From: Claude Petit <p...@webmail.us>
Sent: Wednesday, June 20, 2018 2:23 PM
To: 'mikesam...@gmail.com' <mikesam...@gmail.com>
Cc: 'es-discuss' <es-discuss@mozilla.org>
Subject: RE: Proposal: safeEval

Thanks,

> How would this compare to https://github.com/tc39/proposal-frozen-realms ?

I was not aware of that proposal, or didn't pay attention. I think "safeEval" provides ACLs, while your proposal doesn't.

> I'm not sure how to run @doodad-js/safeeval in node

That's a Doodad module, and it must be loaded by Doodad before usage. Anyway, that's not important.

> What does it do for inputs like

Sure, as I told you, that's very incomplete. I'm just bringing the idea. But I'll fix those issues if they are present.

Claude

From: Mike Samuel <mikesam...@gmail.com>
Sent: Wednesday, June 20, 2018 9:51 AM
To: dooda...@gmail.com
Cc: es-discuss <es-discuss@mozilla.org>
Subject: Re: Proposal: safeEval

How would this compare to https://github.com/tc39/proposal-frozen-realms ?

I'm not sure how to run @doodad-js/safeeval in node since require doesn't provide obvious access to safeeval, but the code seems to do AST filtering.

What does it do for inputs like

    safeEval(' 0..constructor.constructor("alert(1)")() ')
    safeEval(' 0[x][x]`alert(1)`() ', { x: 'constructor' })
    safeEval(' 0[x][y] = null ', { x: 'prototype', y: 'toString' })

On Tue, Jun 19, 2018 at 10:29 PM doodad-js Admin <dooda...@gmail.com> wrote:

> Hi,
>
> I take a chance to valorize "eval" again by proposing "safeEval".
>
>     function safeEval(expression, [locals], [options]) { ...... };
>
> So that you can:
>
>     safeEval("1 + a", {a: 2}); // returns "3"
>     safeEval("1 + a()", {a: function() {return 2}}, {allowFunctions: true}); // also returns "3"
>
> but:
>
>     safeEval("1 + a()", {a: function() { return 2}}); // throws whatever you want because "allowFunctions" is denied
>
> etc.
>
> Note that local variables are specified as an argument. Also note that "options" mainly gives/denies permissions. I'm not sure if we should be whitelisting or blacklisting features there though, or a mix of default enabled and disabled ones...
>
> Very incomplete, but as for inspiration (and very useful to me): https://www.npmjs.com/package/@doodad-js/safeeval
>
> Claude

_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
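As an added example that is not part of this thread and not the code of @doodad-js/safeeval: one way to give the sketched safeEval(expression, locals, options) API and its allowFunctions permission a meaning that does not rest on filtering source before handing it to eval(). It interprets a small arithmetic grammar itself and resolves identifiers only against own properties of locals, so the three inputs Mike asks about are rejected at the tokenizer because the grammar has no member access at all; the grammar, tokenizer and error messages are assumptions of this example.

```javascript
// Parses a tiny arithmetic grammar and interprets it directly; eval() and
// Function() are never involved, and the only reachable values are numeric
// literals and own properties of `locals` (grammar and names are assumptions).
function tokenize(src) {
  // number | identifier | one-character operator; no ".", "[", "=" or template literals
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|([-+*\/(),]))\s*/gy;
  const toks = [];
  while (re.lastIndex < src.length) {
    const m = re.exec(src);
    if (!m) throw new SyntaxError("unexpected character in expression");
    toks.push(m[1] !== undefined ? Number(m[1]) : m[2] !== undefined ? m[2] : m[3]);
  }
  return toks;
}

function safeEval(expression, locals = {}, options = {}) {
  const toks = tokenize(expression); let i = 0;
  const peek = () => toks[i], next = () => toks[i++];
  const expect = (v) => { if (next() !== v) throw new SyntaxError("expected " + v); };
  // Own-property lookup only: "constructor", "__proto__" etc. resolve only if
  // the caller deliberately placed them in `locals`.
  function lookup(name) {
    if (!/^[A-Za-z_$][\w$]*$/.test(name)) throw new SyntaxError("unexpected " + name);
    if (!Object.prototype.hasOwnProperty.call(locals, name)) throw new ReferenceError(name + " is not a permitted local");
    return locals[name];
  }
  function atom() {
    const t = next();
    if (t === undefined) throw new SyntaxError("unexpected end of input");
    if (typeof t === "number") return t;
    if (t === "(") { const v = expr(); expect(")"); return v; }
    if (peek() !== "(") return lookup(t);
    // Call expression: denied unless the allowFunctions permission is granted.
    if (!options.allowFunctions) throw new Error("function calls denied (allowFunctions)");
    const fn = lookup(t);
    if (typeof fn !== "function") throw new TypeError(t + " is not a function");
    expect("(");
    const args = [];
    if (peek() !== ")") do { args.push(expr()); } while (peek() === "," && next());
    expect(")");
    return fn.apply(undefined, args); // no `this`, only the evaluated arguments
  }
  // Left-associative binary levels; a Map keeps identifiers from matching operators.
  const binary = (ops, sub) => () => {
    let v = sub();
    while (ops.has(peek())) v = ops.get(next())(v, sub());
    return v;
  };
  const term = binary(new Map([["*", (a, b) => a * b], ["/", (a, b) => a / b]]), atom);
  const expr = binary(new Map([["+", (a, b) => a + b], ["-", (a, b) => a - b]]), term);
  const result = expr();
  if (i !== toks.length) throw new SyntaxError("unexpected " + toks[i]);
  return result;
}
```

Anything outside the grammar (member access, assignment, template literals) is a SyntaxError before evaluation begins, which is the property an AST filter on top of eval() has to prove rather than get for free.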