Force rewritten eval() to use global scope when original is in global scope. #89
Attempt to detect if eval() is called from a global scope by adding a function that loads '!arguments.callee.caller' to the wrapped eval. If eval is global, then call assigned eval `var ge = eval; ge(...)` to force global context again. This is to support the use case where a global eval(), e.g. placed directly in `<script>`, is evaluated in a local scope, causing declared functions and variables to not be global. Not perfect (Safari may have false negatives) but solves the rewriting issue related to global eval().
…ler' test to see if it is in global scope and run eval() in global scope to work in combination with webrecorder/wombat#89
See webrecorder/wabac.js#71 for corresponding fixes in wabac.js. It adds rewriting of: by prepending additional arguments and a new function call.
…' in try/catch in case in strict mode, and if so, set isGlobal to false
In strict mode, and handling the
* eval improvements: eval() rewriting to pass '.eval(this, arguments, ...)' to allow wombat to test if eval should be evaluated in local or global scope, to work in combination with webrecorder/wombat#89 (requires wombat 3.3.7)
live proxy config fixes:
- strip out current self origin from x-orig-location if included, using a relative location
- support array list and dict list of live proxy origins

dsrules: raise maxbitrate for twitter video to 5000000 to match pywb/browsertrix-crawler, save maxbitrate used if save option provided

multiwacz loading change:
- compute and hash of wacz to collection path (instead of page id)
- attempt to load from same wacz, if available, otherwise look in all waczs

blockloaders: support for non-http fetch (#67)
- rename HttpRangeLoader -> FetchRangeLoader to indicate support beyond http but with fetch
- check if fetch protocol matches current location protocol, if so, use fetchloader
- check if fetch() to custom protocol returns, assume fetch is supported, if fetch throws an exception, assume it's not supported

remotewarcproxy: Fix kiwix loading (fixes #69)
- get actual prefix from config.prefix instead of sourceUrl, which now stores original 'prefix:...' id
- readd 'process/browser' for standalone build
- update webpack 5 to latest

eval improvements (#71):
- add tests ensuring '_eval' and '$eval' are not rewritten
- support eval being global-scope aware
- update eval rewriting to pass '.eval(this, arguments, ...)' to WB_wombat_runEval2 (from wombat 3.3.7) to allow wombat to determine if eval should be evaluated in local or global scope (see: webrecorder/wombat#89 for more details)

dependency update: wombat 3.3.7, warcio 1.5.1, latest webpack 5
The eval() rewriting can sometimes result in the following scenario:
is rewritten to (simplified) effectively:
The rewriting is done in this way to keep the eval() in this same local scope, but if the eval() is actually in the global scope, ideally, it should be kept there!
Fortunately, it seems that there is a mostly reliable way to detect a function in global scope by checking if `arguments.caller.callee` is null, e.g.:

The above seems to work in Chrome and Firefox. In Safari 14.x, the last one also prints 'true', so there is at least one false positive. However, this seems to be fixed in Safari 15.x.
As an additional sanity check, `this` can also be checked to ensure that it matches the current window (as an additional guard for arrow function false positives).

Also fortunately, the eval() automatically evaluates in the global scope if eval is called indirectly after assignment.
This allows for this kind of setup:
This PR implements this functionality, along with a change in server-side rewriting which rewrites:
`eval(...` -> `.eval(this, !arguments.callee.caller, ...`.

I think this should work w/o breaking anything, but want to leave this up for any feedback.
(Sample site fixed by this: http://svlavra.dn.ua/)
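
The scoping behaviour this PR relies on, as an added example that is not part of the PR or of wombat's code. `runEval`, `runEvalLocal`, `runEvalGlobal` and the sample script are hypothetical names, and the `isGlobal` flag is passed by hand here instead of being derived from `arguments.callee.caller`.

```javascript
// Hypothetical stand-ins for a rewritten eval wrapper (not wombat's code).

// Direct eval: the code runs inside this function's scope, so any
// function or var it declares never reaches the global object.
function runEvalLocal(code) {
  return eval(code);
}

// Assigning eval to another name makes the call indirect, and an
// indirect eval always evaluates in the global scope.
function runEvalGlobal(code) {
  var ge = eval;
  return ge(code);
}

// The rewritten call site supplies isGlobal; here it is an explicit flag.
function runEval(isGlobal, code) {
  return isGlobal ? runEvalGlobal(code) : runEvalLocal(code);
}

// Constructed sample: what a page might pass to a top-level eval().
const SAMPLE = "function wbDemoInit() { return 'ready'; } var wbDemoFlag = 1;";

function demo() {
  const result = {};

  // Wrapped in a function with direct eval: the declarations are lost.
  runEval(false, SAMPLE);
  result.afterLocal = typeof globalThis.wbDemoInit;

  // Forced through the indirect eval: the declarations become global.
  runEval(true, SAMPLE);
  result.afterGlobal = typeof globalThis.wbDemoInit;
  result.callResult = globalThis.wbDemoInit();
  result.flag = globalThis.wbDemoFlag;

  // Bindings created by eval are configurable, so they can be removed.
  delete globalThis.wbDemoInit;
  delete globalThis.wbDemoFlag;
  return result;
}

console.log(demo());
```
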