Mirror: A maybe slightly safer-ish wrapper around eval Function constructors

Readd proxy for global object

+26 -2
+26 -2
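--- a/src/index.ts
+++ b/src/index.ts
@@ -10,6 +10,7 @@
   eval: true,
   module: true,
   exports: true,
+  makeSafeGlobal: true,
   __filename: true,
   __dirname: true,
   console: true,
@@ -51,7 +52,10 @@
   const keys = Object.getOwnPropertyNames(target)
   for (let i = 0; i < keys.length; i++) {
     const key = keys[i];
-    if (key !== 'prototype') {
+    if (
+      key !== 'prototype' &&
+      (typeof standin !== 'function' || (key !== 'arguments' && key !== 'caller'))
+    ) {
       Object.defineProperty(standin, key, {
         enumerable: true,
         get: safeKey(target, key)
@@ -134,7 +138,27 @@
   // It _might_ be safe to expose the Function constructor like this... who knows
   safeGlobal!.Function = SafeFunction;
   // Lastly, we also disallow certain property accesses on the safe global
-  return (safeGlobal = mask(safeGlobal!));
+  // Wrap any given target with a Proxy preventing access to unscopables
+  if (typeof Proxy === 'function') {
+    // Wrap the target in a Proxy that disallows access to some keys
+    return (safeGlobal = new Proxy(safeGlobal!, {
+      // Return a value, if it's allowed to be returned and mask this value
+      get(target, _key) {
+        const key = safeKey(target, _key);
+        return key !== undefined ? target[key] : undefined;
+      },
+      has(_target, _key) {
+        return true;
+      },
+      set: noop,
+      deleteProperty: noop,
+      defineProperty: noop,
+      getOwnPropertyDescriptor: noop,
+    }));
+  } else {
+    // NOTE: Some property accesses may leak through here without the Proxy
+    return (safeGlobal = mask(safeGlobal));
+  }
 }
 
 interface SafeFunction {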
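Review bot: The new `get` trap treats the result of `safeKey(target, _key)` as a property key (`target[key]`), while the `Object.defineProperty` call earlier in this file installs `safeKey(target, key)` directly as an accessor (`get: safeKey(target, key)`), which reads as if it returns a getter function. safeKey is defined outside the visible hunks, so its return type needs confirming; if it is a getter, `key !== undefined` is always true and the trap should invoke the returned function rather than index `target` with it. Separately, the `else` branch falls back to `mask(safeGlobal)` when `Proxy` is unavailable, which the NOTE itself says can leak property accesses. For a sandbox that is a fail-open path, so consider throwing there or documenting the weaker guarantee on the enclosing function (its signature is outside the hunk), and restore the non-null assertion the removed line had, `return (safeGlobal = mask(safeGlobal!));`.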