🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

static-eval

Package Overview
Dependencies
Maintainers
41
Versions
19
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

static-eval - npm Package Compare versions

Comparing version

2.0.2
to
2.0.3

10

index.js

@@ -104,7 +104,9 @@ var unparse = require('escodegen').generate;

}
if (node.property.type === 'Identifier') {
if (node.property.type === 'Identifier' && !node.computed) {
if (isUnsafeProperty(node.property.name)) return FAIL;
return obj[node.property.name];
}
var prop = walk(node.property);
if (prop === FAIL) return FAIL;
if (prop === null || prop === FAIL) return FAIL;
if (isUnsafeProperty(prop)) return FAIL;
return obj[prop];

@@ -180,1 +182,5 @@ }

};
function isUnsafeProperty(name) {
return name === 'constructor' || name === '__proto__';
}

8

package.json
{
"name": "static-eval",
"version": "2.0.2",
"version": "2.0.3",
"description": "evaluate statically-analyzable expressions",
"main": "index.js",
"dependencies": {
"escodegen": "^1.8.1"
"escodegen": "^1.11.1"
},
"devDependencies": {
"esprima": "^2.7.3",
"tape": "^4.6.0"
"esprima": "^3.1.3",
"tape": "^4.10.1"
},

@@ -13,0 +13,0 @@ "scripts": {

43

test/eval.js

@@ -82,2 +82,43 @@ var test = require('tape');

t.equal(res, undefined);
});
});
test('disallow accessing constructor or __proto__', function (t) {
t.plan(4)
var someValue = {};
var src = 'object.constructor';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, { vars: { object: someValue } });
t.equal(res, undefined);
var src = 'object["constructor"]';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, { vars: { object: someValue } });
t.equal(res, undefined);
var src = 'object.__proto__';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, { vars: { object: someValue } });
t.equal(res, undefined);
var src = 'object["__pro"+"t\x6f__"]';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, { vars: { object: someValue } });
t.equal(res, undefined);
});
test('constructor at runtime only', function(t) {
t.plan(2)
var src = '(function myTag(y){return ""[!y?"__proto__":"constructor"][y]})("constructor")("console.log(process.env)")()'
var ast = parse(src).body[0].expression;
var res = evaluate(ast);
t.equal(res, undefined);
var src = '(function(prop) { return {}[prop ? "benign" : "constructor"][prop] })("constructor")("alert(1)")()'
var ast = parse(src).body[0].expression;
var res = evaluate(ast);
t.equal(res, undefined);
});
.travis.yml

Sorry, the diff of this file is not supported yet

LICENSE

Sorry, the diff of this file is not supported yet