From 9d683f95d3c14678d05f218e748be91e1a84023c Mon Sep 17 00:00:00 2001 From: Jan Krems Date: Sun, 11 Jan 2015 11:54:13 -0800 Subject: [PATCH] Use `vm.runInThisContext` instead of eval Fixes #17 While this gets rid of `eval` in node or in "mixed" environments like node-webkit or Atom Shell apps, it still resolves to eval when using browserify. For a solution that is compatible with CSP policies we'd need actual parsing of the literals (wish coffee-script would do it). See: * https://github.com/substack/vm-browserify/blob/bfd7c5f59edec856dc7efe0b77a4f6b2fa20f226/index.js#L105 --- lib/parse.js | 12 +++++++++--- src/parse.coffee | 13 +++++++++++-- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/lib/parse.js b/lib/parse.js index abed3c5..7cb91fc 100644 --- a/lib/parse.js +++ b/lib/parse.js @@ -31,7 +31,9 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -var defaultReviver, nodeTypeString, nodes, parse, syntaxErrorMessage; +var defaultReviver, nodeTypeString, nodes, parse, parseStringLiteral, runInThisContext, syntaxErrorMessage; + +runInThisContext = require('vm').runInThisContext; nodes = require('coffee-script').nodes; @@ -55,6 +57,10 @@ syntaxErrorMessage = function(csNode, msg) { return "Syntax error on line " + line + ", column " + column + ": " + msg; }; +parseStringLiteral = function(literal) { + return runInThisContext(literal); +}; + parse = function(source, reviver) { var coffeeAst, contextObj, isLiteral, nodeTransforms, parsed, transformKey, transformNode; if (reviver == null) { @@ -83,7 +89,7 @@ parse = function(source, reviver) { value = node.value; try { if (value[0] === "'") { - return eval(value); + return parseStringLiteral(value); } else { return JSON.parse(value); } @@ -172,7 +178,7 @@ parse = function(source, reviver) { value = csNode.base.value; switch (value[0]) { case '\'': - return eval(value); + return parseStringLiteral(value); case '"': return JSON.parse(value); default: diff --git a/src/parse.coffee b/src/parse.coffee index 8a16089..ce205f9 100644 --- a/src/parse.coffee +++ b/src/parse.coffee @@ -30,6 +30,8 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ### +{runInThisContext} = require 'vm' + {nodes} = require 'coffee-script' defaultReviver = (key, value) -> value @@ -46,6 +48,13 @@ syntaxErrorMessage = (csNode, msg) -> column = columnIdx + 1 if columnIdx? "Syntax error on line #{line}, column #{column}: #{msg}" +parseStringLiteral = (literal) -> + # In theory this could be replaced by properly resolving + # escape sequences etc. + # We trust the coffee-script lexer to make sure it's just + # a strings and running it has no side effects. + runInThisContext literal + # See: # http://www.ecma-international.org/ecma-262/5.1/#sec-15.12.2 parse = (source, reviver = defaultReviver) -> @@ -69,7 +78,7 @@ parse = (source, reviver = defaultReviver) -> {value} = node try if value[0] == "'" - eval value # we trust the lexer here + parseStringLiteral value else JSON.parse value catch err @@ -138,7 +147,7 @@ parse = (source, reviver = defaultReviver) -> when 'Value' {value} = csNode.base switch value[0] - when '\'' then eval value # we trust the lexer here + when '\'' then parseStringLiteral value when '"' then JSON.parse value else value