
@protobufjs/inquire violates default content security policy #997

Open

sherlock1982 opened this issue Mar 9, 2018 · 6 comments
Comments

@sherlock1982

sherlock1982 commented Mar 9, 2018

protobuf.js version: 6.8.6

There's some special code inside @protobufjs/inquire:

```js
function inquire(moduleName) {
    try {
        var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
        if (mod && (mod.length || Object.keys(mod).length))
            return mod;
    } catch (e) {} // eslint-disable-line no-empty
    return null;
}
```

If I apply "Content-Security-Policy" without additional exceptions to allow eval, then it's prohibited. Actually it's the only eval in my ~1Mb minified file.
Probably there's a way to avoid it and become CSP compliant?

UPD: I'm using the minimal variant with everything built in.

@pietrodn

I have the same problem. Electron 2.0.0 now prints out a warning if the web page has no Content-Security-Policy, or if it has one but unsafe-eval is enabled.
For now, protobufjs forces us to keep unsafe-eval enabled.

@arturjanc

From the perspective of a security engineer who deploys Content Security Policy across a large number of applications, it would be great to have this code refactored to not rely on eval(), so that it doesn't force its users to set unsafe-eval in their CSP.

If this is difficult to refactor, just making sure that this is only executed in non-browser environments would be a reasonable workaround.

@LancerComet

How about using new Function instead of eval?

```js
const mod = new Function("id", "return require(id)")(moduleName)
```

@arturjanc

new Function() is subject to the same CSP restrictions as eval():
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_eval_expressions
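As an added illustration of the point made in this thread (this is example code, not from protobuf.js or any commenter): the check below takes a `Content-Security-Policy` header value and reports whether a page under that policy could execute the `eval()` / `new Function()` call inside `@protobufjs/inquire`. It applies the CSP rule that `script-src` governs eval and falls back to `default-src` only when `script-src` is absent; the header strings in the comments are constructed samples.

```javascript
// Parse a CSP header value into { directiveName: [sourceExpressions...] }.
// Per the CSP spec, the first occurrence of a directive wins; duplicates are ignored.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = values;
  }
  return policy;
}

// Decide whether eval()/new Function() may run under this policy.
// eval is governed by script-src; if script-src is missing, default-src applies;
// if neither is present, nothing restricts eval. In every governed case the
// source list must contain the 'unsafe-eval' keyword.
function evalAllowed(header) {
  const policy = parseCsp(header);
  let directive = null;
  if ("script-src" in policy) directive = "script-src";
  else if ("default-src" in policy) directive = "default-src";
  if (directive === null) return { allowed: true, directive: null };
  const allowed = policy[directive].some(v => v.toLowerCase() === "'unsafe-eval'");
  return { allowed, directive };
}

// Convenience wrapper for the specific question in this issue: does loading
// protobuf.js (with @protobufjs/inquire's eval) require weakening this policy?
function inquireNeedsUnsafeEval(header) {
  return !evalAllowed(header).allowed;
}

// Constructed sample policies:
//   "default-src 'self'"                         -> eval blocked (the "default" CSP in the issue title)
//   "default-src 'self'; script-src 'self' 'unsafe-eval'" -> eval allowed via script-src
//   "default-src 'self' 'unsafe-eval'; script-src 'self'" -> eval blocked: script-src overrides default-src
//   "img-src 'self'"                             -> eval allowed: no governing directive
```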

@LancerComet

I've replaced protobuf.js with https://github.com/mapbox/pbf

@p3v9d5ui

p3v9d5ui commented Sep 4, 2024

Any update on this? This issue has been open for 6 years now! Being incompatible with a safe script-src CSP policy is becoming more and more unacceptable.

kantuni added a commit to streamlit/streamlit that referenced this issue Oct 26, 2024

## Describe your changes

This PR blocks the use of `eval` in a browser environment. Please see
[this](https://docs.google.com/document/d/1g-fczG7eV5CIIUDd5pnwvGkUn-SLf2vMZeBk9qj1Yk4/)
spec for more info on why we need to remove it.

This PR adds 2 packages:
[patch-package](https://www.npmjs.com/package/patch-package) and
[postinstall-postinstall](https://www.npmjs.com/package/postinstall-postinstall).
The first one is used to patch `@protobufjs/inquire` which includes the
`eval` (see protobufjs/protobuf.js#997 and
protobufjs/protobuf.js#1548), and the second one
is used to call `postinstall` on `yarn remove` as Yarn v1 only calls it
on `yarn install` and `yarn add`.

## GitHub Issue Link (if applicable)

[SNOW-1554237](https://snowflakecomputing.atlassian.net/browse/SNOW-1554237)

## Testing Plan

- No tests required as there are no implementation changes.

---

**Contribution License Agreement**

By submitting this pull request you agree that all contributions to this
project are made under the Apache 2.0 license.