static-eval - npm Package Compare versions

Comparing version 2.0.2 to 2.0.3

index.js

@@ -104,7 +104,9 @@ var unparse = require('escodegen').generate;
             }
-            if (node.property.type === 'Identifier') {
+            if (node.property.type === 'Identifier' && !node.computed) {
+                if (isUnsafeProperty(node.property.name)) return FAIL;
                 return obj[node.property.name];
             }
             var prop = walk(node.property);
-            if (prop === FAIL) return FAIL;
+            if (prop === null || prop === FAIL) return FAIL;
+            if (isUnsafeProperty(prop)) return FAIL;
             return obj[prop];
@@ -180,1 +182,5 @@ }
 };
+
+function isUnsafeProperty(name) {
+    return name === 'constructor' || name === '__proto__';
+}

package.json

 {
   "name": "static-eval",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "description": "evaluate statically-analyzable expressions",
   "main": "index.js",
   "dependencies": {
-    "escodegen": "^1.8.1"
+    "escodegen": "^1.11.1"
   },
   "devDependencies": {
-    "esprima": "^2.7.3",
-    "tape": "^4.6.0"
+    "esprima": "^3.1.3",
+    "tape": "^4.10.1"
   },
@@ -13,0 +13,0 @@ "scripts": {

test/eval.js

@@ -82,2 +82,43 @@ var test = require('tape');
     t.equal(res, undefined);
-});
+});
+
+test('disallow accessing constructor or __proto__', function (t) {
+    t.plan(4)
+
+    var someValue = {};
+
+    var src = 'object.constructor';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, { vars: { object: someValue } });
+    t.equal(res, undefined);
+
+    var src = 'object["constructor"]';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, { vars: { object: someValue } });
+    t.equal(res, undefined);
+
+    var src = 'object.__proto__';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, { vars: { object: someValue } });
+    t.equal(res, undefined);
+
+    var src = 'object["__pro"+"t\x6f__"]';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, { vars: { object: someValue } });
+    t.equal(res, undefined);
+});
+
+
+test('constructor at runtime only', function(t) {
+    t.plan(2)
+
+    var src = '(function myTag(y){return ""[!y?"__proto__":"constructor"][y]})("constructor")("console.log(process.env)")()'
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast);
+    t.equal(res, undefined);
+
+    var src = '(function(prop) { return {}[prop ? "benign" : "constructor"][prop] })("constructor")("alert(1)")()'
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast);
+    t.equal(res, undefined);
+});

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

16049

increased by11.78%

Lines of code

324

increased by12.89%

Number of medium supply chain risk alerts

1

decreased by-50%

Dependency changes

• Updatedescodegen@^1.11.1