Security Issues #18

Merged
merged 2 commits into from Oct 5, 2017

@matt-
Contributor

matt- commented Oct 5, 2017

This should address the unsafe code in ExpressionStatement / FunctionExpression blocks:

var src = '(function(){console.log(process.pid)})()';

As well as the issue described at #4. The current fix for this is to not allow any member expressions to resolve from a function.

[1,2,3].map // will be allowed
[1,2,3].map.constructor // should be blocked

I believe the next step should be to try to refactor out the dynamic Function call completely.
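The two rules described in the comment above, shown as an added illustration rather than static-eval's own code: a deny-by-default walker over hand-built ESTree-shaped nodes that refuses member access whose receiver is a function value (so `[1,2,3].map` resolves but `[1,2,3].map.constructor` does not, because `fn.constructor` is the `Function` constructor, which compiles code from strings) and refuses calls whose callee is a function expression (the IIFE form). The AST objects, the `safeEval`/`evaluate`/`evalMember` helpers and the `unsafe` marker are all assumptions made for this example; the real project parses source with a parser and supports more node types.

```javascript
// Added example, not static-eval's own code: a minimal whitelist evaluator over
// hand-built ESTree-shaped nodes that shows the two rules the PR describes.
//   Rule 1: a member expression may not resolve from a function value, so
//           [1,2,3].map is allowed but [1,2,3].map.constructor is refused.
//   Rule 2: a call whose callee is a function expression (an IIFE) is refused,
//           so (function(){ ... })() never runs.
// Anything not on the whitelist is refused as well: the walker fails closed.

function unsafe(reason) {
  const err = new Error('unsafe: ' + reason);
  err.unsafe = true;
  return err;
}

// Evaluate a node to a plain value; throws on anything outside the whitelist.
function evaluate(node) {
  switch (node.type) {
    case 'Literal':
      return node.value;
    case 'ArrayExpression':
      return node.elements.map(evaluate);
    case 'MemberExpression':
      return evalMember(node).value;
    case 'CallExpression': {
      // Rule 2: refuse immediately invoked function expressions outright.
      if (node.callee.type === 'FunctionExpression' ||
          node.callee.type === 'ArrowFunctionExpression') {
        throw unsafe('immediately invoked function expression');
      }
      // Only method calls on evaluated, non-function receivers are supported.
      if (node.callee.type !== 'MemberExpression') {
        throw unsafe('callee must be a member expression');
      }
      const { object, value: fn } = evalMember(node.callee);
      if (typeof fn !== 'function') throw unsafe('callee is not a function');
      const args = node.arguments.map(evaluate);
      return Reflect.apply(fn, object, args);
    }
    default:
      // Identifiers, object literals, bare function expressions, etc.
      throw unsafe('unsupported node type ' + node.type);
  }
}

// Resolve a member expression, returning both the receiver and the property.
function evalMember(node) {
  const object = evaluate(node.object);
  // Rule 1: never read properties off a function value. fn.constructor is the
  // Function constructor, which builds new functions from source strings.
  if (typeof object === 'function') {
    throw unsafe('member access on a function value');
  }
  if (object === null || object === undefined) {
    throw unsafe('member access on null or undefined');
  }
  const key = node.computed ? evaluate(node.property) : node.property.name;
  return { object, value: object[key] };
}

// Turn the throw into a result record so callers can branch on it.
function safeEval(node) {
  try {
    return { ok: true, value: evaluate(node) };
  } catch (err) {
    if (err.unsafe) return { ok: false, reason: err.message };
    throw err;
  }
}

// Constructed sample ASTs (ESTree shape) for the expressions quoted in the PR.
const lit = (value) => ({ type: 'Literal', value });
const arr = (...values) => ({ type: 'ArrayExpression', elements: values.map(lit) });
const member = (object, name) => ({
  type: 'MemberExpression', object, computed: false,
  property: { type: 'Identifier', name },
});

// [1,2,3].map             -> allowed: a function value may be returned
const mapExpr = member(arr(1, 2, 3), 'map');
// [1,2,3].map.constructor -> refused: no member access from a function value
const ctorExpr = member(mapExpr, 'constructor');
// (function(){})()        -> refused: IIFE
const iife = {
  type: 'CallExpression',
  callee: { type: 'FunctionExpression', params: [],
            body: { type: 'BlockStatement', body: [] } },
  arguments: [],
};
// 'abc'.toUpperCase()     -> allowed: method call on a plain string receiver
const methodCall = {
  type: 'CallExpression',
  callee: member(lit('abc'), 'toUpperCase'),
  arguments: [],
};

for (const [label, ast] of [['[1,2,3].map', mapExpr],
                            ['[1,2,3].map.constructor', ctorExpr],
                            ['(function(){})()', iife],
                            ["'abc'.toUpperCase()", methodCall]]) {
  console.log(label, '=>', safeEval(ast));
}
```

The design point is the ordering in `evalMember`: the receiver is evaluated first and its type checked before any property is read, so the check cannot be bypassed by a computed key or by chaining. Returning a function value is still permitted, which is why `[1,2,3].map` resolves; the boundary is crossed only when something is read off that function.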

@substack substack merged commit fca6227 into substack:master Oct 5, 2017

@substack

Owner

substack commented Oct 5, 2017

Thanks for the patch. I've released this as 2.0.0 because there are some packages such as static-module that break with these changes.
