
Conversation

@jorenbroekema

@sei-vsarvepalli

Please take a look. I tried to incorporate the fix in the code and clean it up a little, but I'm left with 2 failing tests, which also fail on your branch.
Need some help fixing those tests (or the implementation). Then happy to merge.

jorenbroekema and others added 3 commits January 10, 2024 20:37
Co-authored-by: Vijay Sarvepalli <vssarvepalli@cert.org>
@jorenbroekema jorenbroekema mentioned this pull request Nov 25, 2025
// function definition is included in registered functions
if (Object.values(expr.functions).includes(f)) return true;
// marked as safe already
if (f.__expr_eval_safe_def) return true;


This line is problematic; we should remove it and move to a more reliable way, as this __expr_eval_safe_def can be user defined. It is not safe to trust it.
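An added illustration of the point in this comment (not code from expr-eval or from either branch): the weak check mirrors the snippet's fallback on `__expr_eval_safe_def`, while the strict version relies only on identity membership in the registered-function table. The names `registeredFunctions`, `isSafeFunctionWeak` and `isSafeFunctionStrict` are assumptions standing in for the library's own.

```javascript
// Added illustration; not expr-eval's own code.
// `registeredFunctions` stands in for `expr.functions`.
const registeredFunctions = {
  abs: Math.abs,
  max: Math.max,
};

// Weak check: after the allowlist lookup it falls through to a marker
// property read off the value itself. Any object an expression can
// produce may carry that property, so the marker proves nothing.
function isSafeFunctionWeak(f) {
  if (Object.values(registeredFunctions).includes(f)) return true;
  if (f && f.__expr_eval_safe_def) return true;
  return false;
}

// Strict check: only identity membership in the registration table counts.
// The WeakSet must be rebuilt whenever the table changes; properties on
// `f` cannot influence the lookup.
const registeredSet = new WeakSet(Object.values(registeredFunctions));
function isSafeFunctionStrict(f) {
  return typeof f === 'function' && registeredSet.has(f);
}

// Constructed input: a function that was never registered but has been
// tagged with the marker property, as a user-supplied object could be.
const unregistered = function () { return 'not registered'; };
unregistered.__expr_eval_safe_def = true;

function demo() {
  return {
    weakAcceptsRegistered: isSafeFunctionWeak(Math.abs),
    weakAcceptsTagged: isSafeFunctionWeak(unregistered), // true: the defect
    strictAcceptsRegistered: isSafeFunctionStrict(Math.abs),
    strictRejectsTagged: !isSafeFunctionStrict(unregistered),
    strictRejectsNonFunction: !isSafeFunctionStrict({ __expr_eval_safe_def: true }),
  };
}
```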

@sei-vsarvepalli

Yeh - needs a little more work, I think.


See my https://github.com/sei-vsarvepalli/expr-eval-secure/tree/member-access branch, which should fix all the tests and the further security problems that were found from using the __expr_eval_safe_def property, which can be object-defined and NOT trusted.

Please test, fix any READMEs, indentation etc. and release at your convenience.

@sei-vsarvepalli

Hello @jorenbroekema,

Any questions, or any feedback you need?

@Mwpereira

Hi @sei-vsarvepalli, while I appreciate the efforts of this fork, I am creating an actively maintained, community-driven fork of expr-eval to address this fix and future ones. I have also been awaiting this security patch and figured to move forward with a fork of my own. 🙂

If you would like, please open a pull request addressing this change, which you have done here, or I will go ahead and make the change by the end of the day tomorrow. expr-eval-community

Thank you!

@jorenbroekema


Or you could raise a PR to this branch to fix it with @sei-vsarvepalli's tips; also happy to invite you as a collaborator to this one if that helps. I think more forks will just increase friction, right?

I just haven't found the time (unemployed, looking for a new job, Christmas holidays coming up etc.) to wrap this up myself, but happy to get help on it.

