safer-eval
Comparing version 1.3.0 to 1.3.1
@@ -9,2 +9,9 @@ 'use strict'; | ||
exports.hasGlobal = hasGlobal; | ||
var NON_IDENTIFIER = /^\d|-|^(break|case|catch|continue|debugger|default|delete|do|else|finally|for|function|if|in|instanceof|new|return|switch|this|throw|try|typeof|var|void|while|with|class|const|enum|export|extends|import|super|implements|interface|let|package|private|protected|public|static|yield|null|true|false)$/; | ||
var isIdentifier = function isIdentifier(key) { | ||
return !NON_IDENTIFIER.test(key); | ||
}; | ||
exports.isIdentifier = isIdentifier; | ||
/** | ||
@@ -28,10 +35,16 @@ * create a fresh context where nearly nothing is allowed | ||
eval: undefined, | ||
Function: undefined // locally define all potential global vars | ||
Function: undefined | ||
}; | ||
var fillContext = function fillContext(root) { | ||
Object.keys(root).forEach(function (key) { | ||
if (isIdentifier(key)) { | ||
context[key] = undefined; | ||
} | ||
}); | ||
}; // locally define all potential global vars | ||
if (hasGlobal) { | ||
Object.keys(global).forEach(function (key) { | ||
context[key] = undefined; | ||
}); | ||
fillContext(global); | ||
cloneFunctions(context); | ||
@@ -43,5 +56,3 @@ context.Buffer = _protect('Buffer'); | ||
if (hasWindow) { | ||
Object.keys(window).forEach(function (key) { | ||
context[key] = undefined; | ||
}); | ||
fillContext(window, true); | ||
cloneFunctions(context); | ||
@@ -64,3 +75,5 @@ protectBuiltInObjects(context); | ||
Object.keys(context || {}).forEach(function (key) { | ||
newContext[key] = context[key]; // this is harmful - objects can be overwritten | ||
if (isIdentifier(key)) { | ||
newContext[key] = context[key]; // this is harmful - objects can be overwritten | ||
} | ||
}); | ||
@@ -67,0 +80,0 @@ }; |
{ | ||
"name": "safer-eval", | ||
"version": "1.3.0", | ||
"version": "1.3.1", | ||
"description": "a safer eval", | ||
@@ -50,3 +50,3 @@ "keywords": [ | ||
"eslint-plugin-standard": "^4.0.0", | ||
"karma": "^3.1.4", | ||
"karma": "^4.0.0", | ||
"karma-chrome-launcher": "^2.0.0", | ||
@@ -59,3 +59,3 @@ "karma-coverage": "^1.1.1", | ||
"karma-webpack": "^3.0.5", | ||
"mocha": "^5.2.0", | ||
"mocha": "^6.0.2", | ||
"nyc": "^13.1.0", | ||
@@ -62,0 +62,0 @@ "rimraf": "^2.5.4", |
@@ -11,2 +11,7 @@ 'use strict' | ||
const NON_IDENTIFIER = /^\d|-|^(break|case|catch|continue|debugger|default|delete|do|else|finally|for|function|if|in|instanceof|new|return|switch|this|throw|try|typeof|var|void|while|with|class|const|enum|export|extends|import|super|implements|interface|let|package|private|protected|public|static|yield|null|true|false)$/ | ||
const isIdentifier = key => !NON_IDENTIFIER.test(key) | ||
exports.isIdentifier = isIdentifier | ||
/** | ||
@@ -32,7 +37,13 @@ * create a fresh context where nearly nothing is allowed | ||
const fillContext = (root) => { | ||
Object.keys(root).forEach(key => { | ||
if (isIdentifier(key)) { | ||
context[key] = undefined | ||
} | ||
}) | ||
} | ||
// locally define all potential global vars | ||
if (hasGlobal) { | ||
Object.keys(global).forEach(function (key) { | ||
context[key] = undefined | ||
}) | ||
fillContext(global) | ||
cloneFunctions(context) | ||
@@ -43,6 +54,3 @@ context.Buffer = _protect('Buffer') | ||
if (hasWindow) { | ||
Object.keys(window).forEach(function (key) { | ||
context[key] = undefined | ||
}) | ||
fillContext(window, true) | ||
cloneFunctions(context) | ||
@@ -62,4 +70,6 @@ protectBuiltInObjects(context) | ||
exports.allow = function (context, newContext) { | ||
Object.keys(context || {}).forEach(function (key) { | ||
newContext[key] = context[key] // this is harmful - objects can be overwritten | ||
Object.keys(context || {}).forEach(key => { | ||
if (isIdentifier(key)) { | ||
newContext[key] = context[key] // this is harmful - objects can be overwritten | ||
} | ||
}) | ||
@@ -66,0 +76,0 @@ } |
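Review bot: `NON_IDENTIFIER` in the first hunk of this file is a denylist, so `isIdentifier` still returns true for keys that are not valid identifiers: it rejects only a leading digit, a hyphen anywhere, or an exact reserved word, and a key containing a space, dot, quote, semicolon or parenthesis passes. `fillContext` and `exports.allow` both rely on it to decide which keys enter the context. If those keys are later written into generated source (not visible in this diff), the filter should match the identifier grammar positively, for example `const isIdentifier = key => /^[A-Za-z_$][\w$]*$/.test(key) && !NON_IDENTIFIER.test(key)`; that pattern is ASCII-only, which errs on the strict side. Separately, `fillContext(window, true)` passes a second argument that `fillContext(root)` never reads, and `allow` now drops rejected keys silently, which deserves a line in its doc comment. The first file section on the page looks like the transpiled copy of these hunks and carries the same points.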