Refine csp checks for unsafeEval. #11933

1 change: 1 addition & 0 deletions src/.jshintrc
Expand Up @@ -65,6 +65,7 @@
"shallowCopy": false,
"equals": false,
"csp": false,
"unsafeEval": false,
"concat": false,
"sliceArgs": false,
"bind": false,
25 changes: 15 additions & 10 deletions src/Angular.js
Expand Up @@ -978,22 +978,27 @@ function equals(o1, o2) {
return false;
}

var unsafeEval = function() { /* jshint ignore:line */
if (isDefined(unsafeEval.isActive_)) return unsafeEval.isActive_;

var active = true;
try {
/* jshint -W031, -W054 */
new Function('');
/* jshint +W031, +W054 */
} catch (e) {
active = false;
}
return (unsafeEval.isActive_ = active);
};
Contributor Author


Having unsafeEval split out of csp may make it chatty in the console. I can add guards to it if you all would like.


var csp = function() {
if (isDefined(csp.isActive_)) return csp.isActive_;

var active = !!(document.querySelector('[ng-csp]') ||
document.querySelector('[data-ng-csp]'));

if (!active) {
try {
/* jshint -W031, -W054 */
new Function('');
/* jshint +W031, +W054 */
} catch (e) {
active = true;
}
}

active = active || !unsafeEval();
return (csp.isActive_ = active);
};

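Review bot: The new `unsafeEval` function (right after `equals`) and the reworked `csp` carry no comment saying what the probe means or why its result is memoized on the function object, so a reader cannot tell that `unsafeEval()` returning false means `new Function` is blocked by the page's policy rather than simply unavailable. I would add above `var unsafeEval`: `// Probes once whether code may be compiled from a string (new Function); false when the page's CSP blocks it. Memoized on unsafeEval.isActive_ so the probe runs at most once per page load.` and above `active = active || !unsafeEval();`: `// A page counts as CSP-restricted when it opts in via ng-csp/data-ng-csp or when Function construction is actually blocked.` That a blocking policy reports the probe as a violation is inferred from how CSP enforcement works, not from these lines, which is why the comment only promises the probe runs once. Both functions are complete within the hunk.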
6 changes: 4 additions & 2 deletions src/ng/parse.js
Expand Up @@ -1698,12 +1698,14 @@ function $ParseProvider() {
var cacheExpensive = createMap();

this.$get = ['$filter', '$sniffer', function($filter, $sniffer) {
var csp = $sniffer.csp && !$sniffer.unsafeEval;
Contributor


Does $sniffer.csp not include !sniffer.unsafeEval?

Contributor Author


Depending on csp doesn't necessarily hit the !$sniffer.unsafeEval check, so this ensures that $sniffer.csp is true and that unsafeEval is not allowed.


var $parseOptions = {
csp: $sniffer.csp,
csp: csp,
expensiveChecks: false
},
$parseOptionsExpensive = {
csp: $sniffer.csp,
csp: csp,
expensiveChecks: true
};

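Review bot: Because `csp()` in the Angular.js hunk now sets `active = active || !unsafeEval()`, `$sniffer.csp` is true whenever `$sniffer.unsafeEval` is false, so the new `var csp = $sniffer.csp && !$sniffer.unsafeEval;` reduces to `!$sniffer.unsafeEval`: a page that opts in with `ng-csp` but where the Function probe still succeeds (presumably a report-only or absent policy) no longer gets the interpreter, and $parse keeps compiling expressions with `new Function`. If that narrowing is intended it deserves a comment on the line, e.g. `// Interpreter only when Function construction is actually blocked; ng-csp alone no longer selects it`; if the explicit attribute should still force the safe path, keep `var csp = $sniffer.csp;` instead. The body of `$ParseProvider` continues outside the hunk.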
1 change: 1 addition & 0 deletions src/ng/sniffer.js
Expand Up @@ -79,6 +79,7 @@ function $SnifferProvider() {
return eventSupport[event];
},
csp: csp(),
unsafeEval: unsafeEval(),
vendorPrefix: vendorPrefix,
transitions: transitions,
animations: animations,
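Review bot: `unsafeEval: unsafeEval()` joins the object `$sniffer` exposes without any description, and unlike `csp` its polarity is not obvious from the name, which reads like a flag one would expect to be false. I would annotate it inline: `unsafeEval: unsafeEval(), // true when new Function is permitted on this page; false under a blocking CSP`. The enclosing object literal starts before this hunk.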
1 change: 1 addition & 0 deletions test/.jshintrc
Expand Up @@ -61,6 +61,7 @@
"shallowCopy": false,
"equals": false,
"csp": false,
"unsafeEval": false,
"jq": false,
"concat": false,
"sliceArgs": false,
1 change: 1 addition & 0 deletions test/AngularSpec.js
Expand Up @@ -711,6 +711,7 @@ describe('angular', function() {
afterEach(function() {
window.Function = originalFunction;
delete csp.isActive_;
delete unsafeEval.isActive_;
});

