This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fix code execution #1

Merged
merged 1 commit into from
Mar 31, 2021

Conversation

yoshino-s

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-expression-eval/

⚙️ Description *

Although we have declared in the README.md that this package should not be used with user-provided inputs, after I examined some projects that use this package, I found that many developers still use it that way, which may lead to serious security problems. So I think that we still need to do some basic things to prevent dangerous actions in the package itself.

💻 Technical Description *

With (1).constructor.constructor we can get the Function constructor, with which we can construct a function with any code in it; calling it leads to RCE.

🐛 Proof of Concept (PoC) *

// PoC.js
const {compile} = require("expression-eval");
var payload = "(1).constructor.constructor('', 'return process')()"
console.log(compile(payload)()); // will return process

🔥 Proof of Fix (PoF) *

// PoC.js
const {compile} = require("expression-eval");
var payload = "(1).constructor.constructor('', 'return process')()"
console.log(compile(payload)()); // will throw an error
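As an added illustration of the kind of package-level guard the description asks for (example code written for this page, not expression-eval's own fix or API): a small evaluator over a jsep-shaped AST refuses member names such as `constructor` and refuses any lookup that is not an own property of the value, so the PoC above is stopped at `(1).constructor` while ordinary data access over the caller's context keeps working. The helper names (`safeMember`, `evaluate`, `tryEvaluate`, `FORBIDDEN_MEMBERS`) and the hand-built sample ASTs are assumptions made here.

```javascript
'use strict';
// Added example, not expression-eval's own code: a member-access guard for an
// evaluator that walks a jsep-style AST. safeMember, evaluate, tryEvaluate and
// FORBIDDEN_MEMBERS are names chosen for this example, not the package's API.

// Property names that let an expression climb from an ordinary value to the
// Function constructor or to a prototype; none is needed in a data expression.
const FORBIDDEN_MEMBERS = new Set(['constructor', '__proto__', 'prototype']);

class UnsafeMemberAccess extends Error {}

// Resolve obj[name] only when name is not forbidden and is an own property of
// obj. Inherited properties such as (1).constructor are refused, so the
// prototype chain is never walked on behalf of the expression.
function safeMember(obj, name) {
  const key = typeof name === 'number' ? String(name) : name;
  if (typeof key !== 'string' || FORBIDDEN_MEMBERS.has(key)) {
    throw new UnsafeMemberAccess(`access to "${String(key)}" is not allowed`);
  }
  if (obj === null || obj === undefined) return undefined;
  if (!Object.prototype.hasOwnProperty.call(obj, key)) {
    throw new UnsafeMemberAccess(`"${key}" is not an own property of the object`);
  }
  return obj[key];
}

// Minimal evaluator over jsep-shaped nodes (Literal, Identifier,
// MemberExpression, CallExpression). Every property resolution, including
// identifier lookup against the context, goes through safeMember.
function evaluate(node, context) {
  switch (node.type) {
    case 'Literal':
      return node.value;
    case 'Identifier':
      // Identifiers resolve against the caller-supplied context only.
      return safeMember(context, node.name);
    case 'MemberExpression': {
      const object = evaluate(node.object, context);
      const key = node.computed ? evaluate(node.property, context) : node.property.name;
      return safeMember(object, key);
    }
    case 'CallExpression': {
      // Only functions reachable through guarded lookups can be called
      // (simplification: the call is made without a `this` binding).
      const fn = evaluate(node.callee, context);
      if (typeof fn !== 'function') throw new TypeError('callee is not a function');
      const args = node.arguments.map((arg) => evaluate(arg, context));
      return fn(...args);
    }
    default:
      throw new Error(`unsupported node type: ${node.type}`);
  }
}

// Wrap evaluation so a blocked lookup is reported instead of thrown.
function tryEvaluate(node, context) {
  try {
    return { blocked: false, value: evaluate(node, context) };
  } catch (err) {
    if (err instanceof UnsafeMemberAccess) return { blocked: true, reason: err.message };
    throw err;
  }
}

// Tiny AST builders so the constructed sample expressions stay readable.
const lit = (value) => ({ type: 'Literal', value });
const id = (name) => ({ type: 'Identifier', name });
const member = (object, name) => ({ type: 'MemberExpression', computed: false, object, property: id(name) });
const call = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });

// The PR's PoC, (1).constructor.constructor('', 'return process')(), as the
// jsep-shaped AST the evaluator would receive (hand-built here).
const POC_AST = call(
  call(member(member(lit(1), 'constructor'), 'constructor'), [lit(''), lit('return process')]),
  [],
);

// A benign expression, user.name, over a caller-supplied context.
const BENIGN_AST = member(id('user'), 'name');

// Run the guarded evaluator over the PoC, a data lookup and a context function.
function demo() {
  return {
    poc: tryEvaluate(POC_AST, {}),
    benign: tryEvaluate(BENIGN_AST, { user: { name: 'alice' } }),
    callable: tryEvaluate(call(id('max'), [lit(2), lit(5)]), { max: Math.max }),
  };
}

console.log(demo());
```

The own-property rule matters as much as the denylist: a list of forbidden names only helps if every path that resolves a property (non-computed and computed member access, identifier lookup, the receiver of a method call) runs the same check, which is why the example funnels all of them through one function.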

@huntr-helper
Member

👋 Hello, @donmccurdy. @yoshino-s has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@donmccurdy - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)


@donmccurdy

Although I do not think this is a package-level vulnerability, and the proposed fix does not fully eliminate it, I do think it's worthwhile to merge this fix into the repository, thanks! Further discussion in donmccurdy#52.

@huntr-helper - LGTM
