From e81c6ee616f857ade4bf34bded854b2ab3b26523 Mon Sep 17 00:00:00 2001
From: Daniel Tschinder
Date: Fri, 20 Oct 2017 15:14:41 +0200
Subject: [PATCH 1/4] deps(package): Update static-eval to 2.0
Fixes https://nodesecurity.io/advisories/548
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 1c2c3e4..fb06a40 100644
--- a/package.json
+++ b/package.json
@@ -13,7 +13,7 @@
 "quote-stream": "~1.0.2",
 "readable-stream": "~2.3.3",
 "shallow-copy": "~0.0.1",
- "static-eval": "~0.2.0",
+ "static-eval": "^2.0.0",
 "through2": "~2.0.3"
 },
 "devDependencies": {
From a0de110090ab264a89ce2f0b8041a5d71eac7339 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9e=20Kooi?=
Date: Sat, 18 Nov 2017 23:45:27 +0100
Subject: [PATCH 2/4] use proxy value for callbacks when static-eval fails
builds on #35, but when static-eval cannot evaluate a callback function because it is unsafe, this passes a proxy value. when the proxy callback function is called, it throws an error, but when it is stringified (eg in the generated output) it'll work. this works with brfs, i haven't tried others yet.
---
 index.js | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index a4c4435..41047b5 100644
--- a/index.js
+++ b/index.js
@@ -287,8 +287,29 @@ module.exports = function parse (modules, opts) {
 var xvars = copy(vars);
 xvars[node.name] = val;
-
+
 var res = evaluate(cur, xvars);
+ if (res === undefined && cur.type === 'CallExpression') {
+ // static-eval can't safely evaluate code with callbacks, so do it manually in a safe way
+ var callee = evaluate(cur.callee, xvars);
+ var args = cur.arguments.map(function (arg) {
+ // Return a function stub for callbacks so that `static-module` users
+ // can do `callback.toString()` and get the original source
+ if (arg.type === 'FunctionExpression' || arg.type === 'ArrowFunctionExpression') {
+ var fn = function () {
+ throw new Error('static-module: cannot call callbacks defined inside source code');
+ };
+ fn.toString = function () {
+ return body.slice(arg.start, arg.end);
+ };
+ return fn;
+ }
+ return evaluate(arg, xvars);
+ });
+
+ res = callee.apply(null, args)
+ }
+
 if (res !== undefined) {
 updates.push({
 start: cur.start,
From aa160fd6b4bc485f2a1858b6b8a00bd57365ae6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9e=20Kooi?=
Date: Sat, 18 Nov 2017 23:51:27 +0100
Subject: [PATCH 3/4] make sure `callee` exists
---
 index.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 41047b5..577984c 100644
--- a/index.js
+++ b/index.js
@@ -307,7 +307,9 @@ module.exports = function parse (modules, opts) {
 return evaluate(arg, xvars);
 });
- res = callee.apply(null, args)
+ if (callee !== undefined) {
+ res = callee.apply(null, args);
+ }
 }
 if (res !== undefined) {
From 4eecda95335ba8b721e9be0bc06b3712b59786b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9e=20Kooi?=
Date: Sun, 19 Nov 2017 00:01:34 +0100
Subject: [PATCH 4/4] ci: remove node 0.8, add new versions
---
 .travis.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index cc4dba2..4e78449 100644
--- a/.travis.yml
+++ b/.travis.yml
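Review bot: The fallback at `res = callee.apply(null, args)` runs the module's function for every CallExpression that static-eval gave up on, not only those that carry a callback; when the reason was an argument static-eval could not resolve, `return evaluate(arg, xvars)` yields `undefined` and the callee is executed at transform time with that hole in its argument list, whereas before this change such an expression was simply left in the output untouched. Tracking whether any non-function argument failed to evaluate, using the same undefined-means-failed convention the hunk already relies on for `res`, and skipping the call in that case restores the old behaviour for those expressions. `apply(null, …)` also drops the receiver for a member-expression callee such as `obj.method(cb)`; evaluating `cur.callee.object` and passing it as `this` would keep it, if the module objects handed to static-module depend on it, which I cannot tell from this hunk. The enclosing `parse` function continues outside the hunk on both sides.
```javascript
var callee = evaluate(cur.callee, xvars);
// a method call keeps its receiver as `this`; a plain call passes null as before
var thisArg = cur.callee.type === 'MemberExpression'
    ? evaluate(cur.callee.object, xvars)
    : null;
var unresolved = false;
var args = cur.arguments.map(function (arg) {
    // … unchanged: function-expression stub with toString …
    var value = evaluate(arg, xvars);
    // same undefined-means-failed convention used for `res` above
    if (value === undefined) unresolved = true;
    return value;
});

// leave the expression untouched when an argument could not be resolved, as before
if (!unresolved) {
    res = callee.apply(thisArg, args);
}
```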
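Review bot: `if (callee !== undefined)` only covers the case where static-eval could not resolve the callee at all; it can equally resolve `cur.callee` to a non-function value (a string, number or plain property of one of the supplied module objects), and `callee.apply` then throws a TypeError that propagates out of the transform instead of leaving the expression unmodified. Checking the type instead, `if (typeof callee === 'function') {`, handles both cases with the same line. The enclosing `parse` function continues outside the hunk on both sides.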
@@ -1,4 +1,7 @@
 language: node_js
 node_js:
- - "0.8"
+ - 9
+ - 8
+ - 6
+ - 4
 - "0.10"