
static-eval


static-eval - npm Package Compare versions

Comparing version 2.0.5 to 2.1.0

5

CHANGELOG.md

@@ -5,2 +5,7 @@ # static-eval Change Log

## 2.1.0
* Add `allowAccessToMethodsOnFunctions` option to restore 1.x behaviour so that [cwise](https://github.com/scijs/cwise) can upgrade. ([@archmoj](https://github.com/archmoj) in [#31](https://github.com/browserify/static-eval/pull/31))
Do not use this option if you are not sure that you need it, as it had previously been removed for security reasons. There is a known exploit to execute arbitrary code. Only use it on trusted inputs, like the developer's JS files in a build system.
## 2.0.5

@@ -7,0 +12,0 @@ * Fix function bodies being invoked during declaration. ([@RoboPhred](https://github.com/RoboPhred) in [#30](https://github.com/browserify/static-eval/pull/30))

24

index.js
var unparse = require('escodegen').generate;
module.exports = function (ast, vars) {
module.exports = function (ast, vars, opts) {
if(!opts) opts = {};
var rejectAccessToMethodsOnFunctions = !opts.allowAccessToMethodsOnFunctions;
if (!vars) vars = {};
var FAIL = {};
var result = (function walk (node, noExecute) {

@@ -66,3 +69,3 @@ if (node.type === 'Literal') {

if (r === FAIL) return FAIL;
if (op === '==') return l == r;

@@ -84,3 +87,3 @@ if (op === '===') return l === r;

if (op === '^') return l ^ r;
return FAIL;

@@ -105,3 +108,3 @@ }

var ctx = node.callee.object ? walk(node.callee.object, noExecute) : FAIL;

@@ -125,4 +128,5 @@ if (ctx === FAIL) ctx = null;

var obj = walk(node.object, noExecute);
// do not allow access to methods on Function
if((obj === FAIL) || (typeof obj == 'function')){
if((obj === FAIL) || (
(typeof obj == 'function') && rejectAccessToMethodsOnFunctions
)){
return FAIL;

@@ -154,3 +158,3 @@ }

var bodies = node.body.body;
// Create a "scope" for our arguments

@@ -176,3 +180,3 @@ var oldVars = {};

vars = oldVars;
var keys = Object.keys(vars);

@@ -205,3 +209,3 @@ var vals = keys.map(function(key) {

})(ast);
return result === FAIL ? undefined : result;

@@ -208,0 +212,0 @@ };
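Review bot: The new guard in the MemberExpression hunk, `(typeof obj == 'function') && rejectAccessToMethodsOnFunctions`, waives the entire function-method check when `allowAccessToMethodsOnFunctions` is set without looking at which property is being read; on any function value `constructor` resolves to `Function`, presumably the arbitrary-code path the changelog entry refers to, and the option reopens it wholesale rather than only the methods cwise needs. A narrower opt-in would keep rejecting that name even when the option is on, e.g. `(typeof obj == 'function') && (rejectAccessToMethodsOnFunctions || propName === 'constructor')`, where `propName` is the resolved property name — the lookup of `node.property` appears to sit further down the MemberExpression branch, outside this hunk, so it would have to be hoisted above the check. That still does not make the option safe (`__proto__` and function values reached through calls need the same treatment), so the changelog's "trusted inputs only" wording belongs in code next to `var rejectAccessToMethodsOnFunctions = ...`, e.g. `// Opt-in only: re-exposes a known arbitrary-code-execution path through Function properties; use solely on trusted input.` The enclosing `walk` function starts and ends outside the hunk.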

{
"name": "static-eval",
"version": "2.0.5",
"description": "evaluate statically-analyzable expressions",
"main": "index.js",
"dependencies": {
"escodegen": "^1.11.1"
},
"devDependencies": {
"esprima": "^3.1.3",
"tape": "^4.10.1"
},
"scripts": {
"test": "tape test/*.js"
},
"testling": {
"files": "test/*.js",
"browsers": [
"ie/8..latest",
"ff/latest",
"chrome/latest",
"opera/latest",
"safari/latest"
]
},
"repository": {
"type": "git",
"url": "git://github.com/browserify/static-eval.git"
},
"homepage": "https://github.com/browserify/static-eval",
"keywords": [
"static",
"eval",
"expression",
"esprima",
"ast",
"abstract",
"syntax",
"tree",
"analysis"
],
"author": {
"name": "James Halliday",
"email": "mail@substack.net",
"url": "http://substack.net"
},
"license": "MIT"
"name": "static-eval",
"version": "2.1.0",
"description": "evaluate statically-analyzable expressions",
"main": "index.js",
"dependencies": {
"escodegen": "^1.11.1"
},
"devDependencies": {
"esprima": "^3.1.3",
"tape": "^4.10.1"
},
"scripts": {
"test": "tape test/*.js"
},
"testling": {
"files": "test/*.js",
"browsers": [
"ie/8..latest",
"ff/latest",
"chrome/latest",
"opera/latest",
"safari/latest"
]
},
"repository": {
"type": "git",
"url": "git://github.com/browserify/static-eval.git"
},
"homepage": "https://github.com/browserify/static-eval",
"keywords": [
"static",
"eval",
"expression",
"esprima",
"ast",
"abstract",
"syntax",
"tree",
"analysis"
],
"author": {
"name": "James Halliday",
"email": "mail@substack.net",
"url": "http://substack.net"
},
"license": "MIT"
}

