nv-vali-is-safe-func-code
- nv-vali-is-safe-func-code
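- Statically checks whether the source string of a function or arrow function received from a remote party is safe to pass to eval. A passing result only means that none of the checks shown below fired; it does not sandbox the code, so evaluate accepted functions with least privilege.
- Intended for use on a Node.js server.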
- npm install nv-vali-is-safe-func-code
const {verify} = require("nv-vali-is-safe-func-code");
// Example 1: a denied identifier used inside a nested arrow function.
// The snippet references `fs` from an arrow function nested in remote_func;
// the result below shows the reference is still reported.
var cd =`
function remote_func() {
()=>{
fs.writeFileSync("a.tst","xxx")
}
}
`
/*
Result shape, as printed below: a two-element array holding a boolean verdict
(false = rejected) and an _E object describing the finding, with its
start/end position, a `reason` string and the offending source text in `code`.
Here the reason is 'id_name_in_blacklist' and the text is 'fs', i.e. the
rejection is based on the identifier's name.

NOTE(review): columns 8-10 imply the snippet was indented when this output
was captured; that indentation is not present in this listing.

verify(cd)
[
false,
_E {
start: Position { line: 4, column: 8 },
end: Position { line: 4, column: 10 },
reason: 'id_name_in_blacklist',
code: 'fs'
}
]
*/
// Example 2: a denied identifier inside try/catch.
// The snippet calls require() and discards any runtime error in an empty
// catch block; the check reports the `require` identifier regardless.
var cd =`
function remote_func() {
try {
require("xxxxx")
} catch(e) {
}
}
`
/*
Rejected with reason 'id_name_in_blacklist' and code 'require'. The reported
span (line 4, columns 5-12) covers the identifier only, not the call or its
string argument.

NOTE(review): the column values imply the snippet was indented when this
output was captured; that indentation is not present in this listing.

verify(cd)
[
false,
_E {
start: Position { line: 4, column: 5 },
end: Position { line: 4, column: 12 },
reason: 'id_name_in_blacklist',
code: 'require'
}
]
*/
// Example 3: an import declaration placed inside the function body.
// This one is rejected by syntax-node type rather than by identifier name.
var cd =`
function remote_func() {
import * as lib from "xxx"
}
`
/*
Rejected with reason 'ast_type_in_blacklist'. The reported text is '* as lib',
the namespace-specifier part of the import; presumably this matches the
'ImportNamespaceSpecifier' entry of AST_TYPE_BLACKLIST (confirm against the
package source).

NOTE(review): the column values imply the snippet was indented when this
output was captured; that indentation is not present in this listing.

verify(cd)
[
false,
_E {
start: Position { line: 3, column: 12 },
end: Position { line: 3, column: 20 },
reason: 'ast_type_in_blacklist',
code: '* as lib'
}
]
*/
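// Example 4: a free identifier with no binding.
// `XXXX` is read but never declared inside the snippet.
var cd =`
function remote_func() {
let b = XXXX;
b.send();
}
`
/*
Rejected with reason 'have_no_binding' and code 'XXXX'. Presumably an
identifier is reported this way when it is neither declared in the snippet
nor listed in GLOBAL_WHITE_LIST (confirm against the package source).

NOTE(review): the column values imply the snippet was indented when this
output was captured; that indentation is not present in this listing.

verify(cd)
[
false,
_E {
start: Position { line: 3, column: 13 },
end: Position { line: 3, column: 17 },
reason: 'have_no_binding',
code: 'XXXX'
}
]
*/

/*
Module exports, as printed for the object returned by
require("nv-vali-is-safe-func-code").

Reading notes for anyone relying on this check:
- ERRORS lists four reason strings. The examples on this page show three of
  them; 'must_be_function_or_arrow_function' is not demonstrated.
- ID_BLACKLIST is printed as Set(48) but 49 names are listed below, so this
  dump may not match the installed version. Inspect the exported set of the
  version you actually deploy.
- ID_BLACKLIST mixes Node core module names, global objects, timer functions
  and property names (constructor, prototype, __proto__, ...). It is a deny
  list of names: coverage is only as complete as its entries.
- AST_TYPE_BLACKLIST rejects throw and debugger statements and the
  import/export node types.
- GLOBAL_WHITE_LIST is broad: it contains reflection-capable built-ins
  (Object, Reflect, Proxy) and several Node core module names (crypto,
  stream, zlib, util, events, path, url, ...). Review which of these the
  scope that evaluates accepted code really needs to expose.
- Whether mutating these exported sets changes what verify() accepts is not
  shown on this page.
- The check is static. It does not limit what accepted code does at run
  time (CPU time, memory, objects reachable from its arguments), so evaluate
  accepted functions in an isolated, least-privileged process with time and
  memory limits.

{
verify: [Function: verify],
ERRORS: Error(4) {
'must_be_function_or_arrow_function',
'ast_type_in_blacklist',
'id_name_in_blacklist',
'have_no_binding'
},
ID_BLACKLIST: Set(48) {
'fs',
'os',
'module',
'sys',
'require',
'import',
'timers',
'eval',
'Function',
'process',
'global',
'globalThis',
'window',
'constructor',
'prototype',
'__proto__',
'getPrototypeOf',
'setPrototypeOf',
'deleteProperty',
'setImmediate',
'setTimeout',
'setInterval',
'v8',
'vm',
'Atomics',
'Buffer',
'buffer',
'SharedArrayBuffer',
'WebAssembly',
'wasi',
'async_hooks',
'child_process',
'cluster',
'console',
'readline',
'repl',
'dgram',
'dns',
'inspector',
'http',
'http2',
'https',
'net',
'tls',
'tty',
'perf_hooks',
'worker_threads',
'trace_events',
'domain'
},
AST_TYPE_BLACKLIST: BlackAstType(22) {
'ThrowStatement',
'DebuggerStatement',
'V8IntrinsicIdentifier',
'TSExportAssignment',
'TSNamespaceExportDeclaration',
'DeclareModuleExports',
'DeclareExportDeclaration',
'DeclareExportAllDeclaration',
'ExportAllDeclaration',
'ExportDefaultDeclaration',
'ExportDefaultSpecifier',
'ExportNamedDeclaration',
'ExportNamespaceSpecifier',
'ExportSpecifier',
'ImportAttribute',
'ImportDeclaration',
'ImportDefaultSpecifier',
'Import',
'ImportNamespaceSpecifier',
'ImportSpecifier',
'TSImportEqualsDeclaration',
'TSImportType'
},
GLOBAL_WHITE_LIST: GlobalPermit(80) {
'AbortController',
'AbortSignal',
'AggregateError',
'Array',
'ArrayBuffer',
'BigInt',
'BigInt64Array',
'BigUint64Array',
'Boolean',
'DataView',
'Date',
'Error',
'EvalError',
'Event',
'EventTarget',
'FinalizationRegistry',
'Float32Array',
'Float64Array',
'Int16Array',
'Int32Array',
'Int8Array',
'Intl',
'JSON',
'Map',
'Math',
'MessageChannel',
'MessageEvent',
'MessagePort',
'Number',
'Object',
'Promise',
'Proxy',
'RangeError',
'ReferenceError',
'Reflect',
'RegExp',
'Set',
'String',
'Symbol',
'SyntaxError',
'TextDecoder',
'TextEncoder',
'TypeError',
'URIError',
'URL',
'URLSearchParams',
'Uint16Array',
'Uint32Array',
'Uint8Array',
'Uint8ClampedArray',
'WeakMap',
'WeakRef',
'WeakSet',
'_error',
'assert',
'atob',
'btoa',
'constants',
'crypto',
'decodeURI',
'decodeURIComponent',
'encodeURI',
'encodeURIComponent',
'escape',
'events',
'isFinite',
'isNaN',
'parseFloat',
'parseInt',
'path',
'performance',
'punycode',
'querystring',
'queueMicrotask',
'stream',
'string_decoder',
'unescape',
'url',
'util',
'zlib'
}
}
*/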