Question about eval and CSP #42

Closed
tonto7973 opened this issue Jan 8, 2022 · 5 comments

Comments

@tonto7973

Hello,

I've got a tiny question (or feature request). Is there a way to enforce CSP when executing a script using Yantra?

E.g. consider the following code:

CoreScript.Evaluate("new Function(\"return this\")()");

returns undefined.

I am wondering if there is a way to configure Yantra to throw an exception when doing dynamic JavaScript evaluation, e.g. eval(str), new Function(str)() or string arguments for the setTimeout and setInterval functions?

Many thanks.

@ackava
Contributor

ackava commented Jan 9, 2022

We actually forgot to add support for a string parameter in the setTimeout and setInterval methods, so they will not work anyway.
We are evaluating how to add CSP support. Meanwhile, you can override eval and Function as shown below.

var context = new JSContext();
context[KeyStrings.eval] = new JSFunction((in Arguments a) => throw context.NewTypeError("Not supported"));
context["Function"] = new JSFunction((in Arguments a) => throw context.NewTypeError("Not supported"));

Let me know if you face some issue.

@tonto7973
Author

Hello,
I've tried the approach you outlined. eval works fine, but I'm getting an exception when defining Function:

YantraJS.Core.JSException
  HResult=0x80131500
  Message=Cannot modify property Function of [object Object]
  Source=YantraJS.Core
  StackTrace:
at Item in /home/runner/work/yantra/yantra/YantraJS.Core/Core/Object/JSObject.cs:line 459

Using version 1.1.220.
Not sure if there is any other workaround.
Thanks.

@ackava
Contributor

ackava commented Jan 17, 2022

@tonto7973

I have added EvalEvent inside JSContext, which lets you throw an exception as shown below. You can ignore the earlier approach.

var context = new JSContext();
context.EvalEvent += (s, e) => throw context.NewTypeError("Eval not supported");

This should work. This event will be fired in eval and in the Function constructor.
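
The difference between the two approaches in this thread (overriding the global names versus a hook inside the engine), as an added example that is not code from the thread or from the YantraJS project. It assumes Node.js's built-in vm module as a stand-in engine, with its codeGeneration option standing in for an engine-level hook such as EvalEvent; the probe list and function names are constructed for this illustration.

```javascript
const vm = require('node:vm');

// Dynamic-evaluation entry points to audit. The first two are named in the
// issue; the third reaches the same Function constructor through an existing
// function object instead of through the global name.
const PROBES = {
  'eval(str)': 'eval("1 + 1")',
  'new Function(str)': 'new Function("return 1 + 1")()',
  'fn.constructor(str)': '(function () {}).constructor("return 1 + 1")()',
};

// Approach 1: replace the global bindings, as in the first workaround.
function contextWithOverrides() {
  const ctx = vm.createContext({});
  vm.runInContext(`
    globalThis.eval = () => { throw new TypeError("Not supported"); };
    globalThis.Function = function () { throw new TypeError("Not supported"); };
  `, ctx);
  return ctx;
}

// Approach 2: let the engine refuse code generation from strings.
function contextWithEngineBlock() {
  return vm.createContext({}, { codeGeneration: { strings: false } });
}

// Run every probe in the context and record whether it executed.
function audit(ctx) {
  const result = {};
  for (const [label, source] of Object.entries(PROBES)) {
    try {
      vm.runInContext(source, ctx);
      result[label] = 'ALLOWED';
    } catch (e) {
      // Errors come from another realm, so compare by name, not instanceof.
      result[label] = `blocked (${e.name})`;
    }
  }
  return result;
}

console.log('global overrides:', audit(contextWithOverrides()));
console.log('engine-level    :', audit(contextWithEngineBlock()));
```

Replacing the globals leaves the constructor reachable from any function object, while the engine-level setting rejects all three probes; the same audit is a useful regression test for any embedded-engine configuration that is meant to forbid dynamic evaluation.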

@tonto7973
Author

Hi @ackava, this helped. Many thanks.

@ackava ackava closed this as completed Jan 26, 2022
@ackava ackava reopened this Jan 26, 2022
@ackava
Contributor

ackava commented Jan 26, 2022

@tonto7973

We are happy that we were able to help you. Please do not forget to give us a star, and please promote our Engine on social media and on your blog when you get a chance.

@ackava ackava closed this as completed Jan 26, 2022