https://github.com/commenthol/safer-eval

# safer-eval but harmful

[![NPM version](https://badge.fury.io/js/safer-eval.svg)](https://www.npmjs.com/package/safer-eval/)

> harmful as eval

This approach has proven to be HARMFUL and is not suitable as a replacement for `eval` in node or the browser.
Before using this module, **ask yourself whether there are better options** than using `saferEval`.
It is potentially better than the bad old `eval()`, but it still has harmful potential.
Check out the "harmful context" section of the tests.

![harmful](https://raw.githubusercontent.com/commenthol/safer-eval/master/harmful.png)

**Warning:** The `saferEval` function is harmful - so you are warned!

Better packages:

- For node check [vm2](https://www.npmjs.com/package/vm2).

----

If you would like to post exploits you found in this module, feel free to do so.
Please file an issue with your findings.

Maybe this will help others build a better sandbox.

----

In node the `vm` module is used to sandbox the evaluation of `code`.

The browser version `browser.js` might not be as safe as the node version
`index.js`, because no real sandboxing is available in the browser. Please consider modules like
[sandboxr](https://www.npmjs.com/package/sandboxr).

Runs on node and in modern browsers:

| | Versions |
| --- | --- |
| **node** | 8, 10, 11, 12 |
| **Chrome** | 70, 75 |
| **Firefox** | 60, 68 |
| **Edge** | 17, 18 |
| **IE** | ~~11~~ |
| **Safari** | 11, 12 |
| **iOS Safari** | 11.3, 12.0 |

## Installation

```
npm install --save safer-eval
```

## Implementation recommendations

**Use strict mode**

Always use `'use strict'` mode in the functions/files calling `saferEval()`.
Otherwise a sandbox breakout may be possible.

```js
'use strict' //< strict mode for the whole file
const saferEval = require('safer-eval')

function main () {
  'use strict' //< alternative: strict mode within the function
  const res = saferEval('new Date()')
  return res // ...
}
```

**Run in worker**

Be aware that code such as

```js
saferEval('(function () { while (true) {} })()')
```

may run forever. Consider running the module from within a worker thread that is terminated
after a timeout.

**Avoid context props**

Avoid passing `context` props when deserializing data from hostile environments.

## Usage

`context` allows passing objects into the sandbox.
Take care: injected `code` can overwrite those passed context props!
Check the tests under "harmful context"!

**Parameters**

**code**: `String`, a string containing javascript code

**context**: `Object`, define globals, properties for evaluation context

**Returns**: `Any`, evaluated code

**Example**:

in node:

```js
'use strict' //< NEVER FORGET TO ADD STRICT MODE in file/ function
//< running `saferEval`
const saferEval = require('safer-eval')
const code = `{d: new Date('1970-01-01'), b: new Buffer('data')}`
const res = saferEval(code)
// => toString.call(res.d) = '[object Date]'
// => toString.call(res.b) = '[object Buffer]'
```

in browser:

```js
'use strict' //< NEVER FORGET TO ADD STRICT MODE in file/ function
//< running `saferEval`
const saferEval = require('safer-eval')
const code = `{d: new Date('1970-01-01'), b: function () { return navigator.userAgent }}`
const res = saferEval(code, {navigator: window.navigator})
// => toString.call(res.d) = '[object Date]'
// => toString.call(res.b) = '[object Function]'
// => res.b() = "Mozilla/5.0 (..."
```

To minimize the impact of any harmful code injection, carefully select the methods you allow in `context`:

```js
'use strict' //< NEVER FORGET TO ADD STRICT MODE in file/ function
const saferEval = require('safer-eval')
const clones = require('clones')
const code = `window.btoa('Hello, world')`

// AVOID passing a GLOBAL context!!!
const resUnsafe = saferEval(code, {window: window})

// BETTER - the code needs access to window.btoa only
const context = {
  window: {
    btoa: clones(window.btoa, window)
  }
}
const res = saferEval(code, context)
// => res = 'SGVsbG8sIHdvcmxk'
```

## Reusing context

Use `new SaferEval()` to reuse a once created context.

```js
'use strict' //< NEVER FORGET TO ADD STRICT MODE in file/ function
//< running `saferEval`
const { SaferEval } = require('safer-eval')
const safer = new SaferEval()
const code = `{d: new Date('1970-01-01'), b: new Buffer('data')}`
const res = safer.runInContext(code)
```

## License

[MIT](./LICENSE)

[clones]: https://github.com/commenthol/clones