From 1df0eb5d50febe4634f65958a21849e8a9cce406 Mon Sep 17 00:00:00 2001
From: Rainer Hahnekamp <rainer.hahnekamp@gmail.com>
Date: Wed, 31 Jan 2024 15:07:19 +0100
Subject: [PATCH] fix(store-devtools): replace direct with indirect `eval`
 (#4216)

Closes #4213
---
 modules/store-devtools/spec/extension.spec.ts | 31 +++++++++++++++++++
 modules/store-devtools/src/extension.ts       |  3 +-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/modules/store-devtools/spec/extension.spec.ts b/modules/store-devtools/spec/extension.spec.ts
index d3d0f7908d..4285b802d4 100644
--- a/modules/store-devtools/spec/extension.spec.ts
+++ b/modules/store-devtools/spec/extension.spec.ts
@@ -4,6 +4,7 @@ import {
   ReduxDevtoolsExtensionConnection,
   ReduxDevtoolsExtensionConfig,
   REDUX_DEVTOOLS_EXTENSION,
+  ExtensionActionTypes,
 } from './../src/extension';
 import { Action } from '@ngrx/store';
 
@@ -182,6 +183,36 @@ describe('DevtoolsExtension', () => {
     );
   });
 
+  for (const { payload, name } of [
+    {
+      payload: "{type: '[Books] Rent', id: 5, customerId: 12}",
+      name: 'evaluates payload because of string',
+    },
+    {
+      payload: { type: '[Books] Rent', id: 5, customerId: 12 },
+      name: 'passes payload through if not of type string',
+    },
+  ]) {
+    it(`should handle an unlifted action (dispatched by DevTools) - ${name}`, () => {
+      const { devtoolsExtension, extensionConnection } = testSetup({
+        config: createConfig({}),
+      });
+      let unwrappedAction: Action | undefined = undefined;
+      devtoolsExtension.actions$.subscribe((action) => {
+        return (unwrappedAction = action);
+      });
+
+      const [callback] = extensionConnection.subscribe.calls.mostRecent().args;
+      callback({ type: ExtensionActionTypes.START });
+      callback({ type: ExtensionActionTypes.ACTION, payload });
+      expect(unwrappedAction).toEqual({
+        type: '[Books] Rent',
+        id: 5,
+        customerId: 12,
+      });
+    });
+  }
+
   describe('notify', () => {
     it('should send notification with default options', () => {
       const { devtoolsExtension, reduxDevtoolsExtension } = testSetup({
diff --git a/modules/store-devtools/src/extension.ts b/modules/store-devtools/src/extension.ts
index 685f581996..9838368bbd 100644
--- a/modules/store-devtools/src/extension.ts
+++ b/modules/store-devtools/src/extension.ts
@@ -247,7 +247,8 @@ export class DevtoolsExtension {
   }
 
   private unwrapAction(action: Action) {
-    return typeof action === 'string' ? eval(`(${action})`) : action;
+    // indirect eval according to https://esbuild.github.io/content-types/#direct-eval
+    return typeof action === 'string' ? (0, eval)(`(${action})`) : action;
   }
 
   private getExtensionConfig(config: StoreDevtoolsConfig) {