OvidijusParsiunas / deep-chat

Fully customizable AI chatbot component for your website
https://deepchat.dev
MIT License
1.27k stars 176 forks

Use of eval in deepChat.js is strongly discouraged as it poses security risks #24

Closed guinanlin closed 8 months ago

guinanlin commented 8 months ago

Trying to run a production build gives errors, but it's normal in dev:

frappe@acbde37c143d:~/frappe-bench/apps/qifudengta/sites/jinxin$ yarn build
yarn run v1.22.19
$ vite build
vite v4.5.0 building for production...
node_modules/deep-chat/dist/deepChat.js (6731:11) Use of eval in "node_modules/deep-chat/dist/deepChat.js" is strongly discouraged as it poses security risks and may cause issues with minification.
Killed
error Command failed with exit code 137.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

I tried to find the cause in deepChat.js ("node_modules/deep-chat/dist/deepChat.js"):

TypeConverters.attibutes = {
  string: function string(r) {
    return r;
  },
  number: function number(r) {
    return parseFloat(r);
  },
  "boolean": function boolean(r) {
    return r === "true";
  },
  object: function object(r) {
    return JSON.parse(r);
  },
  array: function array(r) {
    return JSON.parse(r);
  },
  "function": function _function(value) {
    return eval(value);
  }
};

Via the GPT suggestion:

TypeConverters.attibutes = {
  string: function string(r) {
    return r;
  },
  number: function number(r) {
    return parseFloat(r);
  },
  "boolean": function boolean(r) {
    return r === "true";
  },
  object: function object(r) {
    return JSON.parse(r);
  },
  array: function array(r) {
    return JSON.parse(r);
  },
  "function": function _function(value) {
    return new Function('return ' + value)(); // use new Function instead of eval
  }
};
OvidijusParsiunas commented 8 months ago

Thank you for letting me know about this issue @guinanlin!

I have made this change in the deep-chat-dev package version 9.0.40. It's a package similar to deep-chat that just uses a different name, so you can test the fix using it.

I am going to be making a new release in the main deep-chat package later tonight and will include this fix there. I'll update this thread when that is done.

Thank you!

OvidijusParsiunas commented 8 months ago

Hey, just a quick update. I had to make more changes in a new feature I am working on, so the new release is pushed back to tomorrow. Nevertheless, you should be able to use the deep-chat-dev package in the meanwhile. Thanks!

OvidijusParsiunas commented 8 months ago

The latest deep-chat package version 1.3.22 now includes this update. I am going to close this issue, however, if you are experiencing any issues relating to this - feel free to comment below. If you are experiencing any other problems or have suggestions for improvements, you are welcome to create a new issue. Thanks!

guinanlin commented 8 months ago

The latest deep-chat package version 1.3.22 now includes this update. I am going to close this issue, however, if you are experiencing any issues relating to this - feel free to comment below. If you are experiencing any other problems or have suggestions for improvements, you are welcome to create a new issue. Thanks!

Great, after testing, it works. Thanks.