deps(package): Update static-eval to 2.0 #35

danez · 2017-10-20T13:14:49Z

Fixes https://nodesecurity.io/advisories/548

Fixes #34

Fixes https://nodesecurity.io/advisories/548

danez · 2017-10-20T13:20:23Z

Tests fail

❯ yarn test                         
yarn run v1.2.1
$ tape test/*.js
TAP version 13
# assign
ok 1 should be equal
ok 2 should be equal
ok 3 should be equal
# assign comma
ok 4 should be equal
ok 5 should be equal
ok 6 should be equal
# readFileSync
ok 7 should be equal
ok 8 should be equal
# readFileSync attribute
ok 9 should be equal
ok 10 should be equal
# readFileSync attribute with multiple vars
ok 11 should be equal
ok 12 should be equal
# readFileSync attribute with multiple require vars
ok 13 should be equal
ok 14 should be equal
# readFileSync attribute with multiple require vars including an uninitalized var
ok 15 should be equal
ok 16 should be equal
# readFileSync attribute with multiple require vars x5
ok 17 should be equal
ok 18 should be equal
# readFileSync with bracket notation
ok 19 should be equal
ok 20 should be equal
# readFileSync attribute bracket notation
ok 21 should be equal
ok 22 should be equal
# function
ok 23 should be equal
# fs.readFile
not ok 24 should be equal
  ---
    operator: equal
    expected:
      'process.nextTick(function(){(function (err, src) {\n    console.log(src)\n})(null,"beep boop\\n")})'
    actual:
      'fs.readFile(__dirname + \'/x.txt\', function (err, src) {\n    console.log(src)\n})'
    at: ConcatStream.<anonymous> (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/index.js:36:43)
  ...
undefined:4
fs.readFile(__dirname + '/x.txt', function (err, src) {
^

ReferenceError: fs is not defined
    at eval (eval at <anonymous> (/Users/danieltschinder/Documents/Github/static-module/test/fs.js:20:9), <anonymous>:4:1)
    at /Users/danieltschinder/Documents/Github/static-module/test/fs.js:20:35
    at ConcatStream.<anonymous> (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/index.js:36:43)
    at emitNone (events.js:110:20)
    at ConcatStream.emit (events.js:207:7)
    at finishMaybe (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/node_modules/readable-stream/lib/_stream_writable.js:607:14)
    at endWritable (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/node_modules/readable-stream/lib/_stream_writable.js:615:3)
    at ConcatStream.Writable.end (/Users/danieltschinder/Documents/Github/static-module/node_modules/concat-stream/node_modules/readable-stream/lib/_stream_writable.js:571:41)
    at DuplexWrapper.onend (/Users/danieltschinder/Documents/Github/static-module/node_modules/duplexer2/node_modules/readable-stream/lib/_stream_readable.js:537:10)
    at Object.onceWrapper (events.js:314:30)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

daviddias · 2017-11-10T10:26:26Z

👍

builds on #35, but when static-eval cannot evaluate a callback function because it is unsafe, this passes a proxy value. when the proxy callback function is called, it throws an error, but when it is stringified (eg in the generated output) it'll work. this works with brfs, i haven't tried others yet.

goto-bus-stop · 2017-11-18T22:48:17Z

yeah--latest static-eval no longer supports all callbacks. I'm not sure which are supported and which are not but that's what was changed to fix the security issue. i tried working around that limitation in #38

builds on #35, but when static-eval cannot evaluate a callback function because it is unsafe, this passes a proxy value. when the proxy callback function is called, it throws an error, but when it is stringified (eg in the generated output) it'll work. this works with brfs, i haven't tried others yet.

* deps(package): Update static-eval to 2.0 Fixes https://nodesecurity.io/advisories/548 * use proxy value for callbacks when static-eval fails builds on #35, but when static-eval cannot evaluate a callback function because it is unsafe, this passes a proxy value. when the proxy callback function is called, it throws an error, but when it is stringified (eg in the generated output) it'll work. this works with brfs, i haven't tried others yet. * make sure `callee` exists * ci: remove node 0.8, add new versions

yoshuawuyts · 2017-11-21T13:46:00Z

@goto-bus-stop looks like #38 fixes most of it?

goto-bus-stop · 2017-11-21T13:50:12Z

Yep! Thought this would autoclose. Thanks for the reminder

deps(package): Update static-eval to 2.0

d6c8972

Fixes https://nodesecurity.io/advisories/548

dryajov mentioned this pull request Oct 20, 2017

fix: progress bar flakiness ipfs/js-ipfs#1042

Merged

ByCnck mentioned this pull request Oct 23, 2017

Problem caused by static_eval AschPlatform/asch#46

Closed

avindra mentioned this pull request Oct 31, 2017

Please enable Travis on PRs #37

Closed

yoshuawuyts mentioned this pull request Nov 14, 2017

Babelify config for Browserify does not work with rc10 choojs/bankai#329

Closed

goto-bus-stop mentioned this pull request Nov 18, 2017

update static-eval, closes #34, #35 #38

Merged

goto-bus-stop closed this Nov 21, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deps(package): Update static-eval to 2.0 #35

deps(package): Update static-eval to 2.0 #35

danez commented Oct 20, 2017 •

edited

Loading

danez commented Oct 20, 2017

daviddias commented Nov 10, 2017

goto-bus-stop commented Nov 18, 2017

yoshuawuyts commented Nov 21, 2017

goto-bus-stop commented Nov 21, 2017

deps(package): Update static-eval to 2.0 #35

deps(package): Update static-eval to 2.0 #35

Conversation

danez commented Oct 20, 2017 • edited Loading

danez commented Oct 20, 2017

daviddias commented Nov 10, 2017

goto-bus-stop commented Nov 18, 2017

yoshuawuyts commented Nov 21, 2017

goto-bus-stop commented Nov 21, 2017

danez commented Oct 20, 2017 •

edited

Loading