--disallow-code-generation-from-strings does not work as documented #58221

ChALkeR opened this issue May 7, 2025 · 6 comments · May be fixed by #58328
ChALkeR (Member) commented May 7, 2025

Doc: https://nodejs.org/docs/latest/api/cli.html#--disallow-code-generation-from-strings

It is advertised to cover built-in language features, but it doesn't cover data imports.

No Node.js modules are directly imported here:

```js
// run with node and node --disallow-code-generation-from-strings
const payload = 'console.log("evaluated code from string")'
try { eval(payload) } catch (e) { console.log(e.message) }
try { new Function(payload)() } catch (e) { console.log(e.message) }
try { await import('data:text/javascript,' + payload) } catch (e) { console.log(e.message) }
```

Output:

```text
% node --disallow-code-generation-from-strings 1.js
Code generation from strings disallowed for this context
Code generation from strings disallowed for this context
evaluated code from string
```
ChALkeR (Member, Author) commented May 8, 2025

For comparison, this is what browsers do under CSP:
[screenshot not included in the text]

ChALkeR changed the title from "--disallow-code-generation-from-strings does not work as advertised" to "--disallow-code-generation-from-strings does not work as documented" on May 9, 2025

edilson258 commented:

Wait, the official Node.js docs only cover `eval` and `new Function`, and those do not allow code from strings.

In the example you brought, only the last line (below) executes the code even with the flag `--disallow-code-generation-from-strings` set:

```js
try { await import('data:text/javascript,' + payload) } catch (e) { console.log(e.message) }
```

and the docs do not cover that.

refs: https://nodejs.org/docs/latest-v16.x/api/cli.html#--disallow-code-generation-from-strings

ChALkeR (Member, Author) commented May 10, 2025

Doc states:

> Make built-in language features like ...

  1. import() is a built-in language feature, defined in the ECMAScript specification.
  2. "like" is not exhaustive
  3. This is analogous to script-src CSP for browsers blocking unsafe-eval, and that one blocks data imports too.
  4. Having built-in import() as a dynamic eval defeats the purpose of this flag to a significant extent

edilson258 commented:

@ChALkeR you are right!

@mojodna @bmizerany need your opinion about this please.

legendecas (Member) commented May 14, 2025

The flag `--disallow-code-generation-from-strings` only covers features that are guarded by the ECMA-262 host hook `HostEnsureCanCompileStrings`. The exhaustive API list is

There are many APIs in Node.js' module system, and in `node:vm`, that allow creating scripts and modules dynamically. I think the doc for `--disallow-code-generation-from-strings` should also explicitly exclude Node.js' module APIs.

jimmywarting commented:

Um, maybe it should not cover that?
Maybe `import()` should be restricted instead to what you can and can't import,
such that you only allow imports from "self", http, https and no `data:` URL.
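The restriction sketched in the comment above, written out as an added example (not code from the Node.js project or from anyone in this thread). It is a `resolve` function in the shape Node's module customization hooks use (`resolve(specifier, context, nextResolve)`): absolute-URL specifiers whose protocol is not on an allow-list are rejected, so `import('data:text/javascript,' + payload)` fails the way `eval(payload)` does under the flag, while relative and bare specifiers fall through to the default resolver. The allow-list, the `ERR_IMPORT_BLOCKED_BY_POLICY` error code and the sample specifiers are constructed for this example.

```javascript
// Added example; not code from Node.js or from this issue thread.
// A resolve hook in the shape of Node's module customization hooks
// (resolve(specifier, context, nextResolve)) that refuses data: imports
// so import('data:text/javascript,' + payload) cannot act as a string eval,
// while letting file:, node:, http: and https: specifiers through.
// The allow-list, the error code and the sample specifiers are constructed.

const ALLOWED_PROTOCOLS = new Set(['file:', 'node:', 'http:', 'https:']);

// Protocol of an absolute-URL specifier, or null for relative ('./x.js')
// and bare ('lodash') specifiers, which are left to the default resolver.
function specifierProtocol(specifier) {
  try {
    return new URL(specifier).protocol;
  } catch {
    return null;
  }
}

// True when the specifier is an absolute URL whose protocol is not allowed.
function isBlocked(specifier) {
  const protocol = specifierProtocol(specifier);
  return protocol !== null && !ALLOWED_PROTOCOLS.has(protocol);
}

// Hook body. Throwing here rejects the import() promise, which is the
// same observable outcome eval() has under --disallow-code-generation-from-strings.
function resolve(specifier, context, nextResolve) {
  if (isBlocked(specifier)) {
    const err = new Error(
      `import of ${specifierProtocol(specifier)} URL blocked by policy: ${specifier.slice(0, 64)}`,
    );
    err.code = 'ERR_IMPORT_BLOCKED_BY_POLICY'; // constructed code, not a Node.js error code
    throw err;
  }
  return nextResolve(specifier, context);
}

// Constructed sample specifiers, including the data: import from the report above.
const SAMPLE_SPECIFIERS = [
  './lib/helper.js',
  'node:fs',
  'https://example.com/module.js',
  'data:text/javascript,console.log("evaluated code from string")',
];

// Evaluate the policy over a list of specifiers and return the decisions.
function evaluatePolicy(specifiers = SAMPLE_SPECIFIERS) {
  return specifiers.map((s) => ({ specifier: s, blocked: isBlocked(s) }));
}

for (const { specifier, blocked } of evaluatePolicy()) {
  console.log(`${blocked ? 'BLOCK' : 'allow'}  ${specifier}`);
}
```

To apply it in a real process, the `resolve` function goes in a hooks module that exports it, and that module is registered before application code runs with `module.register()` from `node:module` (for example from a file passed via `--import`). Two caveats: the hooks API is still marked experimental and runs on a separate thread, and a resolve hook sees only the ESM loader, so it does not cover `node:vm` or the module APIs legendecas mentions; it complements the flag rather than replacing it.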
