echarts-gl

Content Security Policy (CSP) issues with new Function(...)

Open michael98123 opened this issue 3 years ago • 2 comments

The usage of "new Function()" requires relaxing the CSP to include 'unsafe-eval'.

code:

function tryConvertExpr(string) {
    // PENDING
    // Matches strings of the form expr(<body>) and captures <body>.
    var exprRes = /^expr\((.*)\)$/.exec(string);
    if (exprRes) {
        try {
            // Compiles <body> as JavaScript via the Function constructor.
            // Under a CSP script-src without 'unsafe-eval' the browser refuses this call.
            var func = new Function('width', 'height', 'dpr', 'return ' + exprRes[1]);
            // Run it once with dummy width/height so a syntactically invalid expression fails here
            func(1, 1);

            return func;
        }
        catch (e) {
            throw new Error('Invalid expression.');
        }
    }
}

Please replace the usage(s) of new Function with safer methods

michael98123 avatar Nov 28 '22 13:11 michael98123
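As an added example, not code from the issue or from the echarts-gl/claygl projects, here is one CSP-safe way to replace the `new Function` pattern quoted above. It assumes (the page does not say) that the `expr(...)` bodies are plain arithmetic over the identifiers `width`, `height` and `dpr` with `+ - * /`, unary minus and parentheses; a small tokenizer and recursive-descent parser build a closure tree instead of compiling a string, so no eval-like primitive is needed and anything outside that grammar (method calls, property access, other identifiers) is rejected up front. The name `tryConvertExprSafe` is hypothetical.

```javascript
// Added example: CSP-safe replacement for claygl-style expr(...) strings.
// Assumption (not stated on the page): bodies are arithmetic over width/height/dpr.

// One token per match: a number, one of the three allowed identifiers, or an operator.
// The sticky flag (y) makes each match start exactly at lastIndex, so nothing is skipped.
const TOKEN_RE = /\s*(?:(\d+(?:\.\d+)?|\.\d+)|(width|height|dpr)|([-+*/()]))/y;

function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (!m) {
      // Only trailing whitespace may remain; any other character is outside the grammar.
      if (/^\s*$/.test(src.slice(pos))) break;
      throw new Error('Invalid expression.');
    }
    pos = TOKEN_RE.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: 'num', value: parseFloat(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

// Recursive-descent parser. Each production returns a closure (env) => number,
// so the result is an ordinary function that never touches eval or Function.
function parseExpression(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const peekOp = (...ops) => peek() && peek().type === 'op' && ops.includes(peek().value);
  const expectOp = (op) => {
    const t = next();
    if (!t || t.type !== 'op' || t.value !== op) throw new Error('Invalid expression.');
  };

  // expr := term (('+' | '-') term)*
  function expr() {
    let left = term();
    while (peekOp('+', '-')) {
      const op = next().value;
      const l = left, r = term();
      left = op === '+' ? (env) => l(env) + r(env) : (env) => l(env) - r(env);
    }
    return left;
  }

  // term := factor (('*' | '/') factor)*
  function term() {
    let left = factor();
    while (peekOp('*', '/')) {
      const op = next().value;
      const l = left, r = factor();
      left = op === '*' ? (env) => l(env) * r(env) : (env) => l(env) / r(env);
    }
    return left;
  }

  // factor := number | identifier | '(' expr ')' | '-' factor
  function factor() {
    const t = next();
    if (!t) throw new Error('Invalid expression.');
    if (t.type === 'num') { const v = t.value; return () => v; }
    if (t.type === 'id') { const name = t.value; return (env) => env[name]; }
    if (t.type === 'op' && t.value === '(') { const inner = expr(); expectOp(')'); return inner; }
    if (t.type === 'op' && t.value === '-') { const inner = factor(); return (env) => -inner(env); }
    throw new Error('Invalid expression.');
  }

  const fn = expr();
  if (i !== tokens.length) throw new Error('Invalid expression.'); // leftover tokens
  return fn;
}

// Same contract as the original tryConvertExpr: undefined for non-expr strings,
// a (width, height, dpr) => number function for valid ones, a throw otherwise.
function tryConvertExprSafe(string) {
  const exprRes = /^expr\((.*)\)$/.exec(string);
  if (!exprRes) return undefined;
  const tokens = tokenize(exprRes[1]);
  if (tokens.length === 0) throw new Error('Invalid expression.');
  const evaluate = parseExpression(tokens);
  return function (width, height, dpr) {
    return evaluate({ width, height, dpr });
  };
}

// Usage: tryConvertExprSafe('expr(width * 0.5)')(800, 600, 2) evaluates to 400,
// while tryConvertExprSafe('expr(alert(1))') throws 'Invalid expression.'.
```

Because the parser only ever produces closures over its own environment object, a string such as `expr(width.constructor)` or `expr(alert(1))` fails at tokenization rather than reaching anything with access to the page, and the code runs unchanged under a `script-src` policy that omits `'unsafe-eval'`. Where a library needs richer expressions than this grammar, the same approach scales by adding productions; what must not come back is string-to-code compilation.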

Ditto. This is a security issue and blocker for us.

setvik avatar Oct 04 '23 16:10 setvik

Update: the code is actually in a dependency of echarts-gl, claygl.

The insecure code is here: https://github.com/pissang/claygl/blob/master/src/createCompositor.js#L294

Related issue in that repository is here: https://github.com/pissang/claygl/issues/133

setvik avatar Oct 05 '23 03:10 setvik