laverdet
commented
1 year ago We use the callback and the flag as a means to prevent OOM memory crashes, rather than as a hardening feature.
Open QuiiBz opened 1 year ago
laverdet
commented
1 year ago We use the callback and the flag as a means to prevent OOM memory crashes, rather than as a hardening feature.
Thanks for creating this amazing library. I wonder how we can disable completely code generation from strings?
It's disabled by default here: https://github.com/laverdet/isolated-vm/blob/19b3624b962c13526f78949fd8a6391895a9463d/src/isolate/environment.cc#L482
But then is allowed in the
CodeGenCallback: https://github.com/laverdet/isolated-vm/blob/19b3624b962c13526f78949fd8a6391895a9463d/src/isolate/environment.cc#L128I don't really understand why the above is set to
true, which allows executing code withineval(),new Function(), ... Shouldn't it be set tofalseinstead? Initially found in https://github.com/lagonapp/lagon/pull/84