
better-eval

Comparing version 1.2.3 to 1.2.4


package.json
{
"name": "better-eval",
"version": "1.2.3",
"version": "1.2.4",
"description": "🔧 An alternative to the 'eval' function in JavaScript that is faster, easier/better to use, and has less security issues.",

@@ -5,0 +5,0 @@ "main": "src/index.js",

@@ -5,3 +5,3 @@ # 🔧 better-eval

The eval function in JavaScript sucks, and there lacks alternatives that provide the same simplicity that the original eval function had. **better-eval** solves this problem by adressing the security and spped issues, while delivering the same easy-to-use API.
The eval function in JavaScript sucks, and there lacks alternatives that provide the same simplicity that the original eval function had. **better-eval** solves this problem by adressing the security and speed issues, while delivering the same easy-to-use API.

@@ -8,0 +8,0 @@ <a href="https://www.producthunt.com/posts/better-eval?utm_source=badge-featured&utm_medium=badge&utm_souce=badge-better-eval" target="_blank"><img src="https://api.producthunt.com/widgets/embed-image/v1/featured.svg?post_id=327967&theme=light" alt="better-eval - 🔧 An alternative to 'eval' that is just better! | Product Hunt" style="width: 250px; height: 54px;" width="250" height="54" /></a>

@@ -21,2 +21,3 @@ // blacklisted variables (no fn) to be passed in through vars param in betterEval

module.exports = {

@@ -23,0 +24,0 @@ blackListedVariablesNode,

@@ -5,13 +5,19 @@ /**

function clearContext() {
// nonunique variable cancel outs
// nonunique variable cancel outs (cant be pre-checked)
require = null;
module = null;
// all constructors on this
const keys = Object.getOwnPropertyNames(this).concat(["constructor"]);
// go through keys, killing bad functions
keys.forEach((key) => {
const item = this[key];
// no null
if (!item) return;
// no fn
if (typeof Object.getPrototypeOf(item).constructor === "function") {
Object.getPrototypeOf(item).constructor = undefined;
}
// no constructor fn
if (typeof item.constructor === "function") {
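Review bot: `clearContext` depends on `this` being the context's global object (`Object.getOwnPropertyNames(this)` on the `const keys` line), which only holds when the stringified function is invoked as a plain sloppy-mode call; under `"use strict"` `this` is `undefined` and that line throws a TypeError before anything is cleared. A guard such as `const ctx = this ?? globalThis;` with `ctx[key]` in the loop makes the assumption explicit and survives either mode. The bare assignments `require = null; module = null;` have the same mode sensitivity, since assigning to an undeclared identifier is a ReferenceError in strict code and silently creates a global otherwise. Because Node's `vm` documentation states that it is not a security mechanism, the header comment of this block should describe clearing `constructor` on reachable prototypes as best-effort hardening rather than isolation. The body of `clearContext` continues past the end of the hunk.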

@@ -23,4 +29,5 @@ this[key].constructor = undefined;

// convert to string so can run in vm
const insertedClearContext = `${clearContext.toString()}; clearContext()`;
module.exports = insertedClearContext;
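Review bot: The template `${clearContext.toString()}; clearContext()` emits a function declaration followed by a call, so when that string is presumably run as a script in the context, `clearContext` stays bound on the sandbox global and remains callable from the evaluated code. Emitting it as an expression instead, `(${clearContext.toString()})()`, runs it once without leaving the binding behind, and a plain call keeps sloppy-mode `this` as the global. The line also relies on `Function.prototype.toString` returning the original source text, which minifiers and coverage instrumentation can alter; a comment on the `insertedClearContext` line such as `// NOTE: must not be minified/instrumented — the source text is executed verbatim in the vm` would record that constraint.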

@@ -12,6 +12,6 @@ "use strict";

* @description takes code to execute and exexcutes it safely!
* @param {string} code - Code to be executed.
* @param {object} insertedVariables - Variables from your code to pass into the execution context. Passed in like: {variableName, variableValue}
* @param {object} vmOptions - The options for how to run the VM to execute the code (more info in vm pkg docs).
* @returns {any} if your evaluated code returns a value, then betterEval will return it to you.
* @param {string} code - code to be executed.
* @param {object} insertedVariables - variables from your code to pass into the execution context. passed in like: {variableName, variableValue}
* @param {object} vmOptions - the options for how to run the VM to execute the code (more info in vm pkg docs).
* @returns {any} if your evaluated code returns a value, then betterEval will return that.
*/
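Review bot: The retained `@description` line still reads "exexcutes it safely!", a typo the casing-only rewrite of the `@param` lines did not touch, and "safely" overstates what a `vm` context provides. Suggest `* @description takes code to execute and runs it in a separate vm context; vm is not a security boundary, so untrusted code still needs process-level isolation.` The `@param {object} insertedVariables` line documents an object, while the signature shown in the next hunk header defaults it to `null`; `{object|null}` with a sentence on what `null` means would match the code.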

@@ -45,2 +45,1 @@ function betterEval(code, insertedVariables = null, vmOptions = {}) {

module.exports = betterEval;

@@ -1,2 +0,8 @@

/** Index File - Better Eval */
/*!
* better-eval
* Copyright(c) 2022 Bharadwaj Duggaraju
* MIT Licensed
*/
"use strict";
module.exports = require("./core");

@@ -6,7 +6,22 @@ const { blackListedVariablesNode } = require("./blackList");

* @param {'local' | 'vm'} execContext
* @description parses user variables into context and prevents mal variables and objects (lv 1).
* @returns {object} sandbox context with user variables.
*/
function parseInsertedVariables(vars, sandbox) {
// all keys of passed in variables
Object.keys(vars).forEach(function (key) {
if (blackListedVariablesNode.includes(vars[key])) return;
sandbox[key] = vars[key];
if (blackListedVariablesNode.includes(vars[key])) return; // case 1: mal variable top level
if (typeof vars[key] === "object") {
// case 2: mal variable obj
Object.keys(vars[key]).forEach((k) => {
if (blackListedVariablesNode.includes(vars[key][k])) {
vars[key][k] = null;
}
});
}
/** next: nested (recursion) */
sandbox[key] = vars[key]; // add var to context if good
});
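Review bot: `typeof vars[key] === "object"` is also true for `null`, so a `null` entry in the inserted variables reaches `Object.keys(vars[key])` and throws a TypeError; change the check to `if (vars[key] !== null && typeof vars[key] === "object") {`. The nested branch then writes `vars[key][k] = null` into the caller's own object rather than a copy, a side effect the `// case 2` comment should at least state. Keys are copied onto `sandbox` without any check of the key name; if key names can be influenced by an untrusted party, a key such as `__proto__` would reset the sandbox's prototype instead of adding a property, so either skip it (`if (key === "__proto__") return;`) or create `sandbox` with `Object.create(null)`. The `@param {'local' | 'vm'} execContext` line above the signature documents a parameter the function does not take, and the closing brace of `parseInsertedVariables` lies outside the hunk.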

@@ -13,0 +28,0 @@
