fix(store-devtools): replace direct with indirect eval (#4216)

Closes #4213
ngrx · Jan 31, 2024 · 1df0eb5 · 1df0eb5
1 parent fa45d92
commit 1df0eb5
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/modules/store-devtools/spec/extension.spec.ts b/modules/store-devtools/spec/extension.spec.ts
@@ -4,6 +4,7 @@ import {
   ReduxDevtoolsExtensionConnection,
   ReduxDevtoolsExtensionConfig,
   REDUX_DEVTOOLS_EXTENSION,
+  ExtensionActionTypes,
 } from './../src/extension';
 import { Action } from '@ngrx/store';
 
@@ -182,6 +183,36 @@ describe('DevtoolsExtension', () => {
     );
   });
 
+  for (const { payload, name } of [
+    {
+      payload: "{type: '[Books] Rent', id: 5, customerId: 12}",
+      name: 'evaluates payload because of string',
+    },
+    {
+      payload: { type: '[Books] Rent', id: 5, customerId: 12 },
+      name: 'passes payload through if not of type string',
+    },
+  ]) {
+    it(`should handle an unlifted action (dispatched by DevTools) - ${name}`, () => {
+      const { devtoolsExtension, extensionConnection } = testSetup({
+        config: createConfig({}),
+      });
+      let unwrappedAction: Action | undefined = undefined;
+      devtoolsExtension.actions$.subscribe((action) => {
+        return (unwrappedAction = action);
+      });
+
+      const [callback] = extensionConnection.subscribe.calls.mostRecent().args;
+      callback({ type: ExtensionActionTypes.START });
+      callback({ type: ExtensionActionTypes.ACTION, payload });
+      expect(unwrappedAction).toEqual({
+        type: '[Books] Rent',
+        id: 5,
+        customerId: 12,
+      });
+    });
+  }
+
   describe('notify', () => {
     it('should send notification with default options', () => {
       const { devtoolsExtension, reduxDevtoolsExtension } = testSetup({

diff --git a/modules/store-devtools/src/extension.ts b/modules/store-devtools/src/extension.ts
@@ -247,7 +247,8 @@ export class DevtoolsExtension {
   }
 
   private unwrapAction(action: Action) {
-    return typeof action === 'string' ? eval(`(${action})`) : action;
+    // indirect eval according to https://esbuild.github.io/content-types/#direct-eval
+    return typeof action === 'string' ? (0, eval)(`(${action})`) : action;
   }
 
   private getExtensionConfig(config: StoreDevtoolsConfig) {