RE: Proposal: safeEval

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

RE: Proposal: safeEval

doodad-js Admin

But I doubt it can be full proof without runtime’s help.

 

I found a way: AST filtering with rewriting. So that “obj[key]” will get rewritten to “safeEval.get(obj, key)”. That is now part of my TODO list for “@doodad-js/safeeval”. For the moment, I block the dynamic property accessor operator (“obj[key]”), and the rewriting must be manual.

 

Claude

 

 

From: doodad-js Admin <[hidden email]>
Sent: Friday, June 22, 2018 7:29 PM
To: [hidden email]
Cc: 'Isiah Meadows' <[hidden email]>; 'es-discuss' <[hidden email]>
Subject: RE: FW: Proposal: safeEval

 

For the last time, why do you believe opcode filtering can?

 

Because, at my knowledge, AST filtering is more subject to break than “opcode” filtering. If that’s not the case, please help me to provide a better “safeEval” by reporting issues of my library directly to me. But I doubt it can be full proof without runtime’s help.

 

Claude

 

 

From: Mike Samuel <[hidden email]>
Sent: Friday, June 22, 2018 6:53 PM
To: doodad-js Admin <[hidden email]>
Cc: Isiah Meadows <[hidden email]>; es-discuss <[hidden email]>
Subject: Re: FW: Proposal: safeEval

 

 

On Fri, Jun 22, 2018, 6:51 PM doodad-js Admin <[hidden email]> wrote:

This is silly.  I can want these without wanting them built using substandard tools.

 

That’s the point why I bring it to ES. Nothing on the “user land” can provide something reliable, apart a complete JS runtime library compiled to “WASM” or “asm.js”. And... that’s silly.

 

For the last time, why do you believe opcode filtering can?

 

 

Virus-free. www.avg.com

 


_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss