{"id":15696666,"url":"https://github.com/azu/restrict-javascript","last_synced_at":"2025-08-29T17:38:36.789Z","repository":{"id":66143633,"uuid":"224951130","full_name":"azu/restrict-javascript","owner":"azu","description":"Define restrict JavaScript syntax and validate it.","archived":false,"fork":false,"pushed_at":"2022-08-23T13:38:44.000Z","size":51,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-08-15T13:22:56.805Z","etag":null,"topics":["ast","javascript","safe","subset","validation"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/azu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"azu"}},"created_at":"2019-11-30T02:53:59.000Z","updated_at":"2022-08-23T13:38:48.000Z","dependencies_parsed_at":"2023-03-16T10:45:15.177Z","dependency_job_id":null,"html_url":"https://github.com/azu/restrict-javascript","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/azu/restrict-javascript","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azu%2Frestrict-javascript","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azu%2Frestrict-javascript/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azu%2Frestrict-javascript/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azu%2Frestrict-javascript/manifests","owner_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/azu","download_url":"https://codeload.github.com/azu/restrict-javascript/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azu%2Frestrict-javascript/sbom","scorecard":{"id":221557,"data":{"date":"2025-08-11","repo":{"name":"github.com/azu/restrict-javascript","commit":"945d31c1938113b6ba6e25ab6c4e7fb1c474dd00"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.1,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/5 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/azu/restrict-javascript/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/azu/restrict-javascript/ci.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/azu/.github/SECURITY.md:1","Info: Found linked content: github.com/azu/.github/SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: github.com/azu/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has 
published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"20 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-6chw-6frg-f759","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c","Warn: Project is vulnerable to: GHSA-2j2x-2gpw-g8fm","Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6","Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj","Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw","Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh","Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T02:38:37.314Z","repository_id":66143633,"created_at":"2025-08-17T02:38:37.314Z","updated_at":"2025-08-17T02:38:37.314Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272733263,"owners_count":24984260,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-29T02:00:10.610Z","response_time":87,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ast","javascript","safe","subset","validation"],"created_at":"2024-10-03T19:09:37.272Z","updated_at":"2025-08-29T17:38:36.758Z","avatar_url":"https://github.com/azu.png","language":"TypeScript","funding_links":["https://github.com/sponsors/azu"],"categories":[],"sub_categories":[],"readme":"# restrict-javascript\n\nDefine restrict JavaScript syntax and validate it.\n\n## Motivation\n\nThis validation library aims to define a limited JavaScript subset.\nThat subset will be safe by default.\nSafe means that the code does not call any untrusted function.\n\n## Do\n\nValidating the following untrusted function calls yields errors. 
\n\n```js\nalert(\"hello\");\nalert`hello`;\nconst a = alert;\na(\"hello\");\nconst alertName = \"alert\";\nwindow[alertName](\"hello\");\n```\n\nThe following code passes, because it is safe.\n\n```js\n`text`;\n```\n\n### Do Not\n\nThis validation does not provide a sandbox feature.\nThat means the code can refer to any object like `window` by default.\nOn the other hand, `__proto__` and `constructor` lookups are restricted by default.\n\nThis validation is meant to be used together with the [vm](https://nodejs.org/api/vm.html) module.\n\n## Install\n\nInstall with [npm](https://www.npmjs.com/):\n\n    npm install restrict-javascript\n\n## Usage\n\nThis validation is used with [Espree](https://github.com/eslint/espree).\n\n:memo: Pass the `loc: true` option to the `espree.parse` function. It is needed to report error positions.\n\n```js\nimport { validateAST } from \"restrict-javascript\";\nimport * as espree from \"espree\";\nimport assert from \"assert\";\nconst untrustedJSCode = `\nfunction add(x, y){\n    return x + y\n}\n\nconst total = add(1, 2);\n`;\nconst AST = espree.parse(untrustedJSCode, {\n    loc: true, // \u003c= the `loc` option is required\n    // other options are optional\n    ecmaVersion: 2015\n});\nconst validationResult = validateAST(AST);\nif (!validationResult.ok) {\n    assert.deepStrictEqual(validationResult.errors, [\n            {id: 'DISALLOW_NODE_TYPE', line: 2, column: 0}, // function\n            {id: 'DISALLOW_NODE_TYPE', line: 6, column: 0}, // const\n            {id: 'DISALLOW_NODE_TYPE', line: 6, column: 6}, // =\n            {id: 'DISALLOW_UNTRUSTED_FUNCTION_CALL', line: 6, column: 14}, // add(1, 2)\n            {id: 'DISALLOW_NODE_TYPE', line: 6, column: 14} // function call node\n        ]\n    )\n}\n```\n\n### Default Options\n\nThe default config is a very strict setting.\n\nIt aims to prevent defining untrusted functions/variables and invoking untrusted functions. 
\n\n- Disallow any function/method/class call\n    - includes normal function calls, `new` expressions, and tagged template calls\n- Disallow any function/method/class declaration\n    - NG: `function`, `class`, `=\u003e`\n- Disallow any variable declaration\n    - NG: `var`, `let`, `const`\n- Disallow any variable assignment\n    - NG: `foo = \"value\";`\n- Disallow lookup of the `__proto__` and `constructor` properties\n\nSummary: disallow creating functions, calling functions, and looking up the properties above.\n\nYou can add an allow list with the `allow*` options.\n\n### `allowFunctionNames: string[]`\n\nThis option allows calling the specified function names.\n\nExample: Allow `String()` and `alert()`\n\n```js\n{\n    allowFunctionNames: [\"String\", \"alert\"]\n}\n```\n\n### `allowMethodNames: string[]`\n\nThis option allows calling the specified method names.\n\nExample: Allow `Math.random()`\n\n```js\n{\n    allowMethodNames: [\"Math.random\"]\n}\n```\n\nThis option accepts `?` as a placeholder value; `?` matches any name.\n\nExample: Allow `\"string\".replace(\"a\", \"b\")`.\nHere `?` matches `\"string\"`.\n\n```js\n{\n    allowMethodNames: [\"?.replace\"]\n}\n```\n\nNote on method chain matching: you can match `[].map().filter()` with the following option.\n\n```js\n{\n    allowMethodNames: [\"?.map.filter\"]\n}\n```\n\n### `allowNodeTypes: string[]`\n\nThis option allows the use of the specified `ESTree.Node` types.\n\nDefault: allows safe node types.\n\nThis option overrides the default option. 
Be careful.\n\n- [estree/estree: The ESTree Spec](https://github.com/estree/estree)\n\n### `allowNodesIncludesChildren: ESTree.Node[]`\n\nThis option allows a node and the node's children.\nSpecify an ESTree node object; it is matched partially.\n\nThis option allows special patterns.\n\nFor example, you can allow the `new Date().getTime()` signature with the following option:\n\n```js\n{\n    allowNodesIncludesChildren: [\n        {\n            type: \"ExpressionStatement\",\n            expression: {\n                type: \"CallExpression\",\n                callee: {\n                    type: \"MemberExpression\",\n                    object: {\n                        type: \"NewExpression\",\n                        callee: {\n                            type: \"Identifier\",\n                            name: \"Date\"\n                        },\n                        arguments: []\n                    },\n                    property: {\n                        type: \"Identifier\",\n                        name: \"getTime\"\n                    },\n                    computed: false\n                },\n                arguments: []\n            }\n        }\n    ]\n}\n```\n\nSee also [test/fixtures/ok.options.allowNodesIncludesChildren/](test/fixtures/ok.options.allowNodesIncludesChildren/)\n\n:memo: Notice: this option forces validation to skip the matched node entirely, so treat it with care!\n\nTip: [AST explorer](https://astexplorer.net/) is useful for building these options.\n\n### `debug: boolean`\n\nEnable debug output. It is useful for debugging.\n\n- Adds a `node` property to each error.\n\n## Changelog\n\nSee [Releases page](https://github.com/azu/restrict-javascript/releases).\n\n## Running tests\n\nInstall devDependencies and run `npm test`:\n\n    npm test\n\n## Contributing\n\nPull requests and stars are always welcome.\n\nFor bugs and feature requests, [please create an issue](https://github.com/azu/restrict-javascript/issues).\n\n1. Fork it!\n2. 
Create your feature branch: `git checkout -b my-new-feature`\n3. Commit your changes: `git commit -am 'Add some feature'`\n4. Push to the branch: `git push origin my-new-feature`\n5. Submit a pull request :D\n\n## Author\n\n- [github/azu](https://github.com/azu)\n- [twitter/azu_re](https://twitter.com/azu_re)\n\n## License\n\nMIT © azu\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fazu%2Frestrict-javascript","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fazu%2Frestrict-javascript","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fazu%2Frestrict-javascript/lists"}