Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
notevil
Advanced tools
Readme
Evalulate javascript like the built-in javascript eval()
method but safely.
This module uses esprima to parse the javascript AST then walks each node and evaluates the result.
Like built-in eval
, the result of the last expression will be returned. Unlike built-in, there is no access to global objects, only the context that is passed in as the second object.
Built in types such as Object
and String
are still available, but they are wrapped so that any changes to prototypes are contained in the eval instance.
var safeEval = require('notevil')
// basic math
var result = safeEval('1+2+3')
console.log(result) // 6
// context and functions
var result = safeEval('1+f(2,3)+x', {
x: 100,
f: function(a,b){
return a*b
}
})
console.log(result) // 107
// multiple statements, variables and if statements
var result = safeEval('var x = 100, y = 200; if (x > y) { "cats" } else { "dogs" }')
console.log(result) // dogs
// inner functions
var result = safeEval('[1,2,3,4].map(function(item){ return item*100 })')
console.log(result) // [100, 200, 300, 400]
var context = { x: 1, obj: {y: 2} }
// update context global
safeEval('x = 300', context)
console.log(context.x) // 300
// update property on object
safeEval('obj.y = 300', context)
console.log(context.obj.y) // 300
var func = safeEval.Function('param', 'return param * 100')
var result = func(2)
console.log(result) // 200
A .trace
property is available on error objects generated by code running inside of the sandbox. It contains an array containing the esprima node stack which has a loc
property, allowing you to get the line and column where the error occurred.
try {
safeEval('throw "some error"')
} catch (ex) {
ex.trace //=> [...esprimaAstTrace]
ex.trace[0].loc.start.line //=> 1
}
FAQs
Evalulate javascript like the built-in eval() method but safely
The npm package notevil receives a total of 6,799 weekly downloads. As such, notevil popularity was classified as popular.
We found that notevil demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
Security News
OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.