Open simontom opened 20 hours ago
Hi @simontom,
How about something like this:
engine.Execute(@"(() => {
const AsyncFunction = (async () => {}).constructor;
const ctor = (function () { throw new Error('Function constructors are disabled'); }).bind();
Object.defineProperty(Function.prototype, 'constructor', { value: ctor });
Object.defineProperty(AsyncFunction.prototype, 'constructor', { value: ctor });
Function = new Proxy(Function, { construct: ctor, apply: ctor });
})()");
Please let us know if that works for you. Thanks!
Hey folks, our scenario is "customer scriptable multitenant" runtime. We want to be very cautious what to allow.
In order to make it a bit more safer, we need the ClearScript API to disable
eval
and other ECMAScript APIs that convertstrings
into code (e.g., theFunction
CTOR).I see there is some flag in V8 (pro'ly) resulting right in the behaviour we crave for: "--disallow-code-generation-from-strings"
We were able "disable"
eval
exectuting the following script:This is what I've tried with
function
CTOR so far