cloudscraper - npm Package Compare versions

Comparing version 4.1.0 to 4.1.1

CHANGELOG.md

 ## Change Log
+### 4.1.1 (11/05/2019)
+- Improve CF challenge security by nullifying VM context's prototype chain.
 
@@ -3,0 +5,0 @@ ### v4.1.0 (02/05/2019)

lib/sandbox.js

@@ -12,6 +12,36 @@ 'use strict';
 
+const VM_ENV = `
+  (function (global) {
+    const cache = Object.create(null);
+    const keys = [];
+    const { body, href } = global;
+    
+    Object.defineProperties(global, {
+      document: {
+        value: {
+          createElement: function () {
+            return { firstChild: { href: href } };
+          },
+          getElementById: function (id) {
+            if (keys.indexOf(id) === -1) {
+              const re = new RegExp(' id=[\\'"]?' + id + '[^>]*>([^<]*)');
+              const match = body.match(re);
+      
+              keys.push(id);
+              cache[id] = match === null ? match : { innerHTML: match[1] };
+            }
+      
+            return cache[id];
+          }
+        }
+      },
+      location: { value: { reload: function () {} } }  
+    })
+  }(this));
+`;
+
 module.exports = { eval: evaluate, Context };
 
 function evaluate (code, ctx) {
-  return vm.runInNewContext(code, ctx, VM_OPTIONS);
+  return vm.runInNewContext(VM_ENV + code, ctx, VM_OPTIONS);
 }
@@ -23,30 +53,13 @@
 
-  const body = options.body;
-  const href = 'http://' + options.hostname + '/';
-  const cache = Object.create(null);
-  const keys = [];
+  const atob = Object.setPrototypeOf(function (str) {
+    try {
+      return Buffer.from(str, 'base64').toString('binary');
+    } catch (e) {}
+  }, null);
 
-  this.atob = function (str) {
-    return Buffer.from(str, 'base64').toString('binary');
-  };
-
-  // Used for eval during onRedirectChallenge
-  this.location = { reload: function () {} };
-
-  this.document = {
-    createElement: function () {
-      return { firstChild: { href: href } };
-    },
-    getElementById: function (id) {
-      if (keys.indexOf(id) === -1) {
-        const re = new RegExp(' id=[\'"]?' + id + '[^>]*>([^<]*)');
-        const match = body.match(re);
-
-        keys.push(id);
-        cache[id] = match === null ? match : { innerHTML: match[1] };
-      }
-
-      return cache[id];
-    }
-  };
+  return Object.setPrototypeOf({
+    body: options.body,
+    href: 'http://' + options.hostname + '/',
+    atob
+  }, null);
 }

package.json

 {
   "name": "cloudscraper",
-  "version": "4.1.0",
+  "version": "4.1.1",
   "description": "Bypasses cloudflare's anti-ddos page",
   "main": "index.js",
   "engines": {
-    "node": ">=6"
+    "node": ">=8"
   },
@@ -51,3 +51,3 @@ "files": [
     "eslint-plugin-json": "^1.4.0",
-    "eslint-plugin-node": "^8.0.1",
+    "eslint-plugin-node": "^9.0.1",
     "eslint-plugin-promise": "^4.0.1",
@@ -54,0 +54,0 @@ "eslint-plugin-standard": "^4.0.0",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

76540

increased by0.57%

Lines of code

1029

increased by1.28%

No dependency changes