Prevent arbitrary js code execution
PR-URL: #16
tshemsedinov committed May 17, 2022
1 parent 2dd5efe commit 625c23d
Showing 3 changed files with 31 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,8 @@

## [Unreleased][unreleased]

- Prevent arbitrary js code execution

## [0.0.1][] - 2022-05-13

- First simple implementation
14 changes: 13 additions & 1 deletion lib/sheet.js
Expand Up @@ -2,8 +2,20 @@

const metavm = require('metavm');

const wrap = (target) =>
new Proxy(target, {
get: (target, prop) => {
if (prop === 'constructor') return null;
const value = target[prop];
if (typeof value === 'number') return value;
return wrap(value);
},
});

const math = wrap(Math);

const getValue = (target, prop) => {
if (prop === 'Math') return Math;
if (prop === 'Math') return math;
const { expressions, data } = target;
if (!expressions.has(prop)) return data.get(prop);
const expression = expressions.get(prop);
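Review bot: The `wrap` proxy (hunk lines 28-36) traps only `get`, so a host object reached by any other route comes back raw: `Math.sqrt.bind()` returns a bound function whose `constructor` is the host `Function`, and `Object.getPrototypeOf(Math)` or `Object.getOwnPropertyDescriptor(Math, 'sqrt').value` hand out `Object.prototype` and the real `Math.sqrt`, each one property away from the `constructor.constructor` chain this commit blocks (this matters if metavm evaluates expressions in a separate realm, which the fix presupposes). The `return wrap(value)` fallthrough also throws for every non-number primitive, since `new Proxy(undefined, …)` is a TypeError, so `Math.foo` or the `Symbol.toPrimitive` lookup done by `` `${Math}` `` now fails instead of yielding `undefined`. I would pass primitives through untouched, proxy a throw-away null-prototype shadow so no proxy invariant can force a genuine descriptor or prototype out, and wrap the results of calls and prototype lookups as well. `getValue` continues past the end of the hunk.
```javascript
const wrap = (value) => {
  // Primitives carry no reference back to the host realm: pass them through.
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return value;
  }
  // Shadow target: the real object lives only in the closure, so proxy
  // invariants can never force a real descriptor or prototype to leak.
  const shadow = typeof value === 'function' ? () => {} : Object.create(null);
  return new Proxy(shadow, {
    get: (_, prop) =>
      prop === 'constructor' || prop === '__proto__' ? null : wrap(value[prop]),
    // Call results (e.g. from bind/call/apply) are wrapped too, not only reads.
    apply: (_, thisArg, args) => wrap(Reflect.apply(value, thisArg, args)),
    construct: () => {
      throw new TypeError('Not constructible');
    },
    getPrototypeOf: () => null,
    getOwnPropertyDescriptor: () => undefined,
    set: () => false,
    defineProperty: () => false,
  });
};

const math = wrap(Math);
```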
16 changes: 16 additions & 0 deletions test/unit.js
Expand Up @@ -48,3 +48,19 @@ metatests.test('JavaScript Math', async (test) => {
test.strictSame(sheet.values['I1'], Math.sin(Math.sqrt(Math.pow(100, -2))));
test.end();
});

metatests.test('Prevent arbitrary js code execution', async (test) => {
const sheet = new Sheet();
sheet.cells['A1'] =
'=Math.constructor.constructor("console.log(\\"Hello, World!\\")")();';
try {
const res = sheet.values['A1'];
test.strictSame(res, undefined);
} catch (error) {
test.strictSame(
error.message,
`Cannot read property '${'constructor'}' of null`
);
}
test.end();
});
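Review bot: The catch branch (hunk lines 61-64) pins the exact V8 wording of the null-dereference message, and recent V8 releases phrase it as `Cannot read properties of null (reading 'constructor')`, so on a newer Node the test fails for a reason unrelated to the fix; the `${'constructor'}` interpolation of a literal also adds nothing. Asserting the error class instead, `test.strictSame(error.name, 'TypeError');`, is independent of engine version and of which realm raised the error. The try branch accepts an `undefined` result as success as well, so the test passes whether the read throws or silently yields nothing; if the TypeError is the intended outcome, replace `test.strictSame(res, undefined);` with `test.fail('expected a TypeError');` so both paths are checked. A second cell that goes through a call result rather than a property read, `=Math.sqrt.bind().constructor("…")()`, would exercise a path the proxy's `get` trap does not see.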
