I was looking at patriksimek/vm2#32 - The implementation in vm2 has patched a lot of vulnerabilities but there are a ton of problems because of trying to prevent all backdoors.
According to patriksimek/vm2#32 (comment) the only way to fix this class of vulnerabilities is completely disabling `eval` with a C++ addon. And in the best case scenario you are still vulnerable to DoS attacks.
The code of `safe-eval` is way too simple. #15 is a futile effort.
I just think that the name of this module is misleading. People may think (like I did) that `safe-eval` is reasonably secure but it is far from the truth.
In my humble opinion, `safe-eval` should just be marked as vulnerable and the `README.md` should have a very noticeable disclaimer about not being safe.