
'unsafe-eval' causes security issues

Open roper79 opened this issue 2 years ago • 4 comments

Google Chrome Extension Manifest V3 does not allow unsafe-eval any more, which currently prevents using peggy.

The problematic line reported is https://github.com/peggyjs/peggy/blob/244029be7d8a693ef0b1dd90fc4c14ace2bba4ea/lib/compiler/index.js#L113 (not sure if there are other places like that).

roper79 avatar Jun 08 '22 09:06 roper79

Writing down my notes here as I research this. If anyone has a path forward to recommend, or is willing to send a PR, we can prioritize the work to get it released. In the meantime, you'll have to watch me struggle. :)

In your use cases, can you pre-compile the grammar? The output of generate doesn't have an eval in it.

If not, we'll have to get a little creative. References:

I was able to recreate this by adding:

<meta http-equiv="Content-Security-Policy" content="script-src https://unpkg.com/ 'self' 'unsafe-inline'">

into the header of docs/online.html.

It looks like the presence of an eval statement isn't an issue, which means we don't need a special build.

A Sandbox is probably the correct way to go about this. Maybe we could create a generic sandbox, pass the grammar to it as a string with an identifier, have the sandbox generate and eval the result, then allow calling the parse function by identifier. You'd be limited in the types that you could return to things that would survive postMessage.

hildjj avatar Jun 08 '22 15:06 hildjj
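The last sentence of the comment above is the design constraint that decides what a sandboxed parser can hand back: browsers serialize postMessage payloads with the structured clone algorithm, so a parse result that contains functions does not cross at all, and class instances arrive as plain objects with their prototype chain stripped. The following is an added example, not code from the peggy project or from this thread; it uses Node's global structuredClone(), which implements the same algorithm, as an offline stand-in for the postMessage boundary. The Node class and the three sample trees are constructed for the example and do not come from any real grammar.

```javascript
// Added example (not from peggy): probe which parser results survive a
// structured-clone boundary such as postMessage between a page and a sandbox.

// A minimal AST node class, standing in for what a grammar action might build.
// Constructed for this example.
class Node {
  constructor(type, children) {
    this.type = type;
    this.children = children;
  }
  describe() {
    return `${this.type}(${this.children.length})`;
  }
}

// Walk the original and its clone side by side and report every object whose
// prototype changed in transit (class instances become plain objects; arrays,
// Dates, Maps and Sets keep their kind). Returns a list of "path: from -> to".
function lostPrototypes(original, cloned, path = "$") {
  if (original === null || typeof original !== "object") return [];
  const lost = [];
  const origProto = Object.getPrototypeOf(original);
  const cloneProto = Object.getPrototypeOf(cloned);
  if (origProto !== cloneProto) {
    const name = (p) => (p && p.constructor ? p.constructor.name : "null");
    lost.push(`${path}: ${name(origProto)} -> ${name(cloneProto)}`);
  }
  for (const key of Object.keys(original)) {
    lost.push(...lostPrototypes(original[key], cloned[key], `${path}.${key}`));
  }
  return lost;
}

// Try to push `value` across the boundary.
//   { ok: false, reason }        -> the clone threw (functions, symbols, ...)
//   { ok: true, value, lost }    -> it crossed; `lost` lists stripped prototypes
function crossBoundary(value) {
  let cloned;
  try {
    cloned = structuredClone(value);
  } catch (err) {
    return { ok: false, reason: err.name };
  }
  return { ok: true, value: cloned, lost: lostPrototypes(value, cloned) };
}

// Three constructed parse results, from safest to unusable.
// 1. Plain data: strings, numbers, arrays and object literals only.
const plainAst = {
  type: "sum",
  terms: [1, 2, 3],
  location: { start: { line: 1, column: 1 } },
};
// 2. Same tree, but each node is a class instance carrying a method.
const classAst = new Node("sum", [new Node("num", []), new Node("num", [])]);
// 3. A node that carries a closure (for instance a deferred action).
const closureAst = { type: "sum", evaluate: () => 6 };

// Summarize all three so the outcome can be inspected or asserted on.
function summarize() {
  const out = {};
  for (const [name, ast] of Object.entries({ plainAst, classAst, closureAst })) {
    const r = crossBoundary(ast);
    out[name] = r.ok ? { ok: true, lost: r.lost } : { ok: false, reason: r.reason };
  }
  return out;
}

console.log(JSON.stringify(summarize(), null, 2));
```

The practical consequence for the sandbox design sketched above is that grammar actions feeding a sandboxed parser should return plain JSON-like data; anything that relies on methods or closures has to be reconstructed on the receiving side from that data.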

Actually, in my case, pre-compiling the grammar solved the issue!

Thanks for your swift and effective help, @hildjj!!! I leave to your consideration if the ticket should be closed now.

roper79 avatar Jun 11 '22 15:06 roper79

I want to leave the ticket open, since it's an interesting problem. We'll just move its priority down since you're up and running.

hildjj avatar Jun 11 '22 15:06 hildjj

BTW, this only shows this feature should have never been there. I'd remove that option in a major version.

If a user of the library wants to evaluate it immediately, it's no problem to run with source output and do an eval. It's only 6 more characters to type.

reverofevil avatar Jun 19 '22 20:06 reverofevil

After having thought about this more, I'm going to close this as not-planned. Anyone who is using Peggy in a secure environment should pre-compile their grammars.

hildjj avatar Mar 01 '23 16:03 hildjj
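Pre-compiling the grammar removes the runtime eval, but the bundle that ends up in a Manifest V3 extension is only as clean as its last build, and a dependency or a later refactor can reintroduce dynamic code evaluation. The following is an added example, not code from peggy or from this thread: a small build-time scanner that flags eval(), the Function constructor and string arguments to setTimeout/setInterval in a JavaScript bundle, so a CI step can reject the bundle before it is packaged. It strips comments and string bodies first so that mentions like "no eval here" do not trigger it. The two sample sources are constructed stand-ins and are not real peggy output. The check is a heuristic that a determined obfuscation would evade; the CSP itself remains the enforcement point.

```javascript
// Added example (not from peggy): flag runtime code evaluation in a bundle
// destined for a Manifest V3 extension, where 'unsafe-eval' is not allowed.

const DYNAMIC_CODE_PATTERNS = [
  { name: "eval", re: /\beval\s*\(/ },
  // `new Function(` and bare `Function(`, but not `myFunction(` or `x.Function(`
  { name: "Function constructor", re: /(?<![\w.$])Function\s*\(/ },
  { name: "setTimeout with string", re: /\bsetTimeout\s*\(\s*["'`]/ },
  { name: "setInterval with string", re: /\bsetInterval\s*\(\s*["'`]/ },
];

// Blank out comment text and the bodies of string literals while keeping line
// breaks and the quote characters, so line numbers stay accurate and the
// "string argument to setTimeout" pattern can still see the opening quote.
// Regex literals are not special-cased; this is a heuristic, not a parser.
function blankCommentsAndStrings(source) {
  return source.replace(
    /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`/g,
    (m) =>
      m[0] === "/"
        ? m.replace(/[^\n]/g, " ")
        : m[0] + m.slice(1, -1).replace(/[^\n]/g, " ") + m[m.length - 1]
  );
}

// Scan a bundle and return one finding per (line, pattern) hit.
function findDynamicCodeEvaluation(source) {
  const rawLines = source.split("\n");
  const findings = [];
  blankCommentsAndStrings(source)
    .split("\n")
    .forEach((line, i) => {
      for (const { name, re } of DYNAMIC_CODE_PATTERNS) {
        if (re.test(line)) {
          findings.push({ line: i + 1, kind: name, text: rawLines[i].trim() });
        }
      }
    });
  return findings;
}

// Constructed sample 1: a module that builds its parser from source text at
// runtime. Both the eval and the Function constructor fail under the MV3 CSP.
const RUNTIME_COMPILED = `
// parser built at runtime from generated source text
const source = generateParserSource(grammar);
const parser = eval(source);
const wrapper = new Function("input", "return parser.parse(input);");
module.exports = { parse: wrapper };
`;

// Constructed sample 2: a parser emitted at build time. The word "eval" only
// appears in a comment and a string, which the scanner ignores.
const PRECOMPILED = `
// parser.js emitted at build time; no eval() needed at runtime
const note = "no eval() here";
function peg$parse(input) { return input.length; }
module.exports = { parse: peg$parse };
`;

for (const [name, src] of Object.entries({ RUNTIME_COMPILED, PRECOMPILED })) {
  console.log(name, findDynamicCodeEvaluation(src));
}
```

In a real pipeline the two constants would be replaced by reading the built bundle from disk, and a non-empty result would fail the build; the same scan is a quick way to confirm that a generated parser file contains no eval before it is committed.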