeEval(' 0[x][y] = null ', { x: 'prototype', y: 'toString' })



On Tue, Jun 19, 2018 at 10:29 PM doodad-js Admin <doodadjs at gmail.com> wrote:

> Hi,
>
> I take a chance to valorize “eval” again by proposing “safeEval”.
>
> function safeEval(expression, [locals], [options]) {
>                 ......
> };
>
> So that you can:
>
> safeEval("1 + a", {a: 2});    // returns "3"
> safeEval("1 + a()", {a: function() {return 2}}, {allowFunctions: true});    // also returns "3"
>
> but:
>
> safeEval("1 + a()", {a: function() { return 2}});    // throws whatever you want because "allowFunctions" is denied
>
> etc.
>
> Note that local variables are specified in argument. Also note that
> “options” mainly gives/denies permissions. I’m not sure if we should be
> whitelisting or blacklisting features there though, or a mix of default
> enabled and disabled ones...
>
> Very incomplete, but as for inspiration (and very useful to me):
> https://www.npmjs.com/package/@doodad-js/safeeval
>
> Claude
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
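The thread raises two points that a small worked example makes concrete: Mike's question of what an AST-filtering safeEval does with inputs that reach `Function` through the prototype chain or through computed member access, and Claude's open question of whether `options` should whitelist or blacklist features. The code below is an added example, not the proposal's code and not the `@doodad-js/safeeval` package; it takes the whitelist route to its conclusion by parsing a tiny expression grammar (numbers, string literals, identifiers, `+ - * /`, parentheses, and calls when `allowFunctions` is set) and interpreting it directly, so the input string is never handed to `eval()` or `Function()`. The grammar, the error types and the helper `rejectedWith` are this example's own choices.

```javascript
'use strict';

// Whitelist-style safeEval (added example, not the proposal's or
// @doodad-js/safeeval's code). The expression is parsed into a tiny grammar
// and interpreted here; '.', '[', '`' and '=' are not tokens of this
// language, so there is no JavaScript object graph to climb.

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (/\s/.test(ch)) { i++; continue; }
    if (/[0-9]/.test(ch)) {
      let j = i;
      while (j < src.length && /[0-9.]/.test(src[j])) j++;
      const text = src.slice(i, j);
      // "0.." (the start of 0..constructor) is not a numeric literal here
      if (!/^\d+(\.\d+)?$/.test(text)) throw new SyntaxError('bad number: ' + text);
      tokens.push({ type: 'num', value: Number(text) });
      i = j; continue;
    }
    if (/[A-Za-z_$]/.test(ch)) {
      let j = i;
      while (j < src.length && /[\w$]/.test(src[j])) j++;
      tokens.push({ type: 'id', value: src.slice(i, j) });
      i = j; continue;
    }
    if (ch === '"' || ch === "'") {
      // plain string literal; escape sequences are deliberately not supported
      const j = src.indexOf(ch, i + 1);
      if (j < 0) throw new SyntaxError('unterminated string');
      tokens.push({ type: 'str', value: src.slice(i + 1, j) });
      i = j + 1; continue;
    }
    if ('+-*/(),'.includes(ch)) { tokens.push({ type: 'op', value: ch }); i++; continue; }
    // member access, brackets, template literals, assignment: rejected, not filtered
    throw new SyntaxError('unsupported character: ' + ch);
  }
  return tokens;
}

function safeEval(expression, locals = {}, options = {}) {
  const allowFunctions = options.allowFunctions === true;
  const tokens = tokenize(String(expression));
  let pos = 0;
  const peekOp = (...ops) => Boolean(tokens[pos]) && tokens[pos].type === 'op' && ops.includes(tokens[pos].value);
  const expectOp = (op) => { if (!peekOp(op)) throw new SyntaxError('expected ' + op); pos++; };

  function parseExpr() {            // expr := term (('+' | '-') term)*
    let left = parseTerm();
    while (peekOp('+', '-')) {
      const op = tokens[pos++].value;
      const right = parseTerm();
      left = op === '+' ? left + right : left - right;
    }
    return left;
  }
  function parseTerm() {            // term := unary (('*' | '/') unary)*
    let left = parseUnary();
    while (peekOp('*', '/')) {
      const op = tokens[pos++].value;
      const right = parseUnary();
      left = op === '*' ? left * right : left / right;
    }
    return left;
  }
  function parseUnary() {           // unary := '-' primary | primary
    if (peekOp('-')) { pos++; return -parsePrimary(); }
    return parsePrimary();
  }
  function parsePrimary() {         // primary := num | str | '(' expr ')' | id | id '(' args ')'
    const t = tokens[pos];
    if (!t) throw new SyntaxError('unexpected end of input');
    if (t.type === 'num' || t.type === 'str') { pos++; return t.value; }
    if (peekOp('(')) { pos++; const v = parseExpr(); expectOp(')'); return v; }
    if (t.type === 'id') {
      pos++;
      // own properties only: names living on Object.prototype (constructor,
      // toString, ...) are not reachable through the locals bag
      if (!Object.prototype.hasOwnProperty.call(locals, t.value)) {
        throw new ReferenceError(t.value + ' is not defined');
      }
      const value = locals[t.value];
      if (!peekOp('(')) return value;
      if (!allowFunctions) throw new Error('allowFunctions is denied');
      if (typeof value !== 'function') throw new TypeError(t.value + ' is not a function');
      pos++;
      const args = [];
      if (!peekOp(')')) {
        args.push(parseExpr());
        while (peekOp(',')) { pos++; args.push(parseExpr()); }
      }
      expectOp(')');
      return value.apply(undefined, args); // called without a `this`
    }
    throw new SyntaxError('unexpected ' + t.value);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new SyntaxError('unexpected ' + tokens[pos].value);
  return result;
}

// Returns the name of the error an expression raises, or null if it evaluates.
function rejectedWith(expression, locals, options) {
  try { safeEval(expression, locals, options); return null; } catch (e) { return e.name; }
}

// The inputs from the thread, used here as constructed test data:
console.log(safeEval('1 + a', { a: 2 }));                                          // 3
console.log(safeEval('1 + a()', { a: () => 2 }, { allowFunctions: true }));       // 3
console.log(rejectedWith('1 + a()', { a: () => 2 }));                             // Error
console.log(rejectedWith(' 0..constructor.constructor("alert(1)")() '));          // SyntaxError
console.log(rejectedWith(' 0[x][x]`alert(1)`() ', { x: 'constructor' }));          // SyntaxError
console.log(rejectedWith(' 0[x][y] = null ', { x: 'prototype', y: 'toString' })); // SyntaxError
```

The design point is that nothing here decides whether a JavaScript construct is dangerous; the evaluator only knows the constructs it was given, so the three inputs above fail as parse errors before any value exists, and a local named `constructor` resolves only if the caller actually put an own property of that name in `locals`. Extending the language means adding a production, which is the whitelist model Claude's message asks about.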