
Fixed: security issue due to the usage of ``eval()``.

This is to avoid arbitrary code execution.
Now operations are resolved using
[``math-expression-evaluator``](https://github.com/redhivesoftware/math-expression-evaluator)
MoOx committed Aug 22, 2016
1 parent da7bce7 commit aebe8f7adce937c0fec4c1315e4113ef74cadb6a
Showing with 12 additions and 2 deletions.
  1. +5 −0 CHANGELOG.md
  2. +6 −1 index.js
  3. +1 −1 package.json
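As an added illustration of the approach this commit takes (not code from reduce-css-calc or math-expression-evaluator): a minimal recursive-descent evaluator that accepts only the arithmetic subset a reduced calc() expression needs, so input that is not plain arithmetic is rejected with an error rather than executed as JavaScript, which is what `eval()` would do.

```javascript
// Added example, not part of reduce-css-calc: evaluate "number + - * / ( )"
// expressions only. Leading-dot numbers such as ".5" are accepted directly,
// so no " 0$1" padding step is needed.
function safeEval(expr) {
  // Tokenize into numbers, operators and parentheses; any other
  // non-whitespace character becomes a token that the parser rejects.
  var tokens = expr.match(/\d*\.?\d+|[-+*/()]|\S/g) || [];
  var pos = 0;
  function peek() { return tokens[pos]; }
  function next() { return tokens[pos++]; }
  function fail(t) { throw new Error("Unexpected token: " + t); }
  // expr := term (('+' | '-') term)*
  function parseExpr() {
    var v = parseTerm();
    while (peek() === "+" || peek() === "-") {
      v = next() === "+" ? v + parseTerm() : v - parseTerm();
    }
    return v;
  }
  // term := factor (('*' | '/') factor)*
  function parseTerm() {
    var v = parseFactor();
    while (peek() === "*" || peek() === "/") {
      v = next() === "*" ? v * parseFactor() : v / parseFactor();
    }
    return v;
  }
  // factor := '-' factor | '(' expr ')' | number
  function parseFactor() {
    var t = next();
    if (t === "-") return -parseFactor();
    if (t === "(") {
      var v = parseExpr();
      if (next() !== ")") fail(")");
      return v;
    }
    if (t !== undefined && /^\d*\.?\d+$/.test(t)) return parseFloat(t);
    fail(t);
  }
  var result = parseExpr();
  // Leftover tokens (e.g. "1 2" or "1e3") mean the input was not one expression.
  if (pos !== tokens.length) fail(peek());
  return result;
}
```

A caller wanting the same fallback behaviour as reduceCSSCalc can wrap `safeEval` in try/catch and return the original calc() string on error.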
@@ -1,3 +1,8 @@
- Fixed: security issue due to the usage of ``eval()``.
This is to avoid an arbitrary code execution.
Now operations are resolved using
[``math-expression-evaluator``](https://github.com/redhivesoftware/math-expression-evaluator)

fengmk2 Aug 22, 2016

@MoOx math-expression-evaluator has a serious bug redhivesoftware/math-expression-evaluator#2 and it breaks Array.prototype.indexOf, can we revert this commit before math-expression-evaluator publishes a new version?

MoOx Aug 22, 2016

Owner

The security issue is (imo) more dangerous than this bug.
You can still use npm shrinkwrap until the PR is merged and released.

f111fei Aug 22, 2016

@MoOx in my case, npm shrinkwrap only adds the dependencies, we remove all of the devDependencies from npm-shrinkwrap.json.

TheSpyder Aug 22, 2016

Don't underestimate how many people rely on postcss-calc. A broken indexOf is a very serious thing. If my PR to math-expression-evaluator is merged quickly, great, but if left unchecked this may turn into another leftpad. Someone's already linked my issue here to a failure in cssnano.

MoOx Aug 22, 2016

Owner

This change has been introduced BECAUSE many people rely on postcss-calc.
# 1.2.4 - 2016-06-09

- Fixed: zero values are not unitless anymore.
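Review bot: the new entry is inserted above `# 1.2.4 - 2016-06-09` without a version heading of its own, so it reads as belonging to no release, and package.json still carries `"version": "1.2.4"` in this commit; add a heading (`# Unreleased`, or the version that will ship the fix) above `- Fixed: security issue due to the usage of ``eval()``.` so consumers can tell which release removed eval().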
@@ -3,6 +3,7 @@
*/
var balanced = require("balanced-match")
var reduceFunctionCall = require("reduce-function-call")
var mexp = require("math-expression-evaluator")

/**
* Constantes
@@ -31,6 +32,10 @@ function reduceCSSCalc(value, decimalPrecision) {
stack = 0
decimalPrecision = Math.pow(10, decimalPrecision === undefined ? 5 : decimalPrecision)

// CSS allow to omit 0 for 0.* values,
// but math-expression-evaluator does not
value = value.replace(/\s(\.[0-9])/g, " 0$1")

/**
* Evaluates an expression
*
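Review bot: the normalisation `value = value.replace(/\s(\.[0-9])/g, " 0$1")` only pads a leading-dot number that follows whitespace, so `.5` at the very start of the string or directly after `(` is still handed to math-expression-evaluator unpadded and, per the comment in this hunk, will be rejected; match start-of-string and an opening parenthesis as well, for example `value.replace(/(^|[\s(])\.([0-9])/g, function (m, pre, d) { return pre + "0." + d })`, and fix `CSS allow` to `CSS allows` in the comment.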
@@ -72,7 +77,7 @@ function reduceCSSCalc(value, decimalPrecision) {
var result

try {
result = eval(toEvaluate)
result = mexp.eval(toEvaluate)
}
catch (e) {
return functionIdentifier + "(" + expression + ")"
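Review bot: replacing `eval(toEvaluate)` with `mexp.eval(toEvaluate)` keeps the same catch branch, which returns `functionIdentifier + "(" + expression + ")"` unchanged for anything the new evaluator rejects, so any expression that math-expression-evaluator parses differently from JavaScript now silently comes back unreduced instead of surfacing as an error; add a regression test over a representative set of calc() expressions asserting that they still reduce, so grammar differences are caught rather than hidden by the fallback.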
@@ -1,4 +1,3 @@

{
"name": "reduce-css-calc",
"version": "1.2.4",
@@ -16,6 +15,7 @@
],
"dependencies": {
"balanced-match": "^0.1.0",
"math-expression-evaluator": "^1.2.9",
"reduce-function-call": "^1.0.1"
},
"devDependencies": {
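Review bot: `"math-expression-evaluator": "^1.2.9"` accepts every later 1.x release, and the comments on the CHANGELOG hunk above report that the library breaks `Array.prototype.indexOf` for every consumer; consider pinning an exact version (or shipping an npm-shrinkwrap.json) until the upstream fix is published, and add a test that `Array.prototype.indexOf` is unchanged after `require("math-expression-evaluator")` so a release that patches built-ins is caught before it reaches postcss-calc users.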

0 comments on commit aebe8f7