safe-expr-eval

Secure expression evaluator - Drop-in replacement for expr-eval without CVE-2025-12735 vulnerability

# Security Policy

## Supported Versions

We release patches for security vulnerabilities for the following versions:

| Version | Supported          |
| ------- | ------------------ |
| 1.x.x   | :white_check_mark: |

## Reporting a Vulnerability

We take the security of `safe-expr-eval` seriously. If you discover a security vulnerability, please follow these steps:

### How to Report

1. **DO NOT** open a public issue
2. Report security issues through GitHub Security Advisories: https://github.com/alecasg555/safe-expr-eval/security/advisories/new
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

### What to Expect

- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Fix Timeline**: Depends on severity
  - Critical: Within 7 days
  - High: Within 14 days
  - Medium: Within 30 days
  - Low: Next release cycle

### Disclosure Policy

- We will coordinate disclosure with you
- Security advisories will be published after a fix is available
- Credit will be given to reporters (unless anonymity is requested)

## Security Best Practices

When using `safe-expr-eval`:

1. **Validate Input**: Always validate expressions from untrusted sources
2. **Limit Variables**: Only expose the variables an expression actually needs
3. **Sanitize Functions**: Be careful when adding custom functions; every function you register is callable from untrusted input
4. **Error Handling**: Implement proper error handling around evaluation
5. **Rate Limiting**: Consider rate limiting for user-provided expressions

### Example: Safe Usage

```typescript
import { Parser } from 'safe-expr-eval';

function evaluateUserExpression(expr: string, data: Record<string, unknown>) {
  // 1. Reject oversized expressions before they are parsed
  if (expr.length > 1000) {
    throw new Error('Expression too long');
  }

  // 2. Create a parser instance for this evaluation
  const parser = new Parser();

  // 3. Register only pure, side-effect-free functions; never register
  //    anything that reaches I/O, globals, or the file system
  parser.functions.abs = Math.abs;
  parser.functions.min = Math.min;
  parser.functions.max = Math.max;

  // 4. Wrap in try-catch so a malformed expression cannot crash the caller;
  //    `data` should hold only the variables the expression is allowed to read
  try {
    return parser.evaluate(expr, data);
  } catch (error) {
    console.error('Evaluation error:', error);
    return null;
  }
}
```

## Known Security Considerations

### What We Protect Against

- ✅ **Code Injection**: No `eval()` or `Function()` constructor used
- ✅ **Prototype Pollution**: Proper object handling
- ✅ **Denial of Service**: Limited recursion depth
- ✅ **Type Confusion**: Strong type checking

### What You Should Protect Against

- ⚠️ **Untrusted Functions**: Be careful when adding custom functions
- ⚠️ **Resource Exhaustion**: Implement timeouts for complex expressions
- ⚠️ **Sensitive Data**: Don't expose sensitive variables to untrusted expressions

## Security Updates

Subscribe to security updates by:

- Watching this repository
- Following our [releases](https://github.com/alecasg555/safe-expr-eval/releases)
- Checking [npm advisories](https://www.npmjs.com/advisories)

## Acknowledgments

We appreciate the security research community's efforts in making our software more secure. Responsible disclosure is valued and acknowledged.

---

Last updated: November 2025