UNPKG

argencoders-notevil

Version:

Evaluate javascript like the built-in eval() method but safely

github.com/mmckegg/notevil

mmckegg/notevil

118 lines (104 loc) 3.5 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
var safeEval = require('../') var test = require('tape') test('attempt override prototype method', function(t){ var original = Array.prototype.map safeEval('Array.prototype.map = function(){ return "HACK" }', { Array: Array }) t.equal(Array.prototype.map, original, 'prototype method not changed') t.end() }) test('attempt to set __proto__', function(t){ var x = ['test'] var original = Object.getPrototypeOf(x) safeEval('x.__proto__ = {newProto: true}', { x: original }) t.equal(Object.getPrototypeOf(x), original, '__proto__ not changed') t.end() }) test('try to access this via constructor', function(t){ var result = safeEval("[].slice.constructor('return this')()") t.equal(result, null) t.end() }) test('try to access this via constructor and bind', function(t){ var result = safeEval("[].slice.constructor.bind()('return this')()") t.equal(result, null) t.end() }) test('infinite recursion', function(t){ t.throws(function(){ safeEval('function test() { test() }; test()') }) t.end() }) test('infinite for loop', function(t){ t.throws(function(){ safeEval('for (;true;){}') }) t.end() }) test('infinite while loop', function(t){ t.throws(function(){ safeEval('while (true){}') }) t.end() }) test('set wrapped string prototype', function(t){ var code = 'String.prototype.makeLouder = function() { return this + "!" }; "test".makeLouder()' t.equal(safeEval(code), 'test!') t.throws(function(){ "test".makeLouder() }, 'original string prototype untouched') t.end() }) test('set wrapped object prototype', function(t){ var code = 'Object.prototype.wibblify = function() { return "~" + this.value + "~" }; ({value: "test"}).wibblify()' t.equal(safeEval(code), '~test~') t.throws(function(){ ({value: "test"}).wibblify() }, 'original object prototype untouched') t.end() }) test('set wrapped object prototype by object.__proto__', function(t){ var code = '({}).__proto__.wibblify = function() { return "~" + this.value + "~" }; ({value: "test"}).wibblify()' t.equal(safeEval(code), '~test~') t.throws(function(){ ({value: "test"}).wibblify() }, 'original object prototype untouched') t.end() }) test('prevent access to Function via function call', function(t){ var code = "" + "function fn() {};" + "var constructorProperty = Object.getOwnPropertyDescriptors(fn.__proto__).constructor;" + "var properties = Object.values(constructorProperty);" + "properties.pop();" + "properties.pop();" + "properties.pop();" + "var Function = properties.pop();" + "(Function('return this'))()" t.notEqual(safeEval(code), global) t.equal(safeEval(code), null) t.end() }) test('prevent access to Function via function call (bound)', function(t){ var code = "" + "function fn() {};" + "var constructorProperty = Object.getOwnPropertyDescriptors(fn.__proto__).constructor;" + "var properties = Object.values(constructorProperty);" + "properties.pop();" + "properties.pop();" + "properties.pop();" + "var Func = properties.map(function (x) {return x.bind(x, 'return this')}).pop();" + "(Func())()" t.notEqual(safeEval(code), global) t.equal(safeEval(code), null) t.end() }) test('prevent access to Function prototype', function(t){ safeEval("try{a[b];}catch(e){e.constructor.constructor('return __proto__.arguments.callee.__proto__.polluted=true')()};") t.equal(Function.polluted, undefined) t.end() })