safer-eval - npm Package Compare versions

Comparing version 1.3.0 to 1.3.1

lib/common.js

@@ -9,2 +9,9 @@ 'use strict';
 exports.hasGlobal = hasGlobal;
+var NON_IDENTIFIER = /^\d|-|^(break|case|catch|continue|debugger|default|delete|do|else|finally|for|function|if|in|instanceof|new|return|switch|this|throw|try|typeof|var|void|while|with|class|const|enum|export|extends|import|super|implements|interface|let|package|private|protected|public|static|yield|null|true|false)$/;
+
+var isIdentifier = function isIdentifier(key) {
+  return !NON_IDENTIFIER.test(key);
+};
+
+exports.isIdentifier = isIdentifier;
 /**
@@ -28,10 +35,16 @@ * create a fresh context where nearly nothing is allowed
     eval: undefined,
-    Function: undefined // locally define all potential global vars
-
+    Function: undefined
   };
 
+  var fillContext = function fillContext(root) {
+    Object.keys(root).forEach(function (key) {
+      if (isIdentifier(key)) {
+        context[key] = undefined;
+      }
+    });
+  }; // locally define all potential global vars
+
+
   if (hasGlobal) {
-    Object.keys(global).forEach(function (key) {
-      context[key] = undefined;
-    });
+    fillContext(global);
     cloneFunctions(context);
@@ -43,5 +56,3 @@ context.Buffer = _protect('Buffer');
   if (hasWindow) {
-    Object.keys(window).forEach(function (key) {
-      context[key] = undefined;
-    });
+    fillContext(window, true);
     cloneFunctions(context);
@@ -64,3 +75,5 @@ protectBuiltInObjects(context);
   Object.keys(context || {}).forEach(function (key) {
-    newContext[key] = context[key]; // this is harmful - objects can be overwritten
+    if (isIdentifier(key)) {
+      newContext[key] = context[key]; // this is harmful - objects can be overwritten
+    }
   });
@@ -67,0 +80,0 @@ };

package.json

 {
   "name": "safer-eval",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "a safer eval",
@@ -50,3 +50,3 @@ "keywords": [
     "eslint-plugin-standard": "^4.0.0",
-    "karma": "^3.1.4",
+    "karma": "^4.0.0",
     "karma-chrome-launcher": "^2.0.0",
@@ -59,3 +59,3 @@ "karma-coverage": "^1.1.1",
     "karma-webpack": "^3.0.5",
-    "mocha": "^5.2.0",
+    "mocha": "^6.0.2",
     "nyc": "^13.1.0",
@@ -62,0 +62,0 @@ "rimraf": "^2.5.4",

src/common.js

@@ -11,2 +11,7 @@ 'use strict'
 
+const NON_IDENTIFIER = /^\d|-|^(break|case|catch|continue|debugger|default|delete|do|else|finally|for|function|if|in|instanceof|new|return|switch|this|throw|try|typeof|var|void|while|with|class|const|enum|export|extends|import|super|implements|interface|let|package|private|protected|public|static|yield|null|true|false)$/
+
+const isIdentifier = key => !NON_IDENTIFIER.test(key)
+exports.isIdentifier = isIdentifier
+
 /**
@@ -32,7 +37,13 @@ * create a fresh context where nearly nothing is allowed
 
+  const fillContext = (root) => {
+    Object.keys(root).forEach(key => {
+      if (isIdentifier(key)) {
+        context[key] = undefined
+      }
+    })
+  }
+
   // locally define all potential global vars
   if (hasGlobal) {
-    Object.keys(global).forEach(function (key) {
-      context[key] = undefined
-    })
+    fillContext(global)
     cloneFunctions(context)
@@ -43,6 +54,3 @@ context.Buffer = _protect('Buffer')
   if (hasWindow) {
-    Object.keys(window).forEach(function (key) {
-      context[key] = undefined
-    })
-
+    fillContext(window, true)
     cloneFunctions(context)
@@ -62,4 +70,6 @@ protectBuiltInObjects(context)
 exports.allow = function (context, newContext) {
-  Object.keys(context || {}).forEach(function (key) {
-    newContext[key] = context[key] // this is harmful - objects can be overwritten
+  Object.keys(context || {}).forEach(key => {
+    if (isIdentifier(key)) {
+      newContext[key] = context[key] // this is harmful - objects can be overwritten
+    }
   })
@@ -66,0 +76,0 @@ }

No alert changes

Improved metrics

Total package byte prevSize

24808

increased by4.31%

Lines of code

589

increased by3.51%

No dependency changes