FW: Proposal: safeEval

doodad-js Admin doodadjs at gmail.com
Wed Jun 20 18:26:13 UTC 2018

From: Claude Petit <petc at webmail.us>
Sent: Wednesday, June 20, 2018 2:23 PM
To: 'mikesamuel at gmail.com' <mikesamuel at gmail.com>
Cc: 'es-discuss' <es-discuss at mozilla.org>
Subject: RE: Proposal: safeEval

Thanks,

> How would this compare to https://github.com/tc39/proposal-frozen-realms ?

I was not aware of that proposal or didn’t pay attention. I think “safeEval” provides ACLs, while your proposal doesn’t.

> I'm not sure how to run @doodad-js/safeeval in node

That’s a Doodad module, and it must be loaded by Doodad before usage. Anyway, that’s not important.

> What does it do for inputs like

Sure, as I told you, that’s very incomplete. I’m just bringing the idea. But I’ll fix those issues if they are present.

Claude

From: Mike Samuel <mikesamuel at gmail.com>
Sent: Wednesday, June 20, 2018 9:51 AM
To: doodadjs at gmail.com
Cc: es-discuss <es-discuss at mozilla.org>
Subject: Re: Proposal: safeEval

How would this compare to https://github.com/tc39/proposal-frozen-realms ?

I'm not sure how to run @doodad-js/safeeval in node since require doesn't
provide obvious access to safeeval, but the code seems to do AST filtering.
What does it do for inputs like

    safeEval(' 0..constructor.constructor("alert(1)")() ')

    safeEval(' 0[x][x]`alert(1)`() ', { x: 'constructor' })

    safeEval(' 0[x][y] = null ', { x: 'prototype', y: 'toString' })

On Tue, Jun 19, 2018 at 10:29 PM doodad-js Admin <doodadjs at gmail.com> wrote:

Hi,

I take a chance to valorize “eval” again by proposing “safeEval”.

function safeEval(expression, [locals], [options]) {
    ......
};

So that you can:

safeEval("1 + a", {a: 2});    // returns 3
safeEval("1 + a()", {a: function() { return 2; }}, {allowFunctions: true});    // also returns 3

but:

safeEval("1 + a()", {a: function() { return 2; }});    // throws whatever you want because "allowFunctions" is denied

etc.

Note that local variables are specified as an argument. Also note that “options” mainly gives/denies permissions. I’m not sure if we should be whitelisting or blacklisting features there though, or a mix of default enabled and disabled ones...

Very incomplete, but as for inspiration (and very useful to me): https://www.npmjs.com/package/@doodad-js/safeeval

Claude



_______________________________________________
es-discuss mailing list
es-discuss at mozilla.org <mailto:es-discuss at mozilla.org> 
https://mail.mozilla.org/listinfo/es-discuss
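The thread contrasts two designs: a safeEval that filters the AST before handing the text to eval (which is what Mike's three probe inputs are testing), and one that grants capabilities through an ACL. The block below is an added example, not code from the proposal or from the @doodad-js/safeeval package, of the second design taken to its conclusion: a small interpreter over an arithmetic grammar that never calls eval at all. Member access, template literals and assignment are simply not in the grammar, so an expression has no path from a number literal to Function or to any prototype; identifiers resolve only to own properties of the locals object; and calls are denied unless `allowFunctions` is set, matching the proposal's examples. All function names here (tokenize, parse, evaluate, lookup, rejects) are hypothetical.

```javascript
// Added example: a safeEval that interprets a tiny expression language instead
// of filtering input for eval. Not the proposal's or @doodad-js/safeeval's code.

function tokenize(src) {
  const tokens = [];
  // number | identifier | single-character operator; sticky so we scan in order
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|([-+*\/%(),]))/y;
  let pos = 0;
  while (pos < src.length) {
    if (/^\s*$/.test(src.slice(pos))) break;         // only whitespace left
    re.lastIndex = pos;
    const m = re.exec(src);
    // Anything outside the grammar (".", "[", "`", "=", quotes) is refused here.
    if (!m) throw new SyntaxError(`safeEval: unexpected input at ${pos}: ${JSON.stringify(src.slice(pos, pos + 12))}`);
    pos = re.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'name', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

const PREC = { '+': 1, '-': 1, '*': 2, '/': 2, '%': 2 };

function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const isOp = (v) => peek() !== undefined && peek().type === 'op' && peek().value === v;
  const expect = (v) => { if (!isOp(v)) throw new SyntaxError(`safeEval: expected "${v}"`); next(); };

  function primary() {
    const t = next();
    if (t === undefined) throw new SyntaxError('safeEval: unexpected end of input');
    if (t.type === 'num') return { kind: 'num', value: t.value };
    if (t.type === 'name') {
      if (!isOp('(')) return { kind: 'name', name: t.value };
      next();                                          // call: name(arg, ...)
      const args = [];
      if (!isOp(')')) {
        args.push(expr(0));
        while (isOp(',')) { next(); args.push(expr(0)); }
      }
      expect(')');
      return { kind: 'call', name: t.value, args };
    }
    if (t.value === '(') { const e = expr(0); expect(')'); return e; }
    if (t.value === '-') return { kind: 'neg', arg: primary() };
    throw new SyntaxError(`safeEval: unexpected token "${t.value}"`);
  }

  function expr(minPrec) {                             // precedence climbing
    let left = primary();
    while (peek() !== undefined && peek().type === 'op' &&
           PREC[peek().value] !== undefined && PREC[peek().value] >= minPrec) {
      const op = next().value;
      left = { kind: 'bin', op, left, right: expr(PREC[op] + 1) };
    }
    return left;
  }

  const ast = expr(0);
  if (i !== tokens.length) throw new SyntaxError('safeEval: unexpected trailing input');
  return ast;
}

function lookup(name, locals) {
  // Own properties only: nothing is inherited from Object.prototype, so
  // "constructor", "toString", "__proto__" are not reachable through locals.
  if (!Object.prototype.hasOwnProperty.call(locals, name)) throw new ReferenceError(`safeEval: ${name} is not defined`);
  return locals[name];
}

function evaluate(node, locals, options) {
  switch (node.kind) {
    case 'num': return node.value;
    case 'neg': return -evaluate(node.arg, locals, options);
    case 'name': return lookup(node.name, locals);
    case 'call': {
      // The ACL from the proposal: calls are denied unless explicitly allowed.
      if (options.allowFunctions !== true) throw new Error(`safeEval: call to ${node.name}() denied (allowFunctions is off)`);
      const fn = lookup(node.name, locals);
      if (typeof fn !== 'function') throw new TypeError(`safeEval: ${node.name} is not a function`);
      return fn.apply(undefined, node.args.map((a) => evaluate(a, locals, options)));
    }
    default: {                                         // 'bin'
      const l = evaluate(node.left, locals, options);
      const r = evaluate(node.right, locals, options);
      switch (node.op) {
        case '+': return l + r; case '-': return l - r; case '*': return l * r;
        case '/': return l / r; default: return l % r;
      }
    }
  }
}

function safeEval(expression, locals = {}, options = {}) {
  return evaluate(parse(tokenize(String(expression))), locals, { allowFunctions: false, ...options });
}

// Name of the error class safeEval throws, or null if the input was evaluated.
function rejects(expression, locals, options) {
  try { safeEval(expression, locals, options); return null; } catch (e) { return e.constructor.name; }
}
```

With this shape, the three probe inputs from the thread fail in the tokenizer with a SyntaxError before anything is evaluated, `1 + a()` is refused with an Error until `{allowFunctions: true}` is passed, and a bare `constructor` or `toString` is a ReferenceError because the locals lookup never consults the prototype chain. The price is that the language is deliberately much smaller than JavaScript; a grammar that grows back toward member access is where the AST-filtering concerns Mike raises return.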


