static-eval
Comparing version 2.0.5 to 2.1.0
@@ -5,2 +5,7 @@ # static-eval Change Log | ||
## 2.1.0 | ||
* Add `allowAccessToMethodsOnFunctions` option to restore 1.x behaviour so that [cwise](https://github.com/scijs/cwise) can upgrade. ([@archmoj](https://github.com/archmoj) in [#31](https://github.com/browserify/static-eval/pull/31)) | ||
Do not use this option if you are not sure that you need it, as it had previously been removed for security reasons. There is a known exploit to execute arbitrary code. Only use it on trusted inputs, like the developer's JS files in a build system. | ||
## 2.0.5 | ||
@@ -7,0 +12,0 @@ * Fix function bodies being invoked during declaration. ([@RoboPhred](https://github.com/RoboPhred) in [#30](https://github.com/browserify/static-eval/pull/30)) |
index.js
var unparse = require('escodegen').generate; | ||
module.exports = function (ast, vars) { | ||
module.exports = function (ast, vars, opts) { | ||
if(!opts) opts = {}; | ||
var rejectAccessToMethodsOnFunctions = !opts.allowAccessToMethodsOnFunctions; | ||
if (!vars) vars = {}; | ||
var FAIL = {}; | ||
var result = (function walk (node, noExecute) { | ||
@@ -66,3 +69,3 @@ if (node.type === 'Literal') { | ||
if (r === FAIL) return FAIL; | ||
if (op === '==') return l == r; | ||
@@ -84,3 +87,3 @@ if (op === '===') return l === r; | ||
if (op === '^') return l ^ r; | ||
return FAIL; | ||
@@ -105,3 +108,3 @@ } | ||
var ctx = node.callee.object ? walk(node.callee.object, noExecute) : FAIL; | ||
@@ -125,4 +128,5 @@ if (ctx === FAIL) ctx = null; | ||
var obj = walk(node.object, noExecute); | ||
// do not allow access to methods on Function | ||
if((obj === FAIL) || (typeof obj == 'function')){ | ||
if((obj === FAIL) || ( | ||
(typeof obj == 'function') && rejectAccessToMethodsOnFunctions | ||
)){ | ||
return FAIL; | ||
@@ -154,3 +158,3 @@ } | ||
var bodies = node.body.body; | ||
// Create a "scope" for our arguments | ||
@@ -176,3 +180,3 @@ var oldVars = {}; | ||
vars = oldVars; | ||
var keys = Object.keys(vars); | ||
@@ -205,3 +209,3 @@ var vals = keys.map(function(key) { | ||
})(ast); | ||
return result === FAIL ? undefined : result; | ||
@@ -208,0 +212,0 @@ }; |
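Review bot: The flag computed on line 16, `rejectAccessToMethodsOnFunctions`, is the only thing that decides whether the `MemberExpression` guard on lines 32–34 rejects property access on function values, and the code gives no hint that switching it off reopens the arbitrary-code-execution path the changelog in this same release warns about. I would put that warning where the option is read: `// SECURITY: allowAccessToMethodsOnFunctions disables the Function-member guard in MemberExpression; known arbitrary-code-execution vector, never enable on untrusted input.` The flag is also read by plain truthiness, so any truthy value (an options object handed in the wrong position, a non-empty string) silently enables it; `var rejectAccessToMethodsOnFunctions = opts.allowAccessToMethodsOnFunctions !== true;` would require an explicit opt-in. The exported function's body runs past the end of this section, so I have not checked whether other node types expose function values that this guard does not cover.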
{ | ||
"name": "static-eval", | ||
"version": "2.0.5", | ||
"description": "evaluate statically-analyzable expressions", | ||
"main": "index.js", | ||
"dependencies": { | ||
"escodegen": "^1.11.1" | ||
}, | ||
"devDependencies": { | ||
"esprima": "^3.1.3", | ||
"tape": "^4.10.1" | ||
}, | ||
"scripts": { | ||
"test": "tape test/*.js" | ||
}, | ||
"testling": { | ||
"files": "test/*.js", | ||
"browsers": [ | ||
"ie/8..latest", | ||
"ff/latest", | ||
"chrome/latest", | ||
"opera/latest", | ||
"safari/latest" | ||
] | ||
}, | ||
"repository": { | ||
"type": "git", | ||
"url": "git://github.com/browserify/static-eval.git" | ||
}, | ||
"homepage": "https://github.com/browserify/static-eval", | ||
"keywords": [ | ||
"static", | ||
"eval", | ||
"expression", | ||
"esprima", | ||
"ast", | ||
"abstract", | ||
"syntax", | ||
"tree", | ||
"analysis" | ||
], | ||
"author": { | ||
"name": "James Halliday", | ||
"email": "mail@substack.net", | ||
"url": "http://substack.net" | ||
}, | ||
"license": "MIT" | ||
"name": "static-eval", | ||
"version": "2.1.0", | ||
"description": "evaluate statically-analyzable expressions", | ||
"main": "index.js", | ||
"dependencies": { | ||
"escodegen": "^1.11.1" | ||
}, | ||
"devDependencies": { | ||
"esprima": "^3.1.3", | ||
"tape": "^4.10.1" | ||
}, | ||
"scripts": { | ||
"test": "tape test/*.js" | ||
}, | ||
"testling": { | ||
"files": "test/*.js", | ||
"browsers": [ | ||
"ie/8..latest", | ||
"ff/latest", | ||
"chrome/latest", | ||
"opera/latest", | ||
"safari/latest" | ||
] | ||
}, | ||
"repository": { | ||
"type": "git", | ||
"url": "git://github.com/browserify/static-eval.git" | ||
}, | ||
"homepage": "https://github.com/browserify/static-eval", | ||
"keywords": [ | ||
"static", | ||
"eval", | ||
"expression", | ||
"esprima", | ||
"ast", | ||
"abstract", | ||
"syntax", | ||
"tree", | ||
"analysis" | ||
], | ||
"author": { | ||
"name": "James Halliday", | ||
"email": "mail@substack.net", | ||
"url": "http://substack.net" | ||
}, | ||
"license": "MIT" | ||
} |