isolated-vm

Disable completely code generation from strings?

Open • QuiiBz opened this issue 1 year ago • 1 comment

Thanks for creating this amazing library. I wonder how we can disable completely code generation from strings?

It's disabled by default here: https://github.com/laverdet/isolated-vm/blob/19b3624b962c13526f78949fd8a6391895a9463d/src/isolate/environment.cc#L482

But then is allowed in the CodeGenCallback: https://github.com/laverdet/isolated-vm/blob/19b3624b962c13526f78949fd8a6391895a9463d/src/isolate/environment.cc#L128

I don't really understand why the above is set to true, which allows executing code within eval(), new Function(), ... Shouldn't it be set to false instead? Initially found in https://github.com/lagonapp/lagon/pull/84

QuiiBz, Jul 15 '22 07:07

We use the callback and the flag as a means to prevent OOM memory crashes, rather than as a hardening feature.

laverdet, Aug 16 '22 04:08
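What V8's per-context "code generation from strings" switch does when the embedder honours it, as an added example that is not from this thread and is not isolated-vm code. It uses Node's built-in `vm` module and its `codeGeneration.strings` option as a stand-in for the flag discussed above; the probe names are made up for illustration.

```javascript
// Added example: Node's built-in vm module, not isolated-vm.
const vm = require('node:vm');

// Every route inside the context that turns a string into code.
const PROBES = {
  eval: "eval('1 + 1')",
  newFunction: "new Function('return 1 + 1')()",
  // Reaches the Function constructor without naming the global, so
  // deleting or shadowing `eval` and `Function` would not cover it.
  constructorProperty: "(function () {}).constructor('return 1 + 1')()",
};

// Runs each probe in a fresh context and records 'allowed' or the error name.
function probeContext(allowStrings) {
  const results = {};
  for (const [name, source] of Object.entries(PROBES)) {
    const context = vm.createContext({}, {
      codeGeneration: { strings: allowStrings, wasm: false },
    });
    try {
      vm.runInContext(source, context, { timeout: 100 });
      results[name] = 'allowed';
    } catch (err) {
      // The error object comes from the other context, so compare by
      // name rather than with instanceof.
      results[name] = err.name;
    }
  }
  return results;
}

console.log('strings: true ', probeContext(true));
console.log('strings: false', probeContext(false));
```

With the switch off, all three routes are refused by the engine itself, which is the behaviour the question expects; per the maintainer's reply, isolated-vm's callback re-allows them because it uses the hook for memory accounting rather than hardening.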