npm - ecma-evaluator - Versions diffs - 2.0.4 → 2.0.6 - Mend

ecma-evaluator 2.0.4 → 2.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/esm/index.mjs CHANGED Viewed

@@ -1,5 +1,30 @@
 import { parse as external_acorn_parse } from "acorn";
 import globals from "globals";
+function _array_like_to_array(arr, len) {
+    if (null == len || len > arr.length) len = arr.length;
+    for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
+    return arr2;
+}
+function _array_without_holes(arr) {
+    if (Array.isArray(arr)) return _array_like_to_array(arr);
+}
+function _iterable_to_array(iter) {
+    if ("undefined" != typeof Symbol && null != iter[Symbol.iterator] || null != iter["@@iterator"]) return Array.from(iter);
+}
+function _non_iterable_spread() {
+    throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+}
+function _to_consumable_array(arr) {
+    return _array_without_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_spread();
+}
+function _unsupported_iterable_to_array(o, minLen) {
+    if (!o) return;
+    if ("string" == typeof o) return _array_like_to_array(o, minLen);
+    var n = Object.prototype.toString.call(o).slice(8, -1);
+    if ("Object" === n && o.constructor) n = o.constructor.name;
+    if ("Map" === n || "Set" === n) return Array.from(n);
+    if ("Arguments" === n || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
+}
 var mutableMethods = [
     "Array.prototype.push",
     "Array.prototype.pop",
@@ -17,6 +42,8 @@ var mutableMethods = [
     "Object.freeze",
     "Object.setPrototypeOf",
     "Object.assign",
+    "Object.prototype.__defineGetter__",
+    "Object.prototype.__defineSetter__",
     "Reflect.set",
     "Reflect.defineProperty",
     "Reflect.deleteProperty",
@@ -138,9 +165,73 @@ var mutableMethods = [
     "FormData.prototype.set",
     "Headers.prototype.append",
     "Headers.prototype.delete",
-    "Headers.prototype.set"
+    "Headers.prototype.set",
+    "Function.prototype.call",
+    "Function.prototype.apply",
+    "Function.prototype.bind",
+    "Function.prototype.constructor",
+    "Object.prototype.__lookupGetter__",
+    "Object.prototype.__lookupSetter__",
+    "Object.prototype.constructor"
 ];
-function _array_like_to_array(arr, len) {
+var dangerousMethods = [
+    "Object.getPrototypeOf",
+    "Object.getOwnPropertyDescriptor",
+    "Object.getOwnPropertyDescriptors",
+    "Object.getOwnPropertyNames",
+    "Object.getOwnPropertySymbols",
+    "Object.getOwnPropertyDescriptors"
+];
+mutableMethods.push("Object.prototype.__proto__");
+var blockedMethods = _to_consumable_array(mutableMethods).concat(_to_consumable_array(dangerousMethods));
+var blockedGlobalBuiltIns = [
+    "Function",
+    "GeneratorFunction",
+    "AsyncFunction",
+    "AsyncGeneratorFunction",
+    "eval",
+    "setTimeout",
+    "setInterval",
+    "clearTimeout",
+    "clearInterval",
+    "setImmediate",
+    "XMLHttpRequest",
+    "fetch",
+    "WebSocket",
+    "globalThis",
+    "process",
+    "require",
+    "module",
+    "exports",
+    "global",
+    "Buffer",
+    "setImmediate",
+    "clearImmediate",
+    "importScripts",
+    "Worker",
+    "SharedWorker",
+    "ServiceWorker",
+    "BroadcastChannel",
+    "MessageChannel",
+    "MessagePort",
+    "postMessage",
+    "window",
+    "document",
+    "navigator",
+    "location",
+    "localStorage",
+    "sessionStorage",
+    "indexedDB",
+    "performance",
+    "Proxy",
+    "Reflect",
+    "Atomics",
+    "WebAssembly",
+    "console",
+    "Intl",
+    "Deno"
+];
+function Evaluator_array_like_to_array(arr, len) {
     if (null == len || len > arr.length) len = arr.length;
     for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
     return arr2;
@@ -148,8 +239,8 @@ function _array_like_to_array(arr, len) {
 function _array_with_holes(arr) {
     if (Array.isArray(arr)) return arr;
 }
-function _array_without_holes(arr) {
-    if (Array.isArray(arr)) return _array_like_to_array(arr);
+function Evaluator_array_without_holes(arr) {
+    if (Array.isArray(arr)) return Evaluator_array_like_to_array(arr);
 }
 function _class_call_check(instance, Constructor) {
     if (!(instance instanceof Constructor)) throw new TypeError("Cannot call a class as a function");
@@ -185,13 +276,13 @@ function _instanceof(left, right) {
     if (null != right && "undefined" != typeof Symbol && right[Symbol.hasInstance]) return !!right[Symbol.hasInstance](left);
     return left instanceof right;
 }
-function _iterable_to_array(iter) {
+function Evaluator_iterable_to_array(iter) {
     if ("undefined" != typeof Symbol && null != iter[Symbol.iterator] || null != iter["@@iterator"]) return Array.from(iter);
 }
 function _non_iterable_rest() {
     throw new TypeError("Invalid attempt to destructure non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
 }
-function _non_iterable_spread() {
+function Evaluator_non_iterable_spread() {
     throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
 }
 function _set_prototype_of(o, p) {
@@ -202,21 +293,21 @@ function _set_prototype_of(o, p) {
     return _set_prototype_of(o, p);
 }
 function _to_array(arr) {
-    return _array_with_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_rest();
+    return _array_with_holes(arr) || Evaluator_iterable_to_array(arr) || Evaluator_unsupported_iterable_to_array(arr) || _non_iterable_rest();
 }
-function _to_consumable_array(arr) {
-    return _array_without_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_spread();
+function Evaluator_to_consumable_array(arr) {
+    return Evaluator_array_without_holes(arr) || Evaluator_iterable_to_array(arr) || Evaluator_unsupported_iterable_to_array(arr) || Evaluator_non_iterable_spread();
 }
 function _type_of(obj) {
     return obj && "undefined" != typeof Symbol && obj.constructor === Symbol ? "symbol" : typeof obj;
 }
-function _unsupported_iterable_to_array(o, minLen) {
+function Evaluator_unsupported_iterable_to_array(o, minLen) {
     if (!o) return;
-    if ("string" == typeof o) return _array_like_to_array(o, minLen);
+    if ("string" == typeof o) return Evaluator_array_like_to_array(o, minLen);
     var n = Object.prototype.toString.call(o).slice(8, -1);
     if ("Object" === n && o.constructor) n = o.constructor.name;
     if ("Map" === n || "Set" === n) return Array.from(n);
-    if ("Arguments" === n || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
+    if ("Arguments" === n || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return Evaluator_array_like_to_array(o, minLen);
 }
 function _is_native_reflect_construct() {
     try {
@@ -227,15 +318,17 @@ function _is_native_reflect_construct() {
     })();
 }
 var ERROR_MESSAGES = {
-    DELETE_NOT_SUPPORTED: "Delete operator is not allow",
-    MUTABLE_METHOD: "Mutable method is not allowed",
-    NEW_FUNCTION_NOT_ALLOWED: "Cannot use new with Function constructor",
-    NOT_A_FUNCTION: "is not a function",
-    PROPERTY_READ_ERROR: "Cannot read property",
-    VARIABLE_NOT_DEFINED: "is not defined",
-    FUNCTION_CONSTRUCTOR_NOT_ALLOWED: "Function constructor is not allowed",
-    THIS_NOT_ALLOWED: "'this' keyword is not allowed",
-    NOT_A_VALID_SYNTAX: "is not a valid syntax"
+    CAN_NOT_READ_PROPERTY: "Cannot read property of {0} (reading '{1}')",
+    IS_NOT_FUNCTION: "{0} is not a function",
+    IS_NOT_DEFINED: "{0} is not defined",
+    IS_NOT_VALID_SYNTAX: "{0} is not a valid syntax",
+    IS_NOT_ALLOWED: "{0} is not allowed"
+};
+var renderErrorMessage = function(template) {
+    var context = arguments.length > 1 && void 0 !== arguments[1] ? arguments[1] : {};
+    return template.replace(/{(\w+)}/g, function(_, key) {
+        return String(context[key]);
+    });
 };
 var BINARY_OPERATION_MAP = {
     "+": function(a, b) {
@@ -308,17 +401,15 @@ var BINARY_OPERATION_MAP = {
 function createGlobalScope() {
     var scope = Object.create(null);
     var builtin = globals.builtin;
-    Object.keys(builtin).forEach(function(key) {
-        if (key in globalThis && "eval" !== key && "globalThis" !== key) {
-            var isWritable = builtin[key];
-            Object.defineProperty(scope, key, {
-                value: globalThis[key],
-                writable: isWritable,
-                enumerable: false,
-                configurable: false
-            });
-        }
-    });
+    for(var key in builtin)if (!blockedGlobalBuiltIns.includes(key)) {
+        var isWritable = builtin[key];
+        Object.defineProperty(scope, key, {
+            value: globalThis[key],
+            writable: isWritable,
+            enumerable: false,
+            configurable: false
+        });
+    }
     Object.defineProperty(scope, "globalThis", {
         value: scope,
         writable: false,
@@ -327,14 +418,14 @@ function createGlobalScope() {
     });
     return scope;
 }
-var getMutableMethods = function() {
-    var MUTABLE_METHODS = null;
+var getBlockedMethods = function() {
+    var BLOCKED_METHODS = null;
     return function() {
-        if (MUTABLE_METHODS) return MUTABLE_METHODS;
-        var set = new Set();
+        if (BLOCKED_METHODS) return BLOCKED_METHODS;
+        var map = new Map();
         var _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = void 0;
         try {
-            for(var _iterator = mutableMethods[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
+            for(var _iterator = blockedMethods[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
                 var path = _step.value;
                 var _path_split = _to_array(path.split(".")), object = _path_split[0], properties = _path_split.slice(1);
                 var current = globalThis[object];
@@ -358,7 +449,7 @@ var getMutableMethods = function() {
                         if (_didIteratorError1) throw _iteratorError1;
                     }
                 }
-                if ("function" == typeof current) set.add(current);
+                if ("function" == typeof current) map.set(current, path);
             }
         } catch (err) {
             _didIteratorError = true;
@@ -370,8 +461,8 @@ var getMutableMethods = function() {
                 if (_didIteratorError) throw _iteratorError;
             }
         }
-        MUTABLE_METHODS = set;
-        return MUTABLE_METHODS;
+        BLOCKED_METHODS = map;
+        return BLOCKED_METHODS;
     };
 }();
 var Evaluator_Evaluator = /*#__PURE__*/ function() {
@@ -448,6 +539,10 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                         return this.handleSpreadElement(node);
                     case "ObjectExpression":
                         return this.handleObjectExpression(node);
+                    case "FunctionExpression":
+                        throw new Error(renderErrorMessage(ERROR_MESSAGES.IS_NOT_ALLOWED, [
+                            "Function expression"
+                        ]));
                     case "ArrowFunctionExpression":
                         return this.handleArrowFunctionExpression(node);
                     case "CallExpression":
@@ -456,22 +551,32 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                         return this.visit(node.test) ? this.visit(node.consequent) : this.visit(node.alternate);
                     case "NewExpression":
                         if ("Identifier" !== node.callee.type) throw new Error("Unsupported callee type '".concat(node.callee.type, "' in new expression"));
-                        if ("Function" === node.callee.name) throw new Error(ERROR_MESSAGES.NEW_FUNCTION_NOT_ALLOWED);
+                        if ("Function" === node.callee.name) throw new Error(renderErrorMessage(ERROR_MESSAGES.IS_NOT_ALLOWED, [
+                            "new Function() constructor"
+                        ]));
                         var Constructor = this.visit(node.callee);
                         var args = node.arguments.length ? node.arguments.map(function(arg) {
                             return _this.visit(arg);
                         }) : [];
-                        return _construct(Constructor, _to_consumable_array(args));
+                        return _construct(Constructor, Evaluator_to_consumable_array(args));
                     case "ChainExpression":
                         return this.visit(node.expression);
                     case "TemplateLiteral":
                         return this.handleTemplateLiteral(node);
                     case "ThisExpression":
-                        throw new Error(ERROR_MESSAGES.THIS_NOT_ALLOWED);
+                        throw new Error(renderErrorMessage(ERROR_MESSAGES.IS_NOT_ALLOWED, [
+                            "'this' expression"
+                        ]));
+                    case "WithStatement":
+                        throw new Error(renderErrorMessage(ERROR_MESSAGES.IS_NOT_ALLOWED, [
+                            "'with' statement"
+                        ]));
                     default:
                         var content = this.source.slice(node.start, node.end);
                         if (content.length > 20) content = content.slice(0, 17) + "...";
-                        throw new Error("'".concat(content, "'") + " " + ERROR_MESSAGES.NOT_A_VALID_SYNTAX);
+                        throw new Error("'".concat(content, "'") + " " + renderErrorMessage(ERROR_MESSAGES.IS_NOT_VALID_SYNTAX, [
+                            content
+                        ]));
                 }
             }
         },
@@ -520,7 +625,9 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                     case "void":
                         return void this.visit(node.argument);
                     case "delete":
-                        throw new Error(ERROR_MESSAGES.DELETE_NOT_SUPPORTED);
+                        throw new Error(renderErrorMessage(ERROR_MESSAGES.IS_NOT_ALLOWED, [
+                            "Delete operator"
+                        ]));
                     default:
                         throw new Error("Unsupported unary operator: ".concat(node.operator));
                 }
@@ -546,7 +653,9 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                         if (_didIteratorError) throw _iteratorError;
                     }
                 }
-                throw new ReferenceError("".concat(name, " ").concat(ERROR_MESSAGES.VARIABLE_NOT_DEFINED));
+                throw new ReferenceError(renderErrorMessage(ERROR_MESSAGES.IS_NOT_DEFINED, [
+                    name
+                ]));
             }
         },
         {
@@ -555,9 +664,15 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                 var object = this.visit(node.object);
                 var isStaticProperty = "Identifier" === node.property.type && !node.computed;
                 var property = isStaticProperty ? node.property.name : this.visit(node.property);
+                if (null != object && object[property] === (null == object ? void 0 : object.__proto__)) throw new Error(renderErrorMessage(ERROR_MESSAGES.IS_NOT_ALLOWED, [
+                    "Accessing prototype properties"
+                ]));
                 if (null == object) {
                     if (node.optional) return;
-                    throw new TypeError("".concat(ERROR_MESSAGES.PROPERTY_READ_ERROR, " '").concat(property, "' of ").concat(object));
+                    throw new TypeError(renderErrorMessage(ERROR_MESSAGES.CAN_NOT_READ_PROPERTY, [
+                        object,
+                        property
+                    ]));
                 }
                 return object[property];
             }
@@ -571,7 +686,7 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                     var value = this.visit(element);
                     if ("SpreadElement" === element.type) {
                         var _result;
-                        (_result = result).push.apply(_result, _to_consumable_array(value));
+                        (_result = result).push.apply(_result, Evaluator_to_consumable_array(value));
                     } else result.push(value);
                 }
                 return result;
@@ -632,18 +747,18 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
             key: "handleCallExpression",
             value: function(node) {
                 var _this = this;
-                if ("MemberExpression" === node.callee.type) {
-                    var object = this.visit(node.callee.object);
-                    if (getMutableMethods().has(object)) throw new Error(ERROR_MESSAGES.MUTABLE_METHOD);
-                }
-                var calledString = getNodeString(node.callee);
                 var func = this.visit(node.callee);
-                if ("function" != typeof func) {
-                    var isOptional = node.optional || node.callee.optional;
-                    if (null == func && isOptional) return;
-                    throw new TypeError("".concat(calledString, " ").concat(ERROR_MESSAGES.NOT_A_FUNCTION));
+                var isOptional = node.optional || node.callee.optional;
+                if (null == func && isOptional) return;
+                if (func === Function) throw new Error(renderErrorMessage(ERROR_MESSAGES.IS_NOT_ALLOWED, [
+                    "Function constructor"
+                ]));
+                if (getBlockedMethods().has(func)) {
+                    var path = getBlockedMethods().get(func);
+                    throw new Error(renderErrorMessage(ERROR_MESSAGES.IS_NOT_ALLOWED, [
+                        path
+                    ]));
                 }
-                if (func === Function) throw new Error(ERROR_MESSAGES.FUNCTION_CONSTRUCTOR_NOT_ALLOWED);
                 var args = function() {
                     if (0 === node.arguments.length) return [];
                     var result = [];
@@ -652,13 +767,18 @@ var Evaluator_Evaluator = /*#__PURE__*/ function() {
                         var value = _this.visit(element);
                         if ("SpreadElement" === element.type) {
                             var _result;
-                            (_result = result).push.apply(_result, _to_consumable_array(value));
+                            (_result = result).push.apply(_result, Evaluator_to_consumable_array(value));
                         } else result.push(value);
                     }
                     return result;
                 }();
-                if (getMutableMethods().has(func)) throw new Error(ERROR_MESSAGES.MUTABLE_METHOD);
                 var target = "MemberExpression" === node.callee.type ? this.visit(node.callee.object) : null;
+                if ("function" != typeof func) {
+                    var calledString = getNodeString(node.callee);
+                    throw new TypeError(renderErrorMessage(ERROR_MESSAGES.IS_NOT_FUNCTION, [
+                        calledString
+                    ]));
+                }
                 return func.apply(target, args);
             }
         },