Package doesn't work with Content Security Policy unsafe-eval

Question

Package doesn't work with Content Security Policy unsafe-eval

taras opened this issue 3 years ago · comments

NetlifyCMS uses this package as a dependency. This package includes an eval function that is not permitted with CSP 'unsafe-eval' which prevents NetlifyCMS from working in secure environments.

decaporg/decap-cms#4367 (comment)

Please, let me know if you're open to removing the eval - I can submit a PR.

Glauber Ramos · Answer 1 · Sat Jun 11 2022 05:30:31 GMT+0800 (China Standard Time)

Hi, any update on this? Can we merge the PR?

Taras Mankovski · Answer 2 · Sat Jun 11 2022 05:32:30 GMT+0800 (China Standard Time)

I believe so. I don't remember. It's been so long :)

Rebecca Turner · Answer 3 · Thu Aug 04 2022 03:57:37 GMT+0800 (China Standard Time)

(I've been away from Github for a while for medical reasons, I'm not really back per se, but today's a good day.)

So the actual eval is safe, but you have rules that improperly flag it as unsafe? Am I understanding that correctly? I can't say I'm keen on "delete it and move on" as a solution...

Edit: Ah, I see, so this is in fact for bundled versions running inside browsers... Let's see if we can find a better solution than just deleting a feature that's quite useful server-side.

Andrea Giammarchi · Answer 4 · Thu Sep 14 2023 22:05:47 GMT+0800 (China Standard Time)

@iarna

So the actual eval is safe

accordingly to CSP eval is never safe and this is blocking our project to adopt this otherwise wonderful module ... no eval, Function, or any variant of these is possible under CSP rules that don't allow eval, and coming from a CDN this is also a foreign module so even more relevant as considered "not safe".

CSP doesn't care if you just eval("1 + 2"), it cares that no code evaluation ever happens at runtime.

Please consider using typeof require and then require?.(...) within that try/catch as eval is not strictly needed in the first place, "env detection" would do a way better job without bothering the safety of the module, thank you!

Andrea Giammarchi · Answer 5 · Thu Sep 14 2023 22:30:36 GMT+0800 (China Standard Time)

@iarna I can file a clean PR if needed, just let me know, thanks!

edit although I really don't understand this comment:

/* eval require not available in transpiled bundle */

I am not sure what you mean but transpilers make that eval happens: see https://cdn.jsdelivr.net/npm/@iarna/toml/parse-string/+esm

Andrea Giammarchi · Answer 6 · Fri Sep 15 2023 03:30:13 GMT+0800 (China Standard Time)

@iarna I don't see much activity in this repo ... are you OK for a fork? Happy to push back in here changes I might make to this, but I ma focusing mostly on web compat so any require will be removed from the codebase if any eval is needed, yet the rest would remain, as require('util').inspect imho shouldn't be ever needed in the first place, when we have better tools and ways these days to debug issues ... would that work?

silverwind · Answer 7 · Tue May 28 2024 05:14:10 GMT+0800 (China Standard Time)

+1 on removal of inspect dependency and especially eval which also causes warnings during my build process in vite:

node_modules/@iarna/toml/lib/toml-parser.js (178:22): Use of eval in "node_modules/@iarna/toml/lib/toml-parser.js" is strongly discouraged as it poses security risks and may cause issues with minification.

Edit: I found https://github.com/squirrelchat/smol-toml which looks to be a good alternative to this module.