kitten.sh / evalish
Mirror: A maybe slightly safer-ish wrapper around eval Function constructors
fork atom

Readd global proxy wrapper

kitten.sh e6bf2185 3ebcce8e

options
unified split
Changed files
+25 -3
src
index.ts
+25 -3
src/index.ts
··· 25 const _getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor; 26 const _defineProperty = Object.defineProperty; 27 const _create = Object.create; 28 29 type Object = Record<string | symbol, unknown>; 30 ··· 75 if (new.target === undefined) { 76 return target.apply(this, arguments); 77 } else { 78 - return new (target.bind.apply(target, arguments)); 79 } 80 }) 81 : _create(null); ··· 131 standin.prototype = _create(null); 132 } 133 134 - return freeze(standin); 135 } 136 137 let safeGlobal: Record<string | symbol, unknown> | void; ··· 208 209 // Lastly, we also disallow certain property accesses on the safe global 210 // Wrap any given target with a Proxy preventing access to unscopables 211 - return freeze(safeGlobal!); 212 } 213 214 interface SafeFunction {
··· 25 const _getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor; 26 const _defineProperty = Object.defineProperty; 27 const _create = Object.create; 28 + const _slice = Array.prototype.slice; 29 30 type Object = Record<string | symbol, unknown>; 31 ··· 76 if (new.target === undefined) { 77 return target.apply(this, arguments); 78 } else { 79 + const args = _slice.call(arguments); 80 + args.unshift(null); 81 + return new (target.bind.apply(target, args)); 82 } 83 }) 84 : _create(null); ··· 134 standin.prototype = _create(null); 135 } 136 137 + return toplevel ? standin : freeze(standin); 138 } 139 140 let safeGlobal: Record<string | symbol, unknown> | void; ··· 211 212 // Lastly, we also disallow certain property accesses on the safe global 213 // Wrap any given target with a Proxy preventing access to unscopables 214 + if (typeof Proxy === 'function') { 215 + // Wrap the target in a Proxy that disallows access to some keys 216 + return (safeGlobal = new Proxy(safeGlobal!, { 217 + // Return a value, if it's allowed to be returned and mask this value 218 + get(target, _key) { 219 + const key = safeKey(target, _key); 220 + return !ignore[_key] && key !== undefined ? target[key] : undefined; 221 + }, 222 + has(_target, _key) { 223 + return true; 224 + }, 225 + set: noop, 226 + deleteProperty: noop, 227 + defineProperty: noop, 228 + getOwnPropertyDescriptor: noop, 229 + })); 230 + } else { 231 + // NOTE: Some property accesses may leak through here without the Proxy 232 + return freeze(safeGlobal!); 233 + } 234 } 235 236 interface SafeFunction {