From b0c226a13f24441ab2d800615337dc843161acac Mon Sep 17 00:00:00 2001 From: Andre Medeiros Date: Thu, 20 Dec 2018 11:55:04 -0500 Subject: [PATCH] feature: disallow eval and require in cockpit --- src/lib/core/modules/coderunner/codeRunner.js | 2 +- src/lib/core/modules/coderunner/runCode.js | 15 +++++++++++++-- test_apps/test_app/test/namesystem_spec.js | 6 +++--- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/src/lib/core/modules/coderunner/codeRunner.js b/src/lib/core/modules/coderunner/codeRunner.js index fa1b2f2a4..2288c69d4 100644 --- a/src/lib/core/modules/coderunner/codeRunner.js +++ b/src/lib/core/modules/coderunner/codeRunner.js @@ -80,7 +80,7 @@ class CodeRunner { code = `(async function() {${instructions.join(';')}})();`; } - let result = this.runCode.doEval(code, tolerateError); + let result = this.runCode.doEval(code, tolerateError, forConsoleOnly); if (forConsoleOnly && this.ipc.isServer()) { this.commands.push({code}); diff --git a/src/lib/core/modules/coderunner/runCode.js b/src/lib/core/modules/coderunner/runCode.js index e5dd781b8..0f25cd676 100644 --- a/src/lib/core/modules/coderunner/runCode.js +++ b/src/lib/core/modules/coderunner/runCode.js @@ -1,6 +1,8 @@ const vm = require('vm'); const fs = require('../../fs'); +const noop = function() {}; + class RunCode { constructor({logger}) { this.logger = logger; @@ -12,9 +14,15 @@ class RunCode { }); } - doEval(code, tolerateError = false) { + doEval(code, tolerateError = false, forConsoleOnly = false) { + // Check if we want this code to run on the console or by user input. If it is by + // user input, we disallow `require` and `eval`. + let context = (forConsoleOnly) ? this.context : Object.assign({}, this.context, { + eval: noop, require: noop + }); + try { - return vm.runInNewContext(code, this.context); + return vm.runInNewContext(code, context); } catch(e) { if (!tolerateError) { this.logger.error(e.message); 
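Review bot: The restricted context built with `Object.assign({}, this.context, { eval: noop, require: noop })` in doEval does not actually deny dynamic code or module loading: `vm.runInNewContext` is not a security boundary, so a script can still reach the host realm's `Function` constructor (for example via `this.constructor.constructor`) and from there `process.mainModule.require`, and `new Function(...)` inside the context is equivalent to `eval`. Shadowing the two names is fine as a guard against accidental use, but the new comment should say so instead of stating the calls are disallowed; suggested wording: `// NOTE: vm contexts are not a sandbox; shadowing eval/require only blocks casual use, not a determined script (Function constructor, prototype chain back to the host realm).` Also note that the unrestricted context is selected when forConsoleOnly is true, which only matches the commit title if the cockpit path passes forConsoleOnly=false — worth confirming against the caller. Finally, because the restricted branch runs in a fresh shallow copy, globals assigned by that code no longer persist in this.context across calls, which the previous single shared context allowed; if that persistence was relied on it is a behavior change this commit does not mention.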
@@ -24,6 +32,9 @@ class RunCode { } registerVar(varName, code) { + // Disallow `eval` and `require`, just in case. + if(code === eval || code === require) return; + // TODO: Update all the code being dependent of web3 // To identify, look at the top of the file for something like: // /*global web3*/ diff --git a/test_apps/test_app/test/namesystem_spec.js b/test_apps/test_app/test/namesystem_spec.js index bdf857e65..aeffbca3b 100644 --- a/test_apps/test_app/test/namesystem_spec.js +++ b/test_apps/test_app/test/namesystem_spec.js @@ -24,13 +24,13 @@ describe("ENS functions", function() { it('should allow directives in ENS subdomains', async function() { const myTokenAddress = await EmbarkJS.Names.resolve('mytoken.embark.eth'); assert.strictEqual(MyToken.options.address, myTokenAddress); - + const myToken2Address = await EmbarkJS.Names.resolve('MyToken2.embark.eth'); assert.strictEqual(MyToken2.options.address, myToken2Address); - + const myTokenName = await EmbarkJS.Names.lookup(MyToken.options.address.toLowerCase()); assert.strictEqual(myTokenName, 'mytoken.embark.eth'); - + const myToken2Name = await EmbarkJS.Names.lookup(MyToken2.options.address.toLowerCase()); assert.strictEqual(myToken2Name, 'MyToken2.embark.eth'); });
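Review bot: The guard `if(code === eval || code === require) return;` in registerVar only matches the exact `eval` and `require` bindings of this module: every CommonJS module receives its own `require` function, so a caller registering its own module's `require`, a bound or wrapped variant, or something like `vm.runInNewContext` itself passes the check unchanged, and the bare `return` silently drops the registration with no trace. Consider at least logging the refusal through the logger the class already has, e.g. `if (code === eval || code === require) { this.logger.error(\`Refusing to register ${varName}\`); return; }`, and describing the check in the comment as defence in depth rather than a guarantee. registerVar's body continues outside the hunk.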