Security News
Highlights from the 2024 Rails Community Survey
A record 2,709 developers participated in the 2024 Ruby on Rails Community Survey, revealing key tools, practices, and trends shaping the Rails ecosystem.
Evalulate javascript like the built-in javascript eval()
method but safely.
This module uses esprima to parse the javascript AST then walks each node and evaluates the result.
Like built-in eval
, the result of the last expression will be returned. Unlike built-in, there is no access to global objects, only the context that is passed in as the second object.
Built in types such as Object
and String
are still available, but they are wrapped so that any changes to prototypes are contained in the eval instance.
var safeEval = require('notevil')
// basic math
var result = safeEval('1+2+3')
console.log(result) // 6
// context and functions
var result = safeEval('1+f(2,3)+x', {
x: 100,
f: function(a,b){
return a*b
}
})
console.log(result) // 107
// multiple statements, variables and if statements
var result = safeEval('var x = 100, y = 200; if (x > y) { "cats" } else { "dogs" }')
console.log(result) // dogs
// inner functions
var result = safeEval('[1,2,3,4].map(function(item){ return item*100 })')
console.log(result) // [100, 200, 300, 400]
var context = { x: 1, obj: {y: 2} }
// update context global
safeEval('x = 300', context)
console.log(context.x) // 300
// update property on object
safeEval('obj.y = 300', context)
console.log(context.obj.y) // 300
var func = safeEval.Function('param', 'return param * 100')
var result = func(2)
console.log(result) // 200
A .trace
property is available on error objects generated by code running inside of the sandbox. It contains an array containing the esprima node stack which has a loc
property, allowing you to get the line and column where the error occurred.
try {
safeEval('throw "some error"')
} catch (ex) {
ex.trace //=> [...esprimaAstTrace]
ex.trace[0].loc.start.line //=> 1
}
FAQs
Evalulate javascript like the built-in eval() method but safely
We found that notevil demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A record 2,709 developers participated in the 2024 Ruby on Rails Community Survey, revealing key tools, practices, and trends shaping the Rails ecosystem.
Security News
In 2023, data breaches surged 78% from zero-day and supply chain attacks, but developers are still buried under alerts that are unable to prevent these threats.
Security News
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.