Function('return this')() does not comply with no-unsafe-eval #4

Open
frankwaldal opened this issue Sep 20, 2021 · 0 comments

@frankwaldal

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch @nextpay/grpc-node-status-proto@2.0.2 for the project I'm working on.

The global variable Function('return this')(); doesn't comply with CSP no-unsafe-eval rule.
This is the same issue described in these two issues with the protobuf package: protocolbuffers/protobuf#6770 and protocolbuffers/protobuf#5464

We're patching our project with the following diff included from patch-package:

diff --git a/node_modules/@nextpay/grpc-node-status-proto/dist/google/code_pb.js b/node_modules/@nextpay/grpc-node-status-proto/dist/google/code_pb.js
index a2279f8..bdeec1d 100644
--- a/node_modules/@nextpay/grpc-node-status-proto/dist/google/code_pb.js
+++ b/node_modules/@nextpay/grpc-node-status-proto/dist/google/code_pb.js
@@ -9,7 +9,7 @@
 
 var jspb = require('google-protobuf');
 var goog = jspb;
-var global = Function('return this')();
+var global = (function() { return this || window || global || self; }).call(null);
 
 goog.exportSymbol('proto.google.rpc.Code', null, global);
 /**
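
Review bot: the bare window reference in the added var global line throws a ReferenceError wherever window is not declared, as soon as this is falsy. That is the case if the file is ever evaluated as strict-mode code (for example after being bundled as an ES module), because .call(null) then leaves this as null, and evaluation stops at window before self is tried. Guard each operand with a typeof check, such as typeof window !== 'undefined' ? window : ..., or use globalThis where the supported runtimes provide it.
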
diff --git a/node_modules/@nextpay/grpc-node-status-proto/dist/google/error_details_pb.js b/node_modules/@nextpay/grpc-node-status-proto/dist/google/error_details_pb.js
index 21b1308..47cb470 100644
--- a/node_modules/@nextpay/grpc-node-status-proto/dist/google/error_details_pb.js
+++ b/node_modules/@nextpay/grpc-node-status-proto/dist/google/error_details_pb.js
@@ -9,7 +9,7 @@
 
 var jspb = require('google-protobuf');
 var goog = jspb;
-var global = Function('return this')();
+var global = (function() { return this || window || global || self; }).call(null);
 
 var google_protobuf_duration_pb = require('google-protobuf/google/protobuf/duration_pb.js');
 goog.object.extend(proto, google_protobuf_duration_pb);
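
Review bot: the global operand inside the function on the added line does not reach the runtime's global object. The var global declared on that same line is hoisted, and because this file is a module loaded through require it is local to the module, so the operand reads that still-undefined variable and always falls through to self. Drop the operand or rename the local variable so the fallback chain does what it appears to do.
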
diff --git a/node_modules/@nextpay/grpc-node-status-proto/dist/google/status_pb.js b/node_modules/@nextpay/grpc-node-status-proto/dist/google/status_pb.js
index 2fb8b04..40d7347 100644
--- a/node_modules/@nextpay/grpc-node-status-proto/dist/google/status_pb.js
+++ b/node_modules/@nextpay/grpc-node-status-proto/dist/google/status_pb.js
@@ -9,7 +9,7 @@
 
 var jspb = require('google-protobuf');
 var goog = jspb;
-var global = Function('return this')();
+var global = (function() { return this || window || global || self; }).call(null);
 
 var google_protobuf_any_pb = require('google-protobuf/google/protobuf/any_pb.js');
 goog.object.extend(proto, google_protobuf_any_pb);
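
Review bot: the new var global line has no comment saying why Function('return this')() was replaced, and this is the third file under dist/ carrying the same hand edit. Add a one-line comment above it naming the CSP unsafe-eval restriction, and consider moving the lookup into one shared helper or fixing it where these _pb.js files are generated, so the three copies cannot drift apart.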

This issue body was partially generated by patch-package.
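
The restriction named in this issue can be reproduced outside a browser. The following is an added example, not code from the issue or from the package: it assumes Node's vm module with string code generation disabled is an adequate stand-in for a CSP without unsafe-eval, and the guarded lookup and all names in it are hypothetical.

```javascript
const vm = require('vm');

// The removed line, the line the patch adds, that same line as it behaves in
// strict-mode code, and an eval-free lookup (hypothetical, this example's own).
const CANDIDATES = {
  original: "Function('return this')()",
  patched: "(function() { return this || window || global || self; }).call(null)",
  patchedStrict:
    "(function() { 'use strict'; return this || window || global || self; }).call(null)",
  guarded:
    "(typeof globalThis !== 'undefined' ? globalThis :" +
    " typeof self !== 'undefined' ? self :" +
    " typeof window !== 'undefined' ? window : this)",
};

// Evaluate `source` in a fresh context where window, self and global are not
// defined. allowStrings=false makes V8 reject eval() and Function(), which is
// what a CSP without 'unsafe-eval' does in a browser.
function evaluate(source, allowStrings) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: allowStrings, wasm: false },
  });
  try {
    // Compare inside the context so identity is not affected by the vm boundary.
    const isGlobal = vm.runInContext('(' + source + ') === this', context);
    return { ok: true, isGlobal: isGlobal };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Result of every candidate under the eval ban.
function report() {
  const rows = {};
  for (const [name, source] of Object.entries(CANDIDATES)) {
    rows[name] = evaluate(source, false);
  }
  return rows;
}

console.log(report());
```
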
