ecma-evaluator 2.0.2 → 2.0.5

package/dist/cjs/index.cjs

@@ -29,6 +29,9 @@ __webpack_require__.d(__webpack_exports__, {
     evalTemplate: function() {
         return evalTemplate;
     },
+    TemplateParser: function() {
+        return TemplateParser_TemplateParser;
+    },
     evalExpression: function() {
         return evalExpression;
     },
@@ -38,6 +41,31 @@ __webpack_require__.d(__webpack_exports__, {
 });
 var external_acorn_namespaceObject = require("acorn");
 var external_globals_namespaceObject = require("globals");
+function _array_like_to_array(arr, len) {
+    if (null == len || len > arr.length) len = arr.length;
+    for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
+    return arr2;
+}
+function _array_without_holes(arr) {
+    if (Array.isArray(arr)) return _array_like_to_array(arr);
+}
+function _iterable_to_array(iter) {
+    if ("undefined" != typeof Symbol && null != iter[Symbol.iterator] || null != iter["@@iterator"]) return Array.from(iter);
+}
+function _non_iterable_spread() {
+    throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+}
+function _to_consumable_array(arr) {
+    return _array_without_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_spread();
+}
+function _unsupported_iterable_to_array(o, minLen) {
+    if (!o) return;
+    if ("string" == typeof o) return _array_like_to_array(o, minLen);
+    var n = Object.prototype.toString.call(o).slice(8, -1);
+    if ("Object" === n && o.constructor) n = o.constructor.name;
+    if ("Map" === n || "Set" === n) return Array.from(n);
+    if ("Arguments" === n || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
+}
 var mutableMethods = [
     "Array.prototype.push",
     "Array.prototype.pop",
@@ -55,6 +83,8 @@ var mutableMethods = [
     "Object.freeze",
     "Object.setPrototypeOf",
     "Object.assign",
+    "Object.prototype.__defineGetter__",
+    "Object.prototype.__defineSetter__",
     "Reflect.set",
     "Reflect.defineProperty",
     "Reflect.deleteProperty",
@@ -176,9 +206,73 @@ var mutableMethods = [
     "FormData.prototype.set",
     "Headers.prototype.append",
     "Headers.prototype.delete",
-    "Headers.prototype.set"
+    "Headers.prototype.set",
+    "Function.prototype.call",
+    "Function.prototype.apply",
+    "Function.prototype.bind",
+    "Function.prototype.constructor",
+    "Object.prototype.__lookupGetter__",
+    "Object.prototype.__lookupSetter__",
+    "Object.prototype.constructor"
 ];
-function _array_like_to_array(arr, len) {
+var dangerousMethods = [
+    "Object.getPrototypeOf",
+    "Object.getOwnPropertyDescriptor",
+    "Object.getOwnPropertyDescriptors",
+    "Object.getOwnPropertyNames",
+    "Object.getOwnPropertySymbols",
+    "Object.getOwnPropertyDescriptors"
+];
+mutableMethods.push("Object.prototype.__proto__");
+var blockedMethods = _to_consumable_array(mutableMethods).concat(_to_consumable_array(dangerousMethods));
+var blockedGlobalBuiltIns = [
+    "Function",
+    "GeneratorFunction",
+    "AsyncFunction",
+    "AsyncGeneratorFunction",
+    "eval",
+    "setTimeout",
+    "setInterval",
+    "clearTimeout",
+    "clearInterval",
+    "setImmediate",
+    "XMLHttpRequest",
+    "fetch",
+    "WebSocket",
+    "globalThis",
+    "process",
+    "require",
+    "module",
+    "exports",
+    "global",
+    "Buffer",
+    "setImmediate",
+    "clearImmediate",
+    "importScripts",
+    "Worker",
+    "SharedWorker",
+    "ServiceWorker",
+    "BroadcastChannel",
+    "MessageChannel",
+    "MessagePort",
+    "postMessage",
+    "window",
+    "document",
+    "navigator",
+    "location",
+    "localStorage",
+    "sessionStorage",
+    "indexedDB",
+    "performance",
+    "Proxy",
+    "Reflect",
+    "Atomics",
+    "WebAssembly",
+    "console",
+    "Intl",
+    "Deno"
+];
+function Evaluator_array_like_to_array(arr, len) {
     if (null == len || len > arr.length) len = arr.length;
     for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
     return arr2;
@@ -186,8 +280,8 @@ function _array_like_to_array(arr, len) {
 function _array_with_holes(arr) {
     if (Array.isArray(arr)) return arr;
 }
-function _array_without_holes(arr) {
-    if (Array.isArray(arr)) return _array_like_to_array(arr);
+function Evaluator_array_without_holes(arr) {
+    if (Array.isArray(arr)) return Evaluator_array_like_to_array(arr);
 }
 function _class_call_check(instance, Constructor) {
     if (!(instance instanceof Constructor)) throw new TypeError("Cannot call a class as a function");
@@ -223,13 +317,13 @@ function _instanceof(left, right) {
     if (null != right && "undefined" != typeof Symbol && right[Symbol.hasInstance]) return !!right[Symbol.hasInstance](left);
     return left instanceof right;
 }
-function _iterable_to_array(iter) {
+function Evaluator_iterable_to_array(iter) {
     if ("undefined" != typeof Symbol && null != iter[Symbol.iterator] || null != iter["@@iterator"]) return Array.from(iter);
 }
 function _non_iterable_rest() {
     throw new TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
 }
-function _non_iterable_spread() {
+function Evaluator_non_iterable_spread() {
     throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
 }
 function _set_prototype_of(o, p) {
@@ -240,21 +334,21 @@ function _set_prototype_of(o, p) {
     return _set_prototype_of(o, p);
 }
 function _to_array(arr) {
-    return _array_with_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_rest();
+    return _array_with_holes(arr) || Evaluator_iterable_to_array(arr) || Evaluator_unsupported_iterable_to_array(arr) || _non_iterable_rest();
 }
-function _to_consumable_array(arr) {
-    return _array_without_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_spread();
+function Evaluator_to_consumable_array(arr) {
+    return Evaluator_array_without_holes(arr) || Evaluator_iterable_to_array(arr) || Evaluator_unsupported_iterable_to_array(arr) || Evaluator_non_iterable_spread();
 }
 function _type_of(obj) {
     return obj && "undefined" != typeof Symbol && obj.constructor === Symbol ? "symbol" : typeof obj;
 }
-function _unsupported_iterable_to_array(o, minLen) {
+function Evaluator_unsupported_iterable_to_array(o, minLen) {
     if (!o) return;
-    if ("string" == typeof o) return _array_like_to_array(o, minLen);
+    if ("string" == typeof o) return Evaluator_array_like_to_array(o, minLen);
     var n = Object.prototype.toString.call(o).slice(8, -1);
     if ("Object" === n && o.constructor) n = o.constructor.name;
     if ("Map" === n || "Set" === n) return Array.from(n);
-    if ("Arguments" === n || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
+    if ("Arguments" === n || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return Evaluator_array_like_to_array(o, minLen);
 }
 function _is_native_reflect_construct() {
     try {
@@ -266,14 +360,17 @@ function _is_native_reflect_construct() {
 }
 var ERROR_MESSAGES = {
     DELETE_NOT_SUPPORTED: "Delete operator is not allow",
-    MUTABLE_METHOD: "Mutable method is not allowed",
     NEW_FUNCTION_NOT_ALLOWED: "Cannot use new with Function constructor",
     NOT_A_FUNCTION: "is not a function",
     PROPERTY_READ_ERROR: "Cannot read property",
     VARIABLE_NOT_DEFINED: "is not defined",
     FUNCTION_CONSTRUCTOR_NOT_ALLOWED: "Function constructor is not allowed",
     THIS_NOT_ALLOWED: "'this' keyword is not allowed",
-    NOT_A_VALID_SYNTAX: "is not a valid syntax"
+    NOT_A_VALID_SYNTAX: "is not a valid syntax",
+    ACCESSING_PROTOTYPE_NOT_ALLOWED: "Accessing prototype properties is not allowed",
+    WITH_NOT_ALLOWED: "'with' statement is not allowed",
+    FUNCTION_EXPRESSION_NOT_ALLOWED: "Function expressions are not allowed",
+    METHOD_NOT_ALLOWED: "is not allowed"
 };
 var BINARY_OPERATION_MAP = {
     "+": function(a, b) {
@@ -346,17 +443,15 @@ var BINARY_OPERATION_MAP = {
 function createGlobalScope() {
     var scope = Object.create(null);
     var builtin = external_globals_namespaceObject.builtin;
-    Object.keys(builtin).forEach(function(key) {
-        if (key in globalThis && "eval" !== key && "globalThis" !== key) {
-            var isWritable = builtin[key];
-            Object.defineProperty(scope, key, {
-                value: globalThis[key],
-                writable: isWritable,
-                enumerable: false,
-                configurable: false
-            });
-        }
-    });
+    for(var key in builtin)if (!blockedGlobalBuiltIns.includes(key)) {
+        var isWritable = builtin[key];
+        Object.defineProperty(scope, key, {
+            value: globalThis[key],
+            writable: isWritable,
+            enumerable: false,
+            configurable: false
+        });
+    }
     Object.defineProperty(scope, "globalThis", {
         value: scope,
         writable: false,
@@ -365,14 +460,14 @@ function createGlobalScope() {
     });
     return scope;
 }
-var getMutableMethods = function() {
-    var MUTABLE_METHODS = null;
+var getBlockedMethods = function() {
+    var BLOCKED_METHODS = null;
     return function() {
-        if (MUTABLE_METHODS) return MUTABLE_METHODS;
-        var set = new Set();
+        if (BLOCKED_METHODS) return BLOCKED_METHODS;
+        var map = new Map();
         var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = void 0;
         try {
-            for(var _iterator = mutableMethods[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
+            for(var _iterator = blockedMethods[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
                 var path = _step.value;
                 var _path_split = _to_array(path.split(".")), object = _path_split[0], properties = _path_split.slice(1);
                 var current = globalThis[object];
@@ -396,7 +491,7 @@ var getMutableMethods = function() {
                         if (_didIteratorError1) throw _iteratorError1;
                     }
                 }
-                if ("function" == typeof current) set.add(current);
+                if ("function" == typeof current) map.set(current, path);
             }
         } catch (err) {
             _didIteratorError = true;
@@ -408,8 +503,8 @@ var getMutableMethods = function() {
                 if (_didIteratorError) throw _iteratorError;
             }
         }
-        MUTABLE_METHODS = set;
-        return MUTABLE_METHODS;
+        BLOCKED_METHODS = map;
+        return BLOCKED_METHODS;
     };
 }();
 var Evaluator_Evaluator = /*#__PURE__*/ function() {
@@ -480,14 +575,14 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                         return node.value;
                     case "MemberExpression":
                         return this.handleMemberExpression(node);
-                    case "ObjectExpression":
-                        return this.handleObjectExpression(node);
                     case "ArrayExpression":
                         return this.handleArrayExpression(node);
                     case "SpreadElement":
                         return this.handleSpreadElement(node);
                     case "ObjectExpression":
                         return this.handleObjectExpression(node);
+                    case "FunctionExpression":
+                        throw new Error(ERROR_MESSAGES.FUNCTION_EXPRESSION_NOT_ALLOWED);
                     case "ArrowFunctionExpression":
                         return this.handleArrowFunctionExpression(node);
                     case "CallExpression":
@@ -501,13 +596,15 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                         var args = node.arguments.length ? node.arguments.map(function(arg) {
                             return _this.visit(arg);
                         }) : [];
-                        return _construct(Constructor, _to_consumable_array(args));
+                        return _construct(Constructor, Evaluator_to_consumable_array(args));
                     case "ChainExpression":
                         return this.visit(node.expression);
                     case "TemplateLiteral":
                         return this.handleTemplateLiteral(node);
                     case "ThisExpression":
                         throw new Error(ERROR_MESSAGES.THIS_NOT_ALLOWED);
+                    case "WithStatement":
+                        throw new Error(ERROR_MESSAGES.WITH_NOT_ALLOWED);
                     default:
                         var content = this.source.slice(node.start, node.end);
                         if (content.length > 20) content = content.slice(0, 17) + "...";
@@ -595,6 +692,7 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                 var object = this.visit(node.object);
                 var isStaticProperty = "Identifier" === node.property.type && !node.computed;
                 var property = isStaticProperty ? node.property.name : this.visit(node.property);
+                if (null != object && object[property] === (null == object ? void 0 : object.__proto__)) throw new Error(ERROR_MESSAGES.ACCESSING_PROTOTYPE_NOT_ALLOWED);
                 if (null == object) {
                     if (node.optional) return;
                     throw new TypeError("".concat(ERROR_MESSAGES.PROPERTY_READ_ERROR, " '").concat(property, "' of ").concat(object));
@@ -602,6 +700,21 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                 return object[property];
             }
         },
+        {
+            key: "handleArrayExpression",
+            value: function(node) {
+                var result = [];
+                for(var i = 0; i < node.elements.length; i++){
+                    var element = node.elements.at(i);
+                    var value = this.visit(element);
+                    if ("SpreadElement" === element.type) {
+                        var _result;
+                        (_result = result).push.apply(_result, Evaluator_to_consumable_array(value));
+                    } else result.push(value);
+                }
+                return result;
+            }
+        },
         {
             key: "handleObjectExpression",
             value: function(node) {
@@ -631,21 +744,6 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                 return obj;
             }
         },
-        {
-            key: "handleArrayExpression",
-            value: function(node) {
-                var result = [];
-                for(var i = 0; i < node.elements.length; i++){
-                    var element = node.elements.at(i);
-                    var value = this.visit(element);
-                    if ("SpreadElement" === element.type) {
-                        var _result;
-                        (_result = result).push.apply(_result, _to_consumable_array(value));
-                    } else result.push(value);
-                }
-                return result;
-            }
-        },
         {
             key: "handleSpreadElement",
             value: function(node) {
@@ -672,10 +770,6 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
             key: "handleCallExpression",
             value: function(node) {
                 var _this = this;
-                if ("MemberExpression" === node.callee.type) {
-                    var object = this.visit(node.callee.object);
-                    if (getMutableMethods().has(object)) throw new Error(ERROR_MESSAGES.MUTABLE_METHOD);
-                }
                 var calledString = getNodeString(node.callee);
                 var func = this.visit(node.callee);
                 if ("function" != typeof func) {
@@ -684,6 +778,10 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                     throw new TypeError("".concat(calledString, " ").concat(ERROR_MESSAGES.NOT_A_FUNCTION));
                 }
                 if (func === Function) throw new Error(ERROR_MESSAGES.FUNCTION_CONSTRUCTOR_NOT_ALLOWED);
+                if (getBlockedMethods().has(func)) {
+                    var path = getBlockedMethods().get(func);
+                    throw new Error("".concat(path, " ").concat(ERROR_MESSAGES.METHOD_NOT_ALLOWED));
+                }
                 var args = function() {
                     if (0 === node.arguments.length) return [];
                     var result = [];
@@ -692,12 +790,11 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                         var value = _this.visit(element);
                         if ("SpreadElement" === element.type) {
                             var _result;
-                            (_result = result).push.apply(_result, _to_consumable_array(value));
+                            (_result = result).push.apply(_result, Evaluator_to_consumable_array(value));
                         } else result.push(value);
                     }
                     return result;
                 }();
-                if (getMutableMethods().has(func)) throw new Error(ERROR_MESSAGES.MUTABLE_METHOD);
                 var target = "MemberExpression" === node.callee.type ? this.visit(node.callee.object) : null;
                 return func.apply(target, args);
             }
@@ -936,10 +1033,12 @@ function evalTemplate(template, context, templateParserOptions) {
     return result;
 }
 exports.Evaluator = __webpack_exports__.Evaluator;
+exports.TemplateParser = __webpack_exports__.TemplateParser;
 exports.evalExpression = __webpack_exports__.evalExpression;
 exports.evalTemplate = __webpack_exports__.evalTemplate;
 for(var __webpack_i__ in __webpack_exports__)if (-1 === [
     "Evaluator",
+    "TemplateParser",
     "evalExpression",
     "evalTemplate"
 ].indexOf(__webpack_i__)) exports[__webpack_i__] = __webpack_exports__[__webpack_i__];