From 5e8213d45ff0fa3390e4871095e381eb6afb4537 Mon Sep 17 00:00:00 2001 From: Nathan Sobo Date: Wed, 5 Mar 2014 09:57:08 -0700 Subject: [PATCH] Add atom.allowUnsafeEval loophole and disable unsafe-eval again With Node.js baked in, there's no water-tight way to prevent users from evaluating code at runtime, at least with CSP alone. This is because node exposes a 'vm' module that allows scripts to be compiled. There's also `module._compile`, etc. I think a reasonable compromise is to protect users from eval'ing code by accident. This commit adds an atom.allowUnsafeEval method which re-enables eval in the dynamic scope of the given function. I then use this to compile the keystroke grammar which saves us the complexity of pre-compiling it during specs. What do people think? --- src/atom.coffee | 9 +++++++++ src/key-binding.coffee | 2 +- static/index.html | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/atom.coffee b/src/atom.coffee index e85bbb120..b831b69c9 100644 --- a/src/atom.coffee +++ b/src/atom.coffee @@ -1,3 +1,4 @@ +vm = require 'vm' crypto = require 'crypto' ipc = require 'ipc' keytar = require 'keytar' @@ -527,3 +528,11 @@ class Atom extends Model delete window[key] else window[key] = value + + allowUnsafeEval: (fn) -> + oldEval = global.eval + try + global.eval = (source) -> vm.runInThisContext(source) + fn() + finally + global.eval = oldEval diff --git a/src/key-binding.coffee b/src/key-binding.coffee index 46b359858..57fbf4fcb 100644 --- a/src/key-binding.coffee +++ b/src/key-binding.coffee @@ -31,7 +31,7 @@ class KeyBinding catch keystrokePattern = fs.readFileSync(require.resolve('./keystroke-pattern.pegjs'), 'utf8') PEG = require 'pegjs' - @parser = PEG.buildParser(keystrokePattern) + atom.allowUnsafeEval => @parser = PEG.buildParser(keystrokePattern) @parser.parse(keystroke) diff --git a/static/index.html b/static/index.html index 71fade746..5559058dc 100644 --- a/static/index.html +++ b/static/index.html @@ -3,7 +3,7 @@ - +