-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v8: introduce v8.emitCodeGenFromStringEvent() #34863
Conversation
This introduces emitCodeGenFromStringEvent in the v8 module to intercept calls made to eval and Function constructor.
I will need to think about this more but my initial thought here is that this should be scoped to vm contexts. |
Wouldn’t it be easier to do the same thing we do for e.g. the signal events, that is, use |
@devsnek that's a very fair point. I considered it too. AFAIK, @addaleax I explored a bit in this direction. The issue I met was that the flow of disabling it is pretty sensitive: Given that this is a bit niche, I went with this simpler API. But what you suggest is a good UX IMO so I'm open to move toward that (I will maybe need a hand to decide where to put this state I'm mentionning). |
I'm really just not sure that this should exist at the scope of the main node context. Probably at worst it can leak implementation details between libraries. |
@devsnek do you think there could be another way to audit calls made to |
@vdeturckheim a native addon perhaps? |
@devsnek IMO it can be useful to many to have such in core - the user experience of native addons can be pretty complicated in some cases. Also,this makes a feature of V8 available in userland more than creating a new feature. |
@addaleax I think I have a solution actually. I will update soon with something that follows your suggestion 😄 |
closing as it is a double of #35157 |
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesAs of today, it is not possible to intercept calls made to
eval
as the method can't really be monkeypatched without breaking its behavior.Thanksfully there is an API in V8 that can be used to place a callback when code is generated from string (
eval
andnew Function(string)
. This PR introduces a way to listen on theses events from userland.If the
--disallow-code-generation-from-strings
flag is used, callingemitCodeGenFromStringEvent
will have no effect as calls toeval
andnew Function
will fail anyway.After calling
v8.emitCodeGenFromStringEvent()
, each time a call is made toeval
ornew function
, ancodeGenerationFromString
event will be emitted on process with the code as argument.cc @fraxken @bmeck @cjihrig @targos :)