Clean up vulnerability on function prototype in browser

We were calling the function with fn.apply(0, ...) which caused the `this` object to be a number, leaking the Number prototype into the environment and allowing access to outside variables. We instead now use an object with no prototype. It incidentally tackles part of #9 in the browser context.
espadrine · Oct 2, 2021 · 823f112 · 823f112
1 parent f57ae5f
commit 823f112
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/localeval.js b/localeval.js
@@ -221,7 +221,7 @@ if (node_js) {
           + '\nreturn eval(' + sourceStr + ')'));
     f.displayName = 'sandbox';
     alienate();
-    var ret = f.apply(0, builtins.concat(sandbox));
+    var ret = f.apply(Object.create(null), builtins.concat(sandbox));
     unalienate();
     return ret;
   };