FLUJOS/VISUALIZACION/node_modules/safer-eval/README.md
2025-11-07 00:06:12 +01:00

# safer-eval but harmful
[![NPM version](https://badge.fury.io/js/safer-eval.svg)](https://www.npmjs.com/package/safer-eval/)
> harmful as eval
This approach has proven to be HARMFUL and is not a suitable replacement for `eval` in node or in the browser.
Before using this module, **ask yourself if there are no better options** than using saferEval.
It is potentially better than the bad old `eval()` but has harmful potential.
Check out the "harmful context" tests section.
![harmful](https://raw.githubusercontent.com/commenthol/safer-eval/master/harmful.png)
**Warning:** The `saferEval` function is harmful - so you are warned!
Better packages:
- For node check [vm2](https://www.npmjs.com/package/vm2).
----
If you like to **post exploits** you found on this module, feel free to do so.
Please file an issue with your findings.
Maybe this then helps others to build a better sandbox.
----
In node the `vm` module is used to sandbox the evaluation of `code`.
The browser version `browser.js` might not be as safe as the node version
`index.js`, as no real sandboxing is available in the browser. Please consider modules like
[sandboxr](https://www.npmjs.com/package/sandboxr).
Runs on node and in modern browsers:
| Platform | Versions |
| --- | --- |
| **node** | 8, 10, 11, 12 |
| **Chrome** | 70, 75 |
| **Firefox** | 60, 68 |
| **Edge** | 17, 18 |
| **IE** | ~~11~~ |
| **Safari** | 11, 12 |
| **iOS Safari** | 11.3, 12.0 |
## Installation
```sh
npm install --save safer-eval
```
## Implementation recommendations
**Use strict mode**
Always use `'use strict'` mode in functions/ files calling `saferEval()`.
Otherwise a sandbox breakout may be possible.
```js
'use strict'
const saferEval = require('safer-eval')
function main () {
  'use strict' //< alternative within function
  const res = saferEval('new Date()')
  // ...
}
```
**Run in worker**
Be aware that a call such as
```js
saferEval('(function () { while (true) {} })()')
```
may run forever. Consider using the module from within a worker thread that is terminated
after a timeout.
**Avoid context props**
Avoid passing `context` props while deserializing data from hostile environments.
## Usage
`context` allows objects to be passed into the sandbox as globals.
Take care, injected `code` can overwrite those passed context props!
Check the tests under "harmful context"!
**Parameters**
**code**: `String`, a string containing JavaScript code
**context**: `Object`, define globals, properties for evaluation context
**Returns**: `Any`, evaluated code
**Example**:
in node:
```js
'use strict' //< NEVER FORGET TO ADD STRICT MODE in file/ function
//< running `saferEval`
const saferEval = require('safer-eval')
const code = `{d: new Date('1970-01-01'), b: new Buffer('data')}`
const res = saferEval(code)
// => toString.call(res.d) = '[object Date]'
// => toString.call(res.b) = '[object Buffer]'
```
in browser:
```js
'use strict' //< NEVER FORGET TO ADD STRICT MODE in file/ function
//< running `saferEval`
const saferEval = require('safer-eval')
const code = `{d: new Date('1970-01-01'), b: function () { return navigator.userAgent }}`
const res = saferEval(code, {navigator: window.navigator})
// => toString.call(res.d) = '[object Date]'
// => toString.call(res.b) = '[object Function]'
// => res.b() = "Mozilla/5.0 (..."
```
To minimize harmful code injection, carefully select the methods you allow in `context`; the example below uses [clones] to hand the sandbox only a bound copy of `window.btoa`.
```js
const saferEval = require('safer-eval')
const code = `window.btoa('Hello, world')`
// AVOID passing a GLOBAL context!!!
const bad = saferEval(code, {window: window})
// BETTER - code needs only access to window.btoa
const clones = require('clones')
const context = {
  window: {
    btoa: clones(window.btoa, window)
  }
}
const res = saferEval(code, context)
// => res = 'SGVsbG8sIHdvcmxk'
```
## Reusing context
Use `new SaferEval()` to reuse a context once it has been created.
```js
'use strict' //< NEVER FORGET TO ADD STRICT MODE in file/ function
//< running `saferEval`
const { SaferEval } = require('safer-eval')
const safer = new SaferEval()
const code = `{d: new Date('1970-01-01'), b: new Buffer('data')}`
const res = safer.runInContext(code)
```
## License
[MIT](./LICENSE)
[clones]: https://github.com/commenthol/clones