Remove eval-like functionality

DataDog · Jan 17, 2025 · ef2c64c · ef2c64c
1 parent 5f41ee2
commit ef2c64c
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/crates/static-analysis-kernel/src/analysis/ddsa_lib/v8_platform.rs b/crates/static-analysis-kernel/src/analysis/ddsa_lib/v8_platform.rs
@@ -31,6 +31,8 @@ const BASE_FLAGS: &str = concat!(
     // Performance: compile JavaScript eagerly
     " --no-lazy",
     " --no-lazy-streaming",
+    // Don't allow "eval"-like functionality.
+    " --disallow-code-generation-from-strings",
 );
 
 /// An instance of the v8 platform.
@@ -122,6 +124,7 @@ pub fn initialize_v8(thread_pool_size: u32) -> V8Platform<Initialized> {
 #[cfg(test)]
 mod tests {
     use super::{initialize_v8, BASE_FLAGS};
+    use crate::analysis::ddsa_lib::test_utils::{cfg_test_v8, try_execute};
 
     /// `initialize_v8` can effectively only be called once.
     #[test]
@@ -140,4 +143,23 @@ mod tests {
     fn v8_contradictory_flags_abort() {
         assert!(BASE_FLAGS.contains("--abort-on-contradictory-flags"));
     }
+
+    /// v8 is initialized without the ability to run `eval`-like functions.
+    #[test]
+    fn v8_eval_like_disabled() {
+        let v8 = cfg_test_v8();
+        let mut rt = v8.new_runtime();
+        let scope = &mut rt.v8_handle_scope();
+        let samples = [
+            "eval('1 + 2');",
+            "new Function('a', 'b', 'return a + b;')(1, 2);",
+        ];
+        for code in samples {
+            let res = try_execute(scope, code);
+            assert_eq!(
+                res.unwrap_err(),
+                "EvalError: Code generation from strings disallowed for this context"
+            );
+        }
+    }
 }