
cli: whitelist new V8 flag in NODE_OPTIONS

Explicitly whitelists --disallow-code-generation-from-strings in
NODE_OPTIONS as a new V8 flag. This flag prevents strings like eval()
from performing code generation.

PR-URL: #30094
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
codebytere committed Oct 23, 2019
1 parent 511f67b commit 1d89c5d1e16d67962db2735efc601b48bd78255d
Showing with 20 additions and 0 deletions.
  1. +10 −0 doc/api/cli.md
  2. +5 −0 doc/node.1
  3. +4 −0 src/node_options.cc
  4. +1 −0 test/parallel/test-cli-node-options.js
@@ -127,6 +127,15 @@ added: v12.0.0
Specify the file name of the CPU profile generated by `--cpu-prof`.

### `--disallow-code-generation-from-strings`
<!-- YAML
added: v9.8.0
-->

Make built-in language features like `eval` and `new Function` that generate
code from strings throw an exception instead. This does not affect the Node.js
`vm` module.

### `--enable-fips`
<!-- YAML
added: v6.0.0
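Review bot: The `added: v9.8.0` metadata on the new `--disallow-code-generation-from-strings` entry records when the flag itself became available, but nothing in the entry says when it became permitted in `NODE_OPTIONS`, which is what this commit changes. Consider recording that version in the YAML block or next to the NODE_OPTIONS list, so that readers on older releases do not assume the environment-variable form works for them. The closing sentence, "This does not affect the Node.js `vm` module", would also be more useful to anyone setting the flag for hardening if it stated outright that string-based code generation through `vm` stays available with the flag set.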
@@ -1079,6 +1088,7 @@ Node.js options that are allowed are:
V8 options that are allowed are:
<!-- node-options-v8 start -->
* `--abort-on-uncaught-exception`
* `--disallow-code-generation-from-strings`
* `--interpreted-frames-native-stack`
* `--max-old-space-size`
* `--perf-basic-prof-only-functions`
@@ -100,6 +100,11 @@ The default is
File name of the V8 CPU profile generated with
.Fl -cpu-prof
.
.It Fl -disallow-code-generation-from-strings
Make built-in language features like `eval` and `new Function` that generate
code from strings throw an exception instead. This does not affect the Node.js
`vm` module.
.
.It Fl -enable-fips
Enable FIPS-compliant crypto at startup.
Requires Node.js to be built with
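Review bot: The new `.It Fl -disallow-code-generation-from-strings` entry in doc/node.1 carries Markdown backticks (`eval`, `new Function`, `vm`) copied from cli.md, and a man page renderer will print them literally. The neighbouring entries use mdoc macros such as `.Fl` for inline markup, so the three identifiers should be marked up with the macros this file already uses, or written as plain words.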
@@ -589,6 +589,10 @@ PerIsolateOptionsParser::PerIsolateOptionsParser(
V8Option{},
kAllowedInEnvironment);
AddOption("--stack-trace-limit", "", V8Option{}, kAllowedInEnvironment);
AddOption("--disallow-code-generation-from-strings",
"disallow eval and friends",
V8Option{},
kAllowedInEnvironment);

#ifdef NODE_REPORT
AddOption("--report-uncaught-exception",
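Review bot: The help string "disallow eval and friends" on the new `AddOption` call is vaguer than the documentation added in the same commit, which names `eval` and `new Function` and says the `vm` module is unaffected. Since this text is what users see when they list the options, suggest wording that matches the docs, for example "disallow eval and new Function", so the scope of the restriction is not left to guesswork.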
@@ -60,6 +60,7 @@ if (common.hasCrypto) {

// V8 options
expect('--abort_on-uncaught_exception', 'B\n');
expect('--disallow-code-generation-from-strings', 'B\n');
expect('--max-old-space-size=0', 'B\n');
expect('--stack-trace-limit=100',
/(\s*at f \(\[eval\]:1:\d*\)\r?\n){100}/,
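Review bot: The added `expect('--disallow-code-generation-from-strings', 'B\n');` only checks that the process starts with the flag in `NODE_OPTIONS` and prints the same `B\n` as the neighbouring flags, so it would still pass if the flag were accepted but had no effect. Since the point of the flag is that `eval` and `new Function` throw, consider an additional case whose script calls `eval` and asserts on the resulting exception, in the way the `--stack-trace-limit=100` case just below checks observable behaviour with a regular expression.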
