simplyhexagonal / short-unique-id

Short Unique ID (UUID) generation library. Available in NPM.

Home Page: https://www.npmjs.com/package/short-unique-id

Unsafe eval issue is back

middiu opened this issue

Hello,

I can see that this issue was fixed almost two years ago, but I still get it. #35
I'm using the latest version of the library, 4.4.4, and this is the error in the browser console:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.googletagmanager.com".

Checking the error, it seems to be pointing to the ShortUniqueId class constructor.

The only way to use this library now with CSP is to set script-src: 'unsafe-eval', which makes CSP useless.

I'm also getting Uncaught EvalError: call to Function() blocked by CSP

Interesting, our usage of the Function native class has nothing to do with doing an "eval", even though I am aware that there's such a usage for it.

This is definitely a false positive.

Even though I think it's not a trivial change, I'll try to find a workaround to how we define the ShortUniqueId class instance so it continues to work both as an object as well as a function.

FWIW: I wanted to use this library in a Cloudflare Worker and ran into the code generation error that is also mentioned in #45. The ShortUniqueId class inheriting from Function seems to be what triggers the issue.

Would be great if this can be fixed properly, but to unblock myself I worked around this by creating a fork. The only change is that I removed the inheritance from Function so you must construct the thing as an object. Which is fine for my use case.

The fork can be found here: https://github.com/nonstrict-hq/short-unique-id

@jeanlescure do you have an idea whether this can be fixed in a more structural way? Would be great to use this lib in more contexts.

@mac-cain13 version 5 has just been released and it has been refactored to not be callable as a function: https://github.com/simplyhexagonal/short-unique-id#-v5-notice

Do let us know if the code generation error has gone away.

Cheers 🍻

Closing issue for now as we had no way to reproduce and new version should address what was originally described.

If problem persists feel free to open a new issue 😃
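
The failure discussed in this thread can be reproduced outside a browser: Node's `vm` module can create a context with code generation from strings disabled, a restriction comparable to a CSP without 'unsafe-eval'. The following is an added example, not code from the library, the fork or any participant in the thread; `CallableId`, `PlainId` and `makeId` are hypothetical stand-ins for the designs mentioned.

```javascript
const vm = require('node:vm');

// Design 1 (hypothetical): a callable class built by inheriting from Function.
// super() invokes the Function constructor, which is code generation from a string.
const CALLABLE_VIA_FUNCTION = `
  class CallableId extends Function {
    constructor() { super(); this.counter = 0; }
  }
  new CallableId();
  'constructed';
`;

// Design 2 (hypothetical): a plain class, usable only as an object.
const PLAIN_CLASS = `
  class PlainId {
    constructor() { this.counter = 0; }
    seq() { return ++this.counter; }
  }
  const uid = new PlainId();
  [uid.seq(), uid.seq()].join(',');
`;

// Design 3 (hypothetical): callable and object-like via a closure, no Function constructor.
const CALLABLE_VIA_CLOSURE = `
  function makeId() {
    let counter = 0;
    const fn = () => ++counter;
    fn.seq = fn;
    return fn;
  }
  const uid = makeId();
  [uid(), uid.seq()].join(',');
`;

// Run a source string in a fresh context; allowStrings=false mimics a policy
// that forbids eval-like code generation inside that context.
function runUnderPolicy(source, allowStrings) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: allowStrings, wasm: false },
  });
  try {
    return { ok: true, value: vm.runInContext(source, context) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

for (const [name, src] of Object.entries({ CALLABLE_VIA_FUNCTION, PLAIN_CLASS, CALLABLE_VIA_CLOSURE })) {
  console.log(name, runUnderPolicy(src, false));
}
```

The same harness works as a regression check for any dependency: load its bundle into a context with `strings: false` and fail the build if an `EvalError` is raised, rather than relaxing `script-src`.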