{"id":19621360,"url":"https://github.com/commenthol/safer-eval","last_synced_at":"2025-04-28T03:32:17.897Z","repository":{"id":45340771,"uuid":"82386853","full_name":"commenthol/safer-eval","owner":"commenthol","description":"a safer eval","archived":false,"fork":false,"pushed_at":"2021-12-20T04:13:57.000Z","size":105,"stargazers_count":20,"open_issues_count":5,"forks_count":16,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-21T13:04:31.153Z","etag":null,"topics":["eval","javascript"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/commenthol.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-02-18T12:57:03.000Z","updated_at":"2025-02-09T18:47:08.000Z","dependencies_parsed_at":"2022-09-05T15:20:08.286Z","dependency_job_id":null,"html_url":"https://github.com/commenthol/safer-eval","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fsafer-eval","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fsafer-eval/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fsafer-eval/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commenthol%2Fsafer-eval/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/commenthol","download_url":"https://codeload.github.com/commenthol/safer-eval/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251246265,"owners_count":21558762,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["eval","javascript"],"created_at":"2024-11-11T11:22:39.996Z","updated_at":"2025-04-28T03:32:17.364Z","avatar_url":"https://github.com/commenthol.png","language":"JavaScript","readme":"# safer-eval but harmful\n\n[![NPM version](https://badge.fury.io/js/safer-eval.svg)](https://www.npmjs.com/package/safer-eval/)\n\n\u003e harmful as eval\n\nThis approach has proven to be HARMFUL and is not suitable as a replacement for eval in node or the browser.\nBefore using this module, **ask yourself if there are no better options** than using saferEval.\nIt is potentially better than the bad old `eval()` but has harmful potential.\nCheck out the \"harmful context\" tests section.\n\n![harmful](https://raw.githubusercontent.com/commenthol/safer-eval/master/harmful.png)\n\n**Warning:** The `saferEval` function is harmful - so you are warned!\n\nBetter packages:\n\n- For node check [vm2](https://www.npmjs.com/package/vm2).\n\n----\n\nIf you would like to **post exploits** you found in this module, feel free to do so.\nPlease file an issue with your findings.\n\nMaybe this then helps others to build a better sandbox.\n\n----\n\nIn node the `vm` module is used to sandbox the evaluation of `code`.\n\nThe browser version `browser.js` might not be as safe as the node version\n`index.js`, as no real sandboxing is available there. Please consider modules like\n[sandboxr](https://www.npmjs.com/package/sandboxr).\n\nRuns on node and in modern browsers:\n\n|                | Versions |\n| ---            | ---      |\n| **node**       | 8, 10, 11, 12 |\n| **Chrome**     | 70, 75 |\n| **Firefox**    | 60, 68 |\n| **Edge**       | 17, 18 |\n| **IE**         | ~~11~~ |\n| **Safari**     | 11, 12 |\n| **iOS Safari** | 11.3, 12.0 |\n\n## Installation\n\n```\nnpm install --save safer-eval\n```\n\n## Implementation recommendations\n\n**Use strict mode**\n\nAlways use `'use strict'` mode in functions/files calling `saferEval()`.\nOtherwise a sandbox breakout may be possible.\n\n```js\n'use strict'\nconst saferEval = require('safer-eval')\n\nfunction main () {\n  'use strict' //\u003c alternative within function\n  const res = saferEval('new Date()')\n  // ...\n}\n```\n\n**Run in worker**\n\nBe aware that a\n\n```js\nsaferEval('(function () { while (true) {} })()')\n```\n\nmay run\nindefinitely. Consider using the module from within a worker thread that is terminated\nafter a timeout.\n\n**Avoid context props**\n\nAvoid passing `context` props while deserializing data from hostile environments.\n\n## Usage\n\n`context` defines the objects passed into the sandbox.\nTake care: injected `code` can overwrite those passed context props!\nCheck the tests under \"harmful context\"!\n\n**Parameters**\n\n**code**: `String`, a string containing JavaScript code\n\n**context**: `Object`, globals and properties for the evaluation context\n\n**Returns**: `Any`, evaluated code\n\n**Example**:\n\nin node:\n\n```js\n'use strict' //\u003c NEVER FORGET TO ADD STRICT MODE in file/function\n             //\u003c running `saferEval`\nconst saferEval = require('safer-eval')\nconst code = `{d: new Date('1970-01-01'), b: new Buffer('data')}`\nconst res = saferEval(code)\n// =\u003e toString.call(res.d) = '[object Date]'\n// =\u003e toString.call(res.b) = '[object Buffer]'\n```\n\nin browser:\n\n```js\n'use strict' //\u003c NEVER FORGET TO ADD STRICT MODE in file/function\n             //\u003c running `saferEval`\nconst saferEval = require('safer-eval')\nconst code = `{d: new Date('1970-01-01'), b: function () { return navigator.userAgent }}`\nconst res = saferEval(code, {navigator: window.navigator})\n// =\u003e toString.call(res.d) = '[object Date]'\n// =\u003e toString.call(res.b) = '[object Function]'\n// =\u003e res.b() = \"Mozilla/5.0 (...\"\n```\n\nTo minimize any harmful code injection, carefully select the methods you allow in `context`.\n\n```js\nconst code = `window.btoa('Hello, world')`\n\n// AVOID passing a GLOBAL context!!!\nlet res = saferEval(code, {window: window})\n\n// BETTER - the code only needs access to window.btoa\nconst clones = require('clones')\nconst context = {\n  window: {\n    btoa: clones(window.btoa, window)\n  }\n}\nres = saferEval(code, context)\n// =\u003e res = 'SGVsbG8sIHdvcmxk'\n```\n\n## Reusing context\n\nUse `new SaferEval()` to reuse a context once it has been created.\n\n```js\n'use strict' //\u003c NEVER FORGET TO ADD STRICT MODE in file/function\n             //\u003c running `saferEval`\nconst { SaferEval } = require('safer-eval')\nconst safer = new SaferEval()\nconst code = `{d: new Date('1970-01-01'), b: new Buffer('data')}`\nconst res = safer.runInContext(code)\n```\n\n## License\n\n[MIT](./LICENSE)\n\n[clones]: https://github.com/commenthol/clones\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcommenthol%2Fsafer-eval","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcommenthol%2Fsafer-eval","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcommenthol%2Fsafer-eval/lists"}