Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Published version of netlify-cms using eval()s #4367

Closed
stramel opened this issue Sep 26, 2020 · 2 comments
Closed

Published version of netlify-cms using eval()s #4367

stramel opened this issue Sep 26, 2020 · 2 comments
Labels
area: 3rd party dependencies type: bug code to address defects in shipped code type: security code to address security issues

Comments

@stramel
Copy link

stramel commented Sep 26, 2020
edited
Loading

Describe the bug

netlify-cms is utilizing eval() in the published code. Usage of eval() is generally frowned upon. It also doesn't seem like eval() is necessary in the majority of its usages.

I noticed one usage of eval(str) which is also frowned upon. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Never_use_eval!

To Reproduce

  1. Go to https://unpkg.com/netlify-cms@2.10.60/dist/netlify-cms.js
  2. Search for eval(

Usages:

  • const utilInspect=eval("require('util').inspect")
  • eval(str)
  • var crypto=eval("require('crypto')"),Buffer=eval("require('buffer').Buffer")

Expected behavior

No eval()s to exist in production code.

Applicable Versions:

  • Netlify CMS version: 2.10.60
  • Git provider: GitHub
  • OS: MacOS X
  • Browser version Chrome 85
  • Node.JS version: 12.13.0
@stramel stramel added the type: bug code to address defects in shipped code label Sep 26, 2020
@erezrokah
Copy link
Contributor

Thanks for raising this @stramel.

Looks like:

  • const utilInspect=eval("require('util').inspect")

Is coming from https://github.com/iarna/iarna-toml/blob/1374bf2f151aa23e32fecadceb49d4411c9b7adf/lib/toml-parser.js#L178

  • eval(str)

Is coming from https://github.com/jonschlinkert/gray-matter/blob/8a22958e0afd4b2e09c705becec1c35e76c4f0ee/lib/engines.js#L43

  • var crypto=eval("require('crypto')"),Buffer=eval("require('buffer').Buffer")

Is coming from https://github.com/emn178/js-sha256/blob/189bb9b03782b80e59516dfbea78f16b5d9754ce/src/sha256.js#L83

Since we're not using the JavaScript parser by gray-matter do you see any potential issues here?

@erezrokah erezrokah added area: 3rd party dependencies type: security code to address security issues labels Sep 28, 2020
@stramel
Copy link
Author

stramel commented Oct 7, 2020

Ah, yeah. Probably no issue here with it. I will see if I can bring it up with other packages to remove the usages. Thank you for looking into it.

@stramel stramel closed this as completed Oct 7, 2020
@stramel stramel mentioned this issue Oct 7, 2020
Closed
@erezrokah erezrokah mentioned this issue Oct 27, 2021
Open
@erezrokah erezrokah mentioned this issue Nov 19, 2021
Draft
4 tasks
@taras taras mentioned this issue Jan 10, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: 3rd party dependencies type: bug code to address defects in shipped code type: security code to address security issues
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stramel @erezrokah