
Functions containing eval() where this or arguments are accessible allows eval() code to access temp vars #473

Open
overlookmotel opened this issue Jan 2, 2023 · 0 comments
Labels: bug (Something isn't working), eval (Issue related to `eval`)

Comments

overlookmotel (Owner) commented Jan 2, 2023

Input:

export default (function() {
  return () => eval('[typeof _this, typeof _arguments]');
}).call({});

Current output:

module.exports = (0, eval)(`
  "use strict";
  (_this, _arguments) => function () {
    return () => eval('[typeof _this, typeof _arguments]');
  }.apply(_this, _arguments);
`)( {}, function () { return arguments; }() );

Original function returns ['undefined', 'undefined'] whereas output function returns ['object', 'object']. This is because eval() can access the temp vars which don't exist in the original.

The temp vars can be removed, solving this problem, by outputting:

export default (0, eval)(`
  "use strict";
  (function() {
    // Forward the caller's this/arguments via the wrapper's own arguments object,
    // so no extra named variables are visible to the inner eval()
    return function() {
      return () => eval('[typeof _this, typeof _arguments]');
    }.apply(arguments[0], arguments[1]);
  })
`)( {}, function() { return arguments; }() );

or even something very close to the original:

export default (0, eval)(`
  "use strict";
  (function() {
    return () => eval('[typeof _this, typeof _arguments]');
  });
`).call({});

In this simple case where there are no other vars defined in the file, and output is ESM format (so no module or exports vars), output could also be identical to input. There's no need for the (0, eval)(...) wrapper, because there are no local vars to shield the eval() code from.
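The three behaviours discussed above, as an added, runnable example that is not Livepack's own code or output. It reproduces the current (leaky) wrapper shape, the proposed wrapper that forwards `this`/`arguments` through the outer function's own `arguments` object, and the scope-shielding effect of indirect eval that the last paragraph refers to. The names `original`, `serializedBuggy`, `serializedFixed`, `shieldDemo` and `results` are hypothetical and chosen for this example only.

```javascript
// Added example (not Livepack's code). Demonstrates why a direct eval() inside a
// serialized function can observe temp variables that the wrapper introduces, and
// why a wrapper with no extra named bindings preserves the original semantics.

// The original function: the direct eval() resolves names through the arrow's
// scope chain, where `_this` and `_arguments` do not exist.
const original = (function () {
  return () => eval('[typeof _this, typeof _arguments]');
}).call({});

// Leaky shape (mirrors the issue's "current output"): the indirect-eval wrapper
// introduces `_this` and `_arguments` as arrow parameters, so the inner direct
// eval() can see them as ordinary variables.
const serializedBuggy = (0, eval)(`
  "use strict";
  (_this, _arguments) => function () {
    return () => eval('[typeof _this, typeof _arguments]');
  }.apply(_this, _arguments);
`)({}, function () { return arguments; }());

// Proposed shape (mirrors the issue's suggested output): `this` and `arguments`
// are passed through the wrapper function's own `arguments` object, so no new
// identifiers enter the scope chain that eval() resolves against.
const serializedFixed = (0, eval)(`
  "use strict";
  (function () {
    return function () {
      return () => eval('[typeof _this, typeof _arguments]');
    }.apply(arguments[0], arguments[1]);
  })
`)({}, function () { return arguments; }());

// Why the (0, eval) wrapper exists at all: a direct eval() sees the enclosing
// function's locals, an indirect eval() only sees global scope. When the module
// has no locals worth hiding, the wrapper buys nothing (the issue's last point).
function shieldDemo() {
  const localSecret = 1;
  const direct = eval('typeof localSecret');        // sees the local
  const indirect = (0, eval)('typeof localSecret'); // global scope only
  return [direct, indirect];
}

// Collects what each variant reports when the deferred arrow is finally called.
function results() {
  return {
    original: original(),       // ['undefined', 'undefined']
    buggy: serializedBuggy(),   // ['object', 'object']  <- temp vars leaked
    fixed: serializedFixed(),   // ['undefined', 'undefined']
    shield: shieldDemo(),       // ['number', 'undefined']
  };
}
```

Run the file with Node and inspect `results()`: only the leaky wrapper reports `['object', 'object']`, which is exactly the divergence from the input that the issue describes.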

overlookmotel added the labels `eval` and `bug` and removed the label `enhancement` on Jan 2, 2023.
overlookmotel changed the title from "Functions containing eval() where this or arguments are accessible allows eval() code to see Livepack's intermediate vars" to "Functions containing eval() where this or arguments are accessible allows eval() code to access temp vars" on Jan 2, 2023.