comparing v0.1.6 and main on kitten.sh/evalish

+26

.github/workflows/mirror.yml

···

       1
       1
       +
       # Mirrors to https://tangled.sh/@kitten.sh (knot.kitten.sh)

     

       2
       2
       +
       name: Mirror (Git Backup)

     

       3
       3
       +
       on:

     

       4
       4
       +
         push:

     

       5
       5
       +
           branches:

     

       6
       6
       +
             - main

     

       7
       7
       +
       jobs:

     

       8
       8
       +
         mirror:

     

       9
       9
       +
           runs-on: ubuntu-latest

     

       10
       10
       +
           steps:

     

       11
       11
       +
             - name: Checkout repository

     

       12
       12
       +
               uses: actions/checkout@v4

     

       13
       13
       +
               with:

     

       14
       14
       +
                 fetch-depth: 0

     

       15
       15
       +
                 fetch-tags: true

     

       16
       16
       +
             - name: Mirror

     

       17
       17
       +
               env:

     

       18
       18
       +
                 MIRROR_SSH_KEY: ${{ secrets.MIRROR_SSH_KEY }}

     

       19
       19
       +
                 GIT_SSH_COMMAND: 'ssh -o StrictHostKeyChecking=yes'

     

       20
       20
       +
               run: |

     

       21
       21
       +
                 mkdir -p ~/.ssh

     

       22
       22
       +
                 echo "$MIRROR_SSH_KEY" > ~/.ssh/id_rsa

     

       23
       23
       +
                 chmod 600 ~/.ssh/id_rsa

     

       24
       24
       +
                 ssh-keyscan -H knot.kitten.sh >> ~/.ssh/known_hosts

     

       25
       25
       +
                 git remote add mirror "git@knot.kitten.sh:kitten.sh/${GITHUB_REPOSITORY#*/}"

     

       26
       26
       +
                 git push --mirror mirror

+2 -1

package.json

···

       2
       2
        
         "name": "evalish",

     

       3
       3
        
         "description": "A maybe slightly safer-ish wrapper around eval Function constructors",

     

       4
       4
        
         "DISCLAIMER": "Please maybe try something else first.. Please.",

     

       5
       5
       -
         "version": "0.1.6",

     

       5
       5
       +
         "version": "0.1.8",

     

       6
       6
        
         "main": "dist/evalish.js",

     

       7
       7
        
         "module": "dist/evalish.mjs",

     

       8
       8
        
         "types": "dist/types/index.d.ts",

     
···

       57
       57
        
           "@rollup/plugin-buble": "^0.21.3",

     

       58
       58
        
           "@rollup/plugin-commonjs": "^21.0.2",

     

       59
       59
        
           "@rollup/plugin-node-resolve": "^13.1.3",

     

       60
       60
       +
           "@types/node": "^18.0.6",

     

       60
       61
        
           "@types/react": "^17.0.42",

     

       61
       62
        
           "husky-v4": "^4.3.8",

     

       62
       63
        
           "lint-staged": "^12.3.7",

+88 -30

src/index.ts

···

       8
       8
        
         require: true,

     

       9
       9
        
         Function: true,

     

       10
       10
        
         eval: true,

     

       11
       11
       +
         process: true,

     

       11
       12
        
         module: true,

     

       12
       13
        
         exports: true,

     

       13
       14
        
         makeSafeGlobal: true,

     
···

       17
       18
        
       };

     

       18
       19
        
       

     

       19
       20
        
       const noop = function () {} as any;

     

       21
       21
       +
       const _freeze = Object.freeze;

     

       22
       22
       +
       const _seal = Object.seal;

     

       23
       23
       +
       const _keys = Object.keys;

     

       24
       24
       +
       const _getOwnPropertyNames = Object.getOwnPropertyNames;

     

       25
       25
       +
       const _getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor;

     

       26
       26
       +
       const _defineProperty = Object.defineProperty;

     

       27
       27
       +
       const _create = Object.create;

     

       28
       28
       +
       const _slice = Array.prototype.slice;

     

       20
       29
        
       

     

       21
       30
        
       type Object = Record<string | symbol, unknown>;

     

       22
       31
        
       

     
···

       32
       41
        
       }

     

       33
       42
        
       

     

       34
       43
        
       function freeze(target: Object): Object {

     

       35
       35
       -
         return typeof Object.freeze === 'function'

     

       36
       36
       -
           ? Object.freeze(target)

     

       37
       37
       -
           : target;

     

       44
       44
       +
         try { _freeze(target); } catch (_error) {}

     

       45
       45
       +
         try { _seal(target); } catch (_error) {}

     

       46
       46
       +
         return target;

     

       38
       47
        
       }

     

       39
       48
        
       

     

       49
       49
       +
       const masked = new Set();

     

       50
       50
       +
       

     

       40
       51
        
       // Wrap any given target with a masking object preventing access to prototype properties

     

       41
       41
       -
       function mask(target: any) {

     

       52
       52
       +
       function mask(target: any, toplevel: boolean) {

     

       42
       53
        
         if (

     

       43
       54
        
           target == null ||

     

       44
       55
        
           (typeof target !== 'function' && typeof target !== 'object')

     
···

       46
       57
        
           // If the target isn't a function or object then skip

     

       47
       58
        
           return target;

     

       48
       59
        
         }

     

       60
       60
       +
       

     

       61
       61
       +
         if (!('constructor' in target)) {

     

       62
       62
       +
           toplevel = false;

     

       63
       63
       +
         }

     

       64
       64
       +
       

     

       65
       65
       +
         if (toplevel && masked.has(target)) {

     

       66
       66
       +
           return target;

     

       67
       67
       +
         } else if (toplevel) {

     

       68
       68
       +
           masked.add(target);

     

       69
       69
       +
         }

     

       70
       70
       +
       

     

       49
       71
        
         // Create a stand-in object or function

     

       50
       50
       -
         const standin =

     

       51
       51
       -
           typeof target === 'function'

     

       72
       72
       +
         let standin = target;

     

       73
       73
       +
         if (!toplevel) {

     

       74
       74
       +
           standin = typeof target === 'function'

     

       52
       75
        
             ? (function (this: any) {

     

       53
       53
       -
                 return target.apply(this, arguments);

     

       76
       76
       +
                 if (new.target === undefined) {

     

       77
       77
       +
                   return target.apply(this, arguments);

     

       78
       78
       +
                 } else {

     

       79
       79
       +
                   const args = _slice.call(arguments);

     

       80
       80
       +
                   args.unshift(null);

     

       81
       81
       +
                   return new (target.bind.apply(target, args));

     

       82
       82
       +
                 }

     

       54
       83
        
               })

     

       55
       55
       -
             : Object.create(null);

     

       84
       84
       +
             : _create(null);

     

       85
       85
       +
         }

     

       86
       86
       +
       

     

       56
       87
        
         // Copy all known keys over to the stand-in and recursively apply `withProxy`

     

       57
       88
        
         // Prevent unsafe keys from being accessed

     

       58
       89
        
         const keys = ["__proto__", "constructor"];

     
···

       60
       91
        
           // Chromium already restricts access to certain globals in an

     

       61
       92
        
           // iframe, this try catch block is to avoid

     

       62
       93
        
           // "Failed to enumerate the properties of 'Storage': access is denied for this document"

     

       63
       63
       -
           keys.push(...Object.getOwnPropertyNames(target));

     

       64
       64
       -
         } catch (e) {}

     

       94
       94
       +
           keys.push(..._getOwnPropertyNames(target));

     

       95
       95
       +
         } catch (_error) {

     

       96
       96
       +
           keys.push(..._keys(target));

     

       97
       97
       +
         }

     

       65
       98
        
       

     

       99
       99
       +
         const seen = new Set();

     

       66
       100
        
         for (let i = 0; i < keys.length; i++) {

     

       67
       101
        
           const key = keys[i];

     

       68
       68
       -
           if (

     

       102
       102
       +
           if (seen.has(key)) {

     

       103
       103
       +
             continue;

     

       104
       104
       +
           } else if (

     

       69
       105
        
             key !== 'prototype' &&

     

       70
       106
        
             (typeof standin !== 'function' || (key !== 'arguments' && key !== 'caller'))

     

       71
       107
        
           ) {

     

       72
       72
       -
             Object.defineProperty(standin, key, {

     

       73
       73
       -
               enumerable: true,

     

       74
       74
       -
               get: safeKey(target, key)

     

       75
       75
       -
                 ? () => {

     

       76
       76
       -
                     return typeof target[key] === 'function' ||

     

       77
       77
       -
                       typeof target[key] === 'object'

     

       78
       78
       -
                       ? mask(target[key])

     

       79
       79
       -
                       : target[key];

     

       108
       108
       +
             seen.add(key);

     

       109
       109
       +
             const descriptor = _getOwnPropertyDescriptor(standin, key) || {};

     

       110
       110
       +
             if (descriptor.configurable) {

     

       111
       111
       +
               _defineProperty(standin, key, {

     

       112
       112
       +
                 enumerable: descriptor.enumerable,

     

       113
       113
       +
                 configurable: descriptor.configurable,

     

       114
       114
       +
                 get: (() => {

     

       115
       115
       +
                   if (!safeKey(target, key)) {

     

       116
       116
       +
                     return noop;

     

       117
       117
       +
                   } if (toplevel) {

     

       118
       118
       +
                     try {

     

       119
       119
       +
                       const value = mask(target[key], false);

     

       120
       120
       +
                       return () => value;

     

       121
       121
       +
                     } catch (_error) {

     

       122
       122
       +
                       return noop;

     

       123
       123
       +
                     }

     

       124
       124
       +
                   } else {

     

       125
       125
       +
                     return () => mask(target[key], false);

     

       80
       126
        
                   }

     

       81
       81
       -
                 : noop,

     

       82
       82
       -
             });

     

       127
       127
       +
                 })(),

     

       128
       128
       +
               });

     

       129
       129
       +
             }

     

       83
       130
        
           }

     

       84
       131
        
         }

     

       85
       85
       -
         if (standin.prototype != null)

     

       86
       86
       -
           standin.prototype = freeze(Object.create(null));

     

       87
       87
       -
         return freeze(standin);

     

       132
       132
       +
       

     

       133
       133
       +
         if (standin.prototype != null) {

     

       134
       134
       +
           standin.prototype = _create(null);

     

       135
       135
       +
         }

     

       136
       136
       +
       

     

       137
       137
       +
         return toplevel ? standin : freeze(standin);

     

       88
       138
        
       }

     

       89
       139
        
       

     

       90
       140
        
       let safeGlobal: Record<string | symbol, unknown> | void;

     
···

       103
       153
        
       

     

       104
       154
        
         // Get all available global names on `globalThis` and remove keys that are

     

       105
       155
        
         // explicitly ignored

     

       106
       106
       -
         const trueGlobalKeys = Object.getOwnPropertyNames(trueGlobal).filter(

     

       156
       156
       +
         const trueGlobalKeys = _getOwnPropertyNames(trueGlobal).filter(

     

       107
       157
        
           key => !ignore[key]

     

       108
       158
        
         );

     

       109
       159
        
       

     
···

       122
       172
        
             document.head.appendChild(iframe);

     

       123
       173
        
             // We copy over all known globals (as seen on the original `globalThis`)

     

       124
       174
        
             // from the new global we receive from the iframe

     

       125
       125
       -
             vmGlobals = Object.create(null);

     

       175
       175
       +
             vmGlobals = _create(null);

     

       126
       176
        
             for (let i = 0, l = trueGlobalKeys.length; i < l; i++) {

     

       127
       177
        
               const key = trueGlobalKeys[i];

     

       128
       178
        
               vmGlobals[key] = iframe.contentWindow![key];

     
···

       133
       183
        
           } finally {

     

       134
       184
        
             if (iframe) iframe.remove();

     

       135
       185
        
           }

     

       186
       186
       +
         } else if (typeof require === 'function') {

     

       187
       187
       +
           vmGlobals = _create(null);

     

       188
       188
       +
           const scriptGlobal = new (require('vm').Script)('exports = globalThis').runInNewContext({}).exports;

     

       189
       189
       +
           for (let i = 0, l = trueGlobalKeys.length; i < l; i++) {

     

       190
       190
       +
             const key = trueGlobalKeys[i];

     

       191
       191
       +
             vmGlobals[key] = scriptGlobal[key];

     

       192
       192
       +
           }

     

       136
       193
        
         }

     

       137
       194
        
       

     

       138
       138
       -
         safeGlobal = Object.create(null);

     

       195
       195
       +
         safeGlobal = _create(null);

     

       139
       196
        
       

     

       140
       197
        
         // The safe global is initialised by copying all values from either `globalThis`

     

       141
       198
        
         // or the isolated global. They're wrapped using `withProxy` which further disallows

     

       142
       199
        
         // certain key accesses

     

       143
       200
        
         for (let i = 0, l = trueGlobalKeys.length; i < l; i++) {

     

       144
       201
        
           const key = trueGlobalKeys[i];

     

       145
       145
       -
           safeGlobal[key] = mask(vmGlobals[key]);

     

       202
       202
       +
           safeGlobal[key] = mask(vmGlobals[key], true);

     

       146
       203
        
         }

     

       147
       204
        
       

     

       148
       205
        
         // We then reset all globals that are present on `globalThis` directly

     
···

       151
       208
        
         for (const key in ignore) safeGlobal[key] = undefined;

     

       152
       209
        
         // It _might_ be safe to expose the Function constructor like this... who knows

     

       153
       210
        
         safeGlobal!.Function = SafeFunction;

     

       211
       211
       +
       

     

       154
       212
        
         // Lastly, we also disallow certain property accesses on the safe global

     

       155
       213
        
         // Wrap any given target with a Proxy preventing access to unscopables

     

       156
       214
        
         if (typeof Proxy === 'function') {

     
···

       159
       217
        
             // Return a value, if it's allowed to be returned and mask this value

     

       160
       218
        
             get(target, _key) {

     

       161
       219
        
               const key = safeKey(target, _key);

     

       162
       162
       -
               return key !== undefined ? target[key] : undefined;

     

       220
       220
       +
               return !ignore[_key] && key !== undefined ? target[key] : undefined;

     

       163
       221
        
             },

     

       164
       222
        
             has(_target, _key) {

     

       165
       223
        
               return true;

     
···

       171
       229
        
           }));

     

       172
       230
        
         } else {

     

       173
       231
        
           // NOTE: Some property accesses may leak through here without the Proxy

     

       174
       174
       -
           return (safeGlobal = mask(safeGlobal));

     

       232
       232
       +
           return freeze(safeGlobal!);

     

       175
       233
        
         }

     

       176
       234
        
       }

     

       177
       235

+1 -1

tsconfig.json

···

       1
       1
        
       {

     

       2
       2
        
         "compilerOptions": {

     

       3
       3
       -
           "types": [],

     

       3
       3
       +
           "types": ["node"],

     

       4
       4
        
           "baseUrl": "./",

     

       5
       5
        
           "esModuleInterop": true,

     

       6
       6
        
           "forceConsistentCasingInFileNames": true,

yarn.lock

···

       136
       136
        
         resolved "https://registry.yarnpkg.com/@types/node/-/node-18.0.4.tgz#48aedbf35efb3af1248e4cd4d792c730290cd5d6"

     

       137
       137
        
         integrity sha512-M0+G6V0Y4YV8cqzHssZpaNCqvYwlCiulmm0PwpNLF55r/+cT8Ol42CHRU1SEaYFH2rTwiiE1aYg/2g2rrtGdPA==

     

       138
       138
        
       

     

       139
       139
       +
       "@types/node@^18.0.6":

     

       140
       140
       +
         version "18.0.6"

     

       141
       141
       +
         resolved "https://registry.yarnpkg.com/@types/node/-/node-18.0.6.tgz#0ba49ac517ad69abe7a1508bc9b3a5483df9d5d7"

     

       142
       142
       +
         integrity sha512-/xUq6H2aQm261exT6iZTMifUySEt4GR5KX8eYyY+C4MSNPqSh9oNIP7tz2GLKTlFaiBbgZNxffoR3CVRG+cljw==

     

       143
       143
       +
       

     

       139
       144
        
       "@types/parse-json@^4.0.0":

     

       140
       145
        
         version "4.0.0"

     

       141
       146
        
         resolved "https://registry.yarnpkg.com/@types/parse-json/-/parse-json-4.0.0.tgz#2f8bb441434d163b35fb8ffdccd7138927ffb8c0"

Compare changes