deps(package): Update static-eval to 2.0 #35

@danez danez commented Oct 20, 2017


Tests fail

❯ yarn test                         
yarn run v1.2.1
$ tape test/*.js
TAP version 13
# assign
ok 1 should be equal
ok 2 should be equal
ok 3 should be equal
# assign comma
ok 4 should be equal
ok 5 should be equal
ok 6 should be equal
# readFileSync
ok 7 should be equal
ok 8 should be equal
# readFileSync attribute
ok 9 should be equal
ok 10 should be equal
# readFileSync attribute with multiple vars
ok 11 should be equal
ok 12 should be equal
# readFileSync attribute with multiple require vars
ok 13 should be equal
ok 14 should be equal
# readFileSync attribute with multiple require vars including an uninitalized var
ok 15 should be equal
ok 16 should be equal
# readFileSync attribute with multiple require vars x5
ok 17 should be equal
ok 18 should be equal
# readFileSync with bracket notation
ok 19 should be equal
ok 20 should be equal
# readFileSync attribute bracket notation
ok 21 should be equal
ok 22 should be equal
# function
ok 23 should be equal
# fs.readFile
not ok 24 should be equal
  ---
    operator: equal
    expected:
      'process.nextTick(function(){(function (err, src) {\n    console.log(src)\n})(null,"beep boop\\n")})'
    actual:
      'fs.readFile(__dirname + \'/x.txt\', function (err, src) {\n    console.log(src)\n})'
    at: ConcatStream.<anonymous> (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/index.js:36:43)
  ...
undefined:4
fs.readFile(__dirname + '/x.txt', function (err, src) {
^

ReferenceError: fs is not defined
    at eval (eval at <anonymous> (/Users/danieltschinder/Documents/Github/static-module/test/fs.js:20:9), <anonymous>:4:1)
    at /Users/danieltschinder/Documents/Github/static-module/test/fs.js:20:35
    at ConcatStream.<anonymous> (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/index.js:36:43)
    at emitNone (events.js:110:20)
    at ConcatStream.emit (events.js:207:7)
    at finishMaybe (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/node_modules/readable-stream/lib/_stream_writable.js:607:14)
    at endWritable (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/node_modules/readable-stream/lib/_stream_writable.js:615:3)
    at ConcatStream.Writable.end (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/node_modules/readable-stream/lib/_stream_writable.js:571:41)
    at DuplexWrapper.onend (/Users/danieltschinder/Documents/Github/static-module/node_modules/duplexer2/node_modules/readable-stream/lib/_stream_readable.js:537:10)
    at Object.onceWrapper (events.js:314:30)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

@daviddias

👍

goto-bus-stop added a commit that referenced this pull request Nov 18, 2017
builds on #35, but when static-eval cannot evaluate a callback function
because it is unsafe, this passes a proxy value. when the proxy callback
function is called, it throws an error, but when it is stringified (eg
in the generated output) it'll work.

this works with brfs, i haven't tried others yet.
@goto-bus-stop
Member

yeah--latest static-eval no longer supports all callbacks. I'm not sure which are supported and which are not but that's what was changed to fix the security issue. i tried working around that limitation in #38

goto-bus-stop added a commit that referenced this pull request Nov 19, 2017
* deps(package): Update static-eval to 2.0

Fixes https://nodesecurity.io/advisories/548

* use proxy value for callbacks when static-eval fails

builds on #35, but when static-eval cannot evaluate a callback function
because it is unsafe, this passes a proxy value. when the proxy callback
function is called, it throws an error, but when it is stringified (eg
in the generated output) it'll work.

this works with brfs, i haven't tried others yet.

* make sure `callee` exists

* ci: remove node 0.8, add new versions
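
The proxy-value idea from the commit message above, sketched as an added example (not static-module's or static-eval's own code). `makeCallbackProxy` and `inlineReadFile` are hypothetical names; the callback source and expected output are the ones shown in the failing `fs.readFile` test on this page.

```javascript
// Added illustration; not the project's implementation.

// Stand-in for a callback that the evaluator refused to turn into a live
// function. It carries the callback's source text, so it can be spliced
// into generated output, but it cannot be executed at build time.
function makeCallbackProxy(source) {
  function proxy() {
    throw new Error('callback was not statically evaluated; it can only be stringified');
  }
  // String concatenation and String(proxy) both go through toString().
  proxy.toString = function () { return source; };
  return proxy;
}

// Hypothetical transform handler in the style of the fs.readFile test:
// it never calls cb, it only embeds cb's source in the replacement code.
function inlineReadFile(contents, cb) {
  return 'process.nextTick(function(){(' + cb + ')(null,' +
    JSON.stringify(contents) + ')})';
}

// Returns true only if calling the proxy is rejected with an error.
function proxyRejectsCall(proxy) {
  try {
    proxy(null, 'data');
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample input: callback source from the test output above.
const SAMPLE_CALLBACK = 'function (err, src) {\n    console.log(src)\n}';

function demo() {
  const cb = makeCallbackProxy(SAMPLE_CALLBACK);
  return {
    output: inlineReadFile('beep boop\n', cb),
    rejectsCall: proxyRejectsCall(cb)
  };
}
```

A handler that invokes the callback during the build fails loudly instead of running source the evaluator considered unsafe, while a handler that only stringifies it keeps working.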
@yoshuawuyts

@goto-bus-stop looks like #38 fixes most of it?

@goto-bus-stop
Member

Yep! Thought this would autoclose. Thanks for the reminder
