fix: disallow usage of Object.constructor

commenthol · commenthol · commit 1c29f6a6e304 · 2019-03-09T21:54:53.000+01:00
diff --git a/src/index.js b/src/index.js
@@ -40,8 +40,11 @@ class SaferEval {
     if (typeof code !== 'string') {
       throw new TypeError('not a string')
     }
+    let src = 'Object.constructor = function () {};\n'
+    src += 'return ' + code + ';\n'
+
     return vm.runInContext(
-      '(function () {"use strict"; return ' + code + '})()',
+      '(function () {"use strict"; ' + src + '})()',
       this._context,
       this._options
     )

Original file line number	Diff line number	Diff line change
`@@ -40,8 +40,11 @@ class SaferEval {`
`40`	`40`	`if (typeof code !== 'string') {`
`41`	`41`	`throw new TypeError('not a string')`
`42`	`42`	`}`
	`43`	`+ let src = 'Object.constructor = function () {};\n'`
	`44`	`+ src += 'return ' + code + ';\n'`
	`45`	`+`
`43`	`46`	`return vm.runInContext(`
`44`		`- '(function () {"use strict"; return ' + code + '})()',`
	`47`	`+ '(function () {"use strict"; ' + src + '})()',`
`45`	`48`	`this._context,`
`46`	`49`	`this._options`
`47`	`50`	`)`