[Pkg-javascript-commits] [node-syntax-error] 18/47: use eval() with early throw instead of Function() to prevent script injection
Bastien Roucariès
rouca at moszumanska.debian.org
Fri Aug 25 19:29:59 UTC 2017
This is an automated email from the git hooks/post-receive script.
rouca pushed a commit to branch master
in repository node-syntax-error.
commit 9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309
Author: James Halliday <mail at substack.net>
Date: Mon Jul 14 19:52:00 2014 -0700
use eval() with early throw instead of Function() to prevent script injection
---
index.js | 3 ++-
test/sources/run2.js | 4 +++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 43dbdf4..9acae6b 100644
--- a/index.js
+++ b/index.js
@@ -4,10 +4,11 @@ module.exports = function (src, file) {
if (typeof src !== 'string') src = String(src);
try {
- Function(src);
+ eval('throw "STOP"; (function () { ' + src + '})()');
return;
}
catch (err) {
+ if (err === 'STOP') return undefined;
if (err.constructor.name !== 'SyntaxError') throw err;
return errorInfo(src, file);
}
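Review bot: The new `eval` line still passes `src` to direct eval inside this module's function scope, and the `(function () { ... })()` wrapper can be closed by the input itself, as the updated `test/sources/run2.js` fixture does. The leading `throw "STOP"` keeps statements from running, but such input parses cleanly and the function returns undefined, so text that is not a valid file on its own is reported as having no syntax error. Direct eval also instantiates hoisted declarations in the calling scope before the first statement runs, which I believe applies here. Parsing `src` with a JavaScript parser, or compiling it with Node's `vm.Script` (which does not execute the code), would keep the text out of this scope. At minimum I would add `// src may close the wrapper: a clean parse here does not prove src is a valid standalone program` above the eval and drop the now unreachable `return;` after it. The exported function starts and ends outside this hunk.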
diff --git a/test/sources/run2.js b/test/sources/run2.js
index f301d32..88c7b94 100644
--- a/test/sources/run2.js
+++ b/test/sources/run2.js
@@ -1 +1,3 @@
-}); process.exit(1); (function () {
+})();
+process.exit(1);
+(function () {
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-javascript/node-syntax-error.git