feature: disallow eval and require in cockpit

This commit is contained in:
Andre Medeiros 2018-12-20 11:55:04 -05:00 committed by Iuri Matias
parent af48788ab5
commit b0c226a13f
3 changed files with 17 additions and 6 deletions


@ -80,7 +80,7 @@ class CodeRunner {
code = `(async function() {${instructions.join(';')}})();`; code = `(async function() {${instructions.join(';')}})();`;
} }
let result = this.runCode.doEval(code, tolerateError); let result = this.runCode.doEval(code, tolerateError, forConsoleOnly);
if (forConsoleOnly && this.ipc.isServer()) { if (forConsoleOnly && this.ipc.isServer()) {
this.commands.push({code}); this.commands.push({code});
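Review bot: `forConsoleOnly` now selects a privileged evaluation context in RunCode.doEval (a true value keeps `require` and `eval` available, a false value disables them), but nothing at this call site says that the flag is a trust decision rather than a routing choice. A one-line comment before the `doEval` call such as `// forConsoleOnly === true means internal console code (require/eval kept); false means user input (both disabled)` would keep the two meanings from drifting apart. Where the flag's value comes from is not visible here; if any path lets user-supplied input set it to true, the restriction added in RunCode is bypassed, so that is worth confirming. The enclosing method of CodeRunner starts and ends outside the hunk.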


@ -1,6 +1,8 @@
const vm = require('vm'); const vm = require('vm');
const fs = require('../../fs'); const fs = require('../../fs');
const noop = function() {};
class RunCode { class RunCode {
constructor({logger}) { constructor({logger}) {
this.logger = logger; this.logger = logger;
@ -12,9 +14,15 @@ class RunCode {
}); });
} }
doEval(code, tolerateError = false) { doEval(code, tolerateError = false, forConsoleOnly = false) {
// Check if we want this code to run on the console or by user input. If it is by
// user input, we disallow `require` and `eval`.
let context = (forConsoleOnly) ? this.context : Object.assign({}, this.context, {
eval: noop, require: noop
});
try { try {
return vm.runInNewContext(code, this.context); return vm.runInNewContext(code, context);
} catch(e) { } catch(e) {
if (!tolerateError) { if (!tolerateError) {
this.logger.error(e.message); this.logger.error(e.message);
@ -24,6 +32,9 @@ class RunCode {
} }
registerVar(varName, code) { registerVar(varName, code) {
// Disallow `eval` and `require`, just in case.
if(code === eval || code === require) return;
// TODO: Update all the code being dependent of web3 // TODO: Update all the code being dependent of web3
// To identify, look at the top of the file for something like: // To identify, look at the top of the file for something like:
// /*global web3*/ // /*global web3*/
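Review bot: Shadowing `eval` and `require` in a copied context object (doEval, second hunk) is a best-effort guard, not a security boundary: Node's own vm documentation states the module is not a security mechanism, and the context's `Function` constructor is left in place, which offers the same dynamic evaluation that `eval` does. The hunk should say so, e.g. `// Best-effort guard for user input; vm is not a sandbox (see Node vm docs), so do not rely on this for security.`, so nobody later treats it as one. The `Object.assign({}, this.context, …)` copy also means that for user input any globals a snippet assigns land on the throwaway copy rather than on `this.context`, so they are no longer visible to later doEval calls — if that persistence was relied on, this is a behavior change that needs a different approach than a per-call copy. Replacing both with `noop` makes `require('x')` return `undefined` silently; a stub that throws `new Error('require is not available from user input')` would tell the user why the snippet failed and leave a log trail. In the third hunk, `code === require` only matches this module's own `require` function, since CommonJS gives every module its own, so a caller passing another module's `require` would not be rejected, and the silent `return` should at least log a warning.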


@ -24,13 +24,13 @@ describe("ENS functions", function() {
it('should allow directives in ENS subdomains', async function() { it('should allow directives in ENS subdomains', async function() {
const myTokenAddress = await EmbarkJS.Names.resolve('mytoken.embark.eth'); const myTokenAddress = await EmbarkJS.Names.resolve('mytoken.embark.eth');
assert.strictEqual(MyToken.options.address, myTokenAddress); assert.strictEqual(MyToken.options.address, myTokenAddress);
const myToken2Address = await EmbarkJS.Names.resolve('MyToken2.embark.eth'); const myToken2Address = await EmbarkJS.Names.resolve('MyToken2.embark.eth');
assert.strictEqual(MyToken2.options.address, myToken2Address); assert.strictEqual(MyToken2.options.address, myToken2Address);
const myTokenName = await EmbarkJS.Names.lookup(MyToken.options.address.toLowerCase()); const myTokenName = await EmbarkJS.Names.lookup(MyToken.options.address.toLowerCase());
assert.strictEqual(myTokenName, 'mytoken.embark.eth'); assert.strictEqual(myTokenName, 'mytoken.embark.eth');
const myToken2Name = await EmbarkJS.Names.lookup(MyToken2.options.address.toLowerCase()); const myToken2Name = await EmbarkJS.Names.lookup(MyToken2.options.address.toLowerCase());
assert.strictEqual(myToken2Name, 'MyToken2.embark.eth'); assert.strictEqual(myToken2Name, 'MyToken2.embark.eth');
}); });