Security News
The Unpaid Backbone of Open Source: Solo Maintainers Face Increasing Security Demands
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
eval-sanitizer
Advanced tools
Parsing-based sanitization package for eval.
Everybody is aware of the dangers of using eval, especially when user input is involved. Nevertheless, eval is still prevalent in the npm community. This package aims at solving this problem by sanitizing the string passed to eval.
var userInput = "23; console.log('Injection Succeded')";
var sanitiz = require("eval-sanitizer");
var safeStr = sanitiz`var x = ${userInput}`; // removes console.log call
eval(safeStr); // safe to pass to eval
This package requires ECMAScript 6 quasi-literals to mark user input in the string to be sanitized. It removes all the parts of the user input that may be harmful by enforcing one of the available policies. The dynamic part of the quasi-literal is assumed to be the user input.
A policy defines constraints on the nature of the user input. Currently there are three available policies:
Example of how the used policy may be modified:
var sanitizer = require("eval-sanitizer");
sanitizer.setPolicy(sanitizer.ONLY_LITERALS);
FAQs
Parsing-based sanitization package for eval.
The npm package eval-sanitizer receives a total of 537 weekly downloads. As such, eval-sanitizer popularity was classified as not popular.
We found that eval-sanitizer demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
Security News
License exceptions modify the terms of open source licenses, impacting how software can be used, modified, and distributed. Developers should be aware of the legal implications of these exceptions.
Security News
A developer is accusing Tencent of violating the GPL by modifying a Python utility and changing its license to BSD, highlighting the importance of copyleft compliance.