kitten.sh / evalish
Mirror: A maybe slightly safer-ish wrapper around eval Function constructors
fork atom

Readd proxy for global object

kitten.sh 779a7efb a99680b5

options
unified split
Changed files
+26 -2
src
index.ts
+26 -2
src/index.ts 
···

       
10

       
 

       
  eval: true,


     

       
11

       
 

       
  module: true,


     

       
12

       
 

       
  exports: true,


     

       

       

       
     

       
13

       
 

       
  __filename: true,


     

       
14

       
 

       
  __dirname: true,


     

       
15

       
 

       
  console: true,


     
···

       
51

       
 

       
  const keys = Object.getOwnPropertyNames(target)


     

       
52

       
 

       
  for (let i = 0; i < keys.length; i++) {


     

       
53

       
 

       
    const key = keys[i];


     

       
54

       
-

       
    if (key !== 'prototype') {


     

       

       

       
     

       

       

       
     

       

       

       
     

       
55

       
 

       
      Object.defineProperty(standin, key, {


     

       
56

       
 

       
        enumerable: true,


     

       
57

       
 

       
        get: safeKey(target, key)


     
···

       
134

       
 

       
  // It _might_ be safe to expose the Function constructor like this... who knows


     

       
135

       
 

       
  safeGlobal!.Function = SafeFunction;


     

       
136

       
 

       
  // Lastly, we also disallow certain property accesses on the safe global


     

       
137

       
-

       
  return (safeGlobal = mask(safeGlobal!));


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
138

       
 

       
}


     

       
139

       
 

       



     

       
140

       
 

       
interface SafeFunction {


     
···

       
10

       
 

       
  eval: true,


     

       
11

       
 

       
  module: true,


     

       
12

       
 

       
  exports: true,


     

       
13

       
+

       
  makeSafeGlobal: true,


     

       
14

       
 

       
  __filename: true,


     

       
15

       
 

       
  __dirname: true,


     

       
16

       
 

       
  console: true,


     
···

       
52

       
 

       
  const keys = Object.getOwnPropertyNames(target)


     

       
53

       
 

       
  for (let i = 0; i < keys.length; i++) {


     

       
54

       
 

       
    const key = keys[i];


     

       
55

       
+

       
    if (


     

       
56

       
+

       
      key !== 'prototype' &&


     

       
57

       
+

       
      (typeof standin !== 'function' || (key !== 'arguments' && key !== 'caller'))


     

       
58

       
+

       
    ) {


     

       
59

       
 

       
      Object.defineProperty(standin, key, {


     

       
60

       
 

       
        enumerable: true,


     

       
61

       
 

       
        get: safeKey(target, key)


     
···

       
138

       
 

       
  // It _might_ be safe to expose the Function constructor like this... who knows


     

       
139

       
 

       
  safeGlobal!.Function = SafeFunction;


     

       
140

       
 

       
  // Lastly, we also disallow certain property accesses on the safe global


     

       
141

       
+

       
  // Wrap any given target with a Proxy preventing access to unscopables


     

       
142

       
+

       
  if (typeof Proxy === 'function') {


     

       
143

       
+

       
    // Wrap the target in a Proxy that disallows access to some keys


     

       
144

       
+

       
    return (safeGlobal = new Proxy(safeGlobal!, {


     

       
145

       
+

       
      // Return a value, if it's allowed to be returned and mask this value


     

       
146

       
+

       
      get(target, _key) {


     

       
147

       
+

       
        const key = safeKey(target, _key);


     

       
148

       
+

       
        return key !== undefined ? target[key] : undefined;


     

       
149

       
+

       
      },


     

       
150

       
+

       
      has(_target, _key) {


     

       
151

       
+

       
        return true;


     

       
152

       
+

       
      },


     

       
153

       
+

       
      set: noop,


     

       
154

       
+

       
      deleteProperty: noop,


     

       
155

       
+

       
      defineProperty: noop,


     

       
156

       
+

       
      getOwnPropertyDescriptor: noop,


     

       
157

       
+

       
    }));


     

       
158

       
+

       
  } else {


     

       
159

       
+

       
    // NOTE: Some property accesses may leak through here without the Proxy


     

       
160

       
+

       
    return (safeGlobal = mask(safeGlobal));


     

       
161

       
+

       
  }


     

       
162

       
 

       
}


     

       
163

       
 

       



     

       
164

       
 

       
interface SafeFunction {