feature: disallow eval and require in cockpit

2025-02-04 01:44:24 +00:00 · 2018-12-20 11:55:04 -05:00 · 2018-12-20 11:55:04 -05:00 · b0c226a13f
commit b0c226a13f
parent af48788ab5
3 changed files with 17 additions and 6 deletions
--- a/src/lib/core/modules/coderunner/codeRunner.js
+++ b/src/lib/core/modules/coderunner/codeRunner.js
@ -80,7 +80,7 @@ class CodeRunner {

      code = `(async function() {${instructions.join(';')}})();`;
    }
-    let result = this.runCode.doEval(code, tolerateError);
+    let result = this.runCode.doEval(code, tolerateError, forConsoleOnly);

    if (forConsoleOnly && this.ipc.isServer()) {
      this.commands.push({code});
--- a/src/lib/core/modules/coderunner/runCode.js
+++ b/src/lib/core/modules/coderunner/runCode.js
@ -1,6 +1,8 @@
 const vm = require('vm');
 const fs = require('../../fs');

+const noop = function() {};
+
 class RunCode {
  constructor({logger}) {
    this.logger = logger;
@ -12,9 +14,15 @@ class RunCode {
    });
  }

-  doEval(code, tolerateError = false) {
+  doEval(code, tolerateError = false, forConsoleOnly = false) {
+    // Check if we want this code to run on the console or by user input. If it is by
+    // user input, we disallow `require` and `eval`.
+    let context = (forConsoleOnly) ? this.context : Object.assign({}, this.context, {
+      eval: noop, require: noop
+    });
+
    try {
-      return vm.runInNewContext(code, this.context);
+      return vm.runInNewContext(code, context);
    } catch(e) {
      if (!tolerateError) {
        this.logger.error(e.message);
@ -24,6 +32,9 @@ class RunCode {
  }

  registerVar(varName, code) {
+    // Disallow `eval` and `require`, just in case.
+    if(code === eval || code === require) return;
+
    // TODO: Update all the code being dependent of web3
    // To identify, look at the top of the file for something like:
    // /*global web3*/