fix(store-devtools): replace direct with indirect eval (#4216)

rainerhahnekamp · web-flow · commit 1df0eb5d50fe · 2024-01-31T15:07:19.000+01:00
Closes #4213
diff --git a/modules/store-devtools/spec/extension.spec.ts b/modules/store-devtools/spec/extension.spec.ts
@@ -4,6 +4,7 @@ import {
   ReduxDevtoolsExtensionConnection,
   ReduxDevtoolsExtensionConfig,
   REDUX_DEVTOOLS_EXTENSION,
+  ExtensionActionTypes,
 } from './../src/extension';
 import { Action } from '@ngrx/store';
 
@@ -182,6 +183,36 @@ describe('DevtoolsExtension', () => {
     );
   });
 
+  for (const { payload, name } of [
+    {
+      payload: "{type: '[Books] Rent', id: 5, customerId: 12}",
+      name: 'evaluates payload because of string',
+    },
+    {
+      payload: { type: '[Books] Rent', id: 5, customerId: 12 },
+      name: 'passes payload through if not of type string',
+    },
+  ]) {
+    it(`should handle an unlifted action (dispatched by DevTools) - ${name}`, () => {
+      const { devtoolsExtension, extensionConnection } = testSetup({
+        config: createConfig({}),
+      });
+      let unwrappedAction: Action | undefined = undefined;
+      devtoolsExtension.actions$.subscribe((action) => {
+        return (unwrappedAction = action);
+      });
+
+      const [callback] = extensionConnection.subscribe.calls.mostRecent().args;
+      callback({ type: ExtensionActionTypes.START });
+      callback({ type: ExtensionActionTypes.ACTION, payload });
+      expect(unwrappedAction).toEqual({
+        type: '[Books] Rent',
+        id: 5,
+        customerId: 12,
+      });
+    });
+  }
+
   describe('notify', () => {
     it('should send notification with default options', () => {
       const { devtoolsExtension, reduxDevtoolsExtension } = testSetup({
diff --git a/modules/store-devtools/src/extension.ts b/modules/store-devtools/src/extension.ts
@@ -247,7 +247,8 @@ export class DevtoolsExtension {
   }
 
   private unwrapAction(action: Action) {
-    return typeof action === 'string' ? eval(`(${action})`) : action;
+    // indirect eval according to https://esbuild.github.io/content-types/#direct-eval
+    return typeof action === 'string' ? (0, eval)(`(${action})`) : action;
   }
 
   private getExtensionConfig(config: StoreDevtoolsConfig) {

Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,8 @@ export class DevtoolsExtension {`
`247`	`247`	`}`
`248`	`248`
`249`	`249`	`private unwrapAction(action: Action) {`
`250`		- return typeof action === 'string' ? eval(`(${action})`) : action;
	`250`	`+ // indirect eval according to https://esbuild.github.io/content-types/#direct-eval`
	`251`	+ return typeof action === 'string' ? (0, eval)(`(${action})`) : action;
`251`	`252`	`}`
`252`	`253`
`253`	`254`	`private getExtensionConfig(config: StoreDevtoolsConfig) {`