In 032f343, some of the potentially dangerous functions were filtered, but as @rtcatc commented, there are many more dangerous functions in nodejs that can lead to RCE, for example the `Function` keyword.
At the same time, adding more filtering restrictions reduces how useful it is. Replacing pyexecjs with node_vm2 can handle js more safely, and can rely on vm2's updates. It can also execute reasonable "dangerous" functions such as a simple `eval`.
I'm not sure whether the code keeps the author's originally intended functionality.