Using `new Function` violates common security practice
nhusher opened this issue
This library uses `new Function`, which is equivalent to the `eval` function. Under common sense security regimes, both `new Function` and `eval` are disallowed, including in the browser using CSP.
If you're under CSP restrictions, don't use the `format` option. You can either use the default format, or override the `compareMinX`, `compareMinY` and `toBBox` methods to support a custom format without `eval`.
@photonstorm any reason you decided to fork the library instead of just overriding the methods above? I think switching back to a direct dependency would be beneficial — you would get any potential bugfixes and performance improvements from upstream.
```js
// Build a tree and replace the three format-dependent methods, so no
// `format` option (and therefore no `new Function`) is needed.
function customRBush(maxEntries) {
    var tree = rbush(maxEntries);
    tree.compareMinX = compareMinX;
    tree.compareMinY = compareMinY;
    tree.toBBox = toBBox;
    return tree;
}

// Items are objects with left/top/right/bottom instead of minX/minY/maxX/maxY.
function compareMinX(a, b) { return a.left - b.left; }
function compareMinY(a, b) { return a.top - b.top; }
function toBBox(a) {
    return {
        minX: a.left,
        minY: a.top,
        maxX: a.right,
        maxY: a.bottom
    };
}
```
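As an added example (not rbush's own code), here is what a CSP-safe replacement for an eval-based `format` option looks like: a restricted accessor grammar (`.name` and `[index]` segments, assumed to mirror the strings the `format` option accepted) is parsed into plain closures, and the three overridable methods are built from them. `compileAccessor` and `methodsFromFormat` are hypothetical names.

```javascript
// Example code, not from rbush. A `format` option implemented with
// `new Function('a', 'return a' + str)` is blocked by any Content-Security-Policy
// that omits 'unsafe-eval'. This accepts the same ".name" / "[index]" shapes
// (assumed) but never turns a string into code: unknown syntax is rejected.
const SEGMENT = /^(?:\.([A-Za-z_$][\w$]*)|\[(\d+)\])/;

function compileAccessor(path) {
  // Tokenise the path into a list of property keys / array indices.
  const keys = [];
  let rest = path;
  while (rest.length > 0) {
    const m = SEGMENT.exec(rest);
    if (!m) throw new Error('unsupported accessor format: ' + JSON.stringify(path));
    keys.push(m[1] !== undefined ? m[1] : Number(m[2]));
    rest = rest.slice(m[0].length);
  }
  if (keys.length === 0) throw new Error('empty accessor format');
  // The closure only walks the parsed keys; there is no eval anywhere.
  return function (item) {
    let value = item;
    for (const k of keys) value = value[k];
    return value;
  };
}

// Derive compareMinX / compareMinY / toBBox (the methods rbush lets callers
// override) from a four-element accessor array [minX, minY, maxX, maxY].
function methodsFromFormat(format) {
  if (!Array.isArray(format) || format.length !== 4) {
    throw new Error('format must be [minX, minY, maxX, maxY] accessors');
  }
  const [minX, minY, maxX, maxY] = format.map(compileAccessor);
  return {
    compareMinX: (a, b) => minX(a) - minX(b),
    compareMinY: (a, b) => minY(a) - minY(b),
    toBBox: (a) => ({ minX: minX(a), minY: minY(a), maxX: maxX(a), maxY: maxY(a) })
  };
}

// Usage with the left/top/right/bottom item shape from the snippet above;
// assign the three methods onto the tree exactly as customRBush does.
const customMethods = methodsFromFormat(['.left', '.top', '.right', '.bottom']);
```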
@mourner The main reason is because we needed a different way of requiring QuickSelect. You only release new versions once a year (if that) and they're generally really small updates, so it's trivial to manage from our end. If you were in a rapid development cycle then we'd do it differently, but I'm quite glad it's nice and stable and rarely changing.
Note that RBush v3.0 eliminates `eval` and is fully CSP-compliant. See #93.