use eval() with early throw instead of Function() to prevent script injection

James Halliday · James Halliday · commit 9aa4e66eb90e · 2014-07-14T19:52:00.000-07:00
diff --git a/index.js b/index.js
@@ -4,10 +4,11 @@ module.exports = function (src, file) {
     if (typeof src !== 'string') src = String(src);
     
     try {
-        Function(src);
+        eval('throw "STOP"; (function () { ' + src + '})()');
         return;
     }
     catch (err) {
+        if (err === 'STOP') return undefined;
         if (err.constructor.name !== 'SyntaxError') throw err;
         return errorInfo(src, file);
     }
diff --git a/test/sources/run2.js b/test/sources/run2.js
@@ -1 +1,3 @@
-}); process.exit(1); (function () {
+})();
+process.exit(1);
+(function () {

Original file line number	Diff line number	Diff line change
`@@ -4,10 +4,11 @@ module.exports = function (src, file) {`
`4`	`4`	`if (typeof src !== 'string') src = String(src);`
`5`	`5`
`6`	`6`	`try {`
`7`		`- Function(src);`
	`7`	`+ eval('throw "STOP"; (function () { ' + src + '})()');`
`8`	`8`	`return;`
`9`	`9`	`}`
`10`	`10`	`catch (err) {`
	`11`	`+ if (err === 'STOP') return undefined;`
`11`	`12`	`if (err.constructor.name !== 'SyntaxError') throw err;`
`12`	`13`	`return errorInfo(src, file);`
`13`	`14`	`}`