TotalTechGeek / json-logic-engine

Construct complex rules with JSON & process them.
MIT License

Content Security Policy of your site blocks the use of 'eval' in JavaScript #27

Closed lee-smith-gl closed 6 months ago

lee-smith-gl commented 6 months ago

Hi,

I am currently working on an Angular (v16.2.9) application that uses the json-logic-engine library.

While implementing a Content Security Policy (CSP), I discovered that the library's use of eval is causing a violation of the CSP guidelines.

Is there any possibility that the library could be refactored to eliminate the use of eval?

The repository includes two instances of the eval function:

https://github.com/TotalTechGeek/json-logic-engine/blob/master/utilities/chainingSupported.js

const getIsOptionalChainingSupported = () => {
  ...  
    const isUndefined = globalThis.eval('(test) => test?.foo?.bar')(test)
  ...
}

and:

https://github.com/TotalTechGeek/json-logic-engine/blob/master/compiler.js

function processBuiltString (method, str, buildState) {
  ...
  return declareSync(globalThis.eval(final)(state, values, methods, gen, notTraversed, Override, asyncIterators, r, rAsync), !buildState.asyncDetected)
}

Any help would be greatly appreciated.

TotalTechGeek commented 6 months ago

I could easily remove it from the optional chaining detection, and I can try to do that sometime this week (perhaps today), however, it does not make sense to remove it from the compiler path of the library.

If you're unable to use eval or new Function or something similar, you cannot make use of the sandboxed logic compiler, which optimizes performance of the logic. Any other mechanism would be an attempt to subvert the intentions of the unsafe-eval csp.

However: You will be able to use logic.run instead, though, which for most use cases, should be more than performant.
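
A miniature rule engine, added here as an illustration (it is not json-logic-engine's own code), showing the two execution paths the maintainer contrasts: a compile step that feeds generated source to globalThis.eval, which a CSP without 'unsafe-eval' rejects, and an interpreter that needs no code generation at all. The operator set, the rule shape, and the evalPermitted/makeEvaluator helpers are assumptions made for the example.

```javascript
// Mini rule engine (constructed for this example, not json-logic-engine's code) with the
// two execution paths the thread contrasts: build() generates JS source and hands it to
// globalThis.eval, the exact call a CSP lacking 'unsafe-eval' rejects; run() walks the
// JSON rule directly and needs no code generation, so it is the CSP-safe path.
const OPS = {
  '==': (a, b) => a == b,
  '>': (a, b) => a > b,
  and: (...xs) => xs.every(Boolean),
  or: (...xs) => xs.some(Boolean),
};
const argsOf = (rule, op) => (Array.isArray(rule[op]) ? rule[op] : [rule[op]]);
const lookup = (data, path) =>
  path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), data);

// Interpreted path (the logic.run analogue): no eval, no new Function.
function run(rule, data) {
  if (rule === null || typeof rule !== 'object') return rule; // literal
  const [op] = Object.keys(rule);
  if (op === 'var') return lookup(data, argsOf(rule, op)[0]);
  return OPS[op](...argsOf(rule, op).map((a) => run(a, data)));
}

// Compiled path (the logic.build analogue): emit a JS expression, then eval it once.
function compile(rule) {
  if (rule === null || typeof rule !== 'object') return JSON.stringify(rule);
  const [op] = Object.keys(rule);
  if (op === 'var') return `lookup(data, ${JSON.stringify(argsOf(rule, op)[0])})`;
  return `OPS[${JSON.stringify(op)}](${argsOf(rule, op).map(compile).join(', ')})`;
}
function build(rule) {
  // Indirect eval runs in global scope, so helpers are passed in as parameters
  // rather than captured, mirroring how the library hands state to its eval'd function.
  const fn = globalThis.eval(`(OPS, lookup, data) => ${compile(rule)}`);
  return (data) => fn(OPS, lookup, data);
}

// Under a CSP without 'unsafe-eval', globalThis.eval throws an EvalError; probe for that
// once and fall back to the interpreter, as the maintainer recommends.
function evalPermitted() {
  try { return globalThis.eval('1') === 1; } catch (_) { return false; }
}
function makeEvaluator(rule) {
  return evalPermitted() ? build(rule) : (data) => run(rule, data);
}

// Constructed sample rule: adults holding the admin role.
const RULE = { and: [{ '>': [{ var: 'user.age' }, 18] }, { '==': [{ var: 'user.role' }, 'admin'] }] };
```

Both paths return the same result for the same rule and data; the difference is only whether a call to eval is needed, which is what the CSP decides.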

lee-smith-gl commented 6 months ago

Thanks for the fast, comprehensive reply. We've refactored our code, replacing logic.build usage with logic.run, resolving our CSP violation.

Thanks again.