• Status
• TL;DR
• Motivation
• Problem 1: %eval% does not accept objects in lieu of strings for code
• Problem 2: Host callout does not receive type information
• Problem 3: Host callout does not receive the full code to check
• Tests

Champion(s): koto
Author(s): mikesamuel, koto
Stage: 3
Spec: ecmarkup output, source

Allow hosts to create code-like objects and change HostEnsureCanCompileStrings( calleeRealm, parameterStrings, bodyString, direct ) to HostEnsureCanCompileStrings( calleeRealm, parameterStrings, bodyString, codeString, compilationType, parameterArgs, bodyArg ).

eval is Evil

The eval function is the most misused feature of JavaScript. Avoid it.

-- Douglas Crockford, "JavaScript: The Good Parts"

eval and its friend new Function are problematic because, too often, an attacker can turn it against the application.

Most code avoids eval, but JS programs are no longer small, and self-contained as they were when Crock wrote that.

If one module uses eval, even if it's as simple as Function('return this')() to get a handle to the global object then eval has to work.

This prevents the use of security measures like:

• Content-Security-Policy
• node --disallow_code_generation_from_strings

which turn off eval globally.

As JavaScript programs get larger, the chance that no part of it needs eval or Function() to operate gets smaller.

It is difficult in JavaScript for a code reviewer to determine that code never uses these operators. For example, the below can when x is constructor.

({}[x][x](y)());

// ({})[x]       === Object
// ({})[x][x]    === Function
// ({})[x][x](y)  ~  Function(y)

So code review and developer training are unlikely to prevent abuse of these operators.

This aims to solve the problem by providing more context to host environments so that they can make finer-grained trust decisions. Since strings in Javascript programs often come from untrusted sources (DOM-Based XSS in web platform), the trust decisions might be based on brand-checking objects representing the code that the application author trusts to be evaluated.

The Trusted Types proposal (explainer for TC39) seeks to guard risky operations like dynamic code evaluation by requiring that code portions have a runtime type that indicates that they have been explicitly trusted.

Specifically, when Trusted Types enforcement is turned on, it would like to ensure that arguments to eval() and new Function() are (or are convertible to) a TrustedScript - an object wrapping around a string stored in an internal, immutable slot. This enhances the existing dynamic code evaluation guards that the web platform already has with CSP (Trusted Types also integrates with other CSP mechanisms).

This proposal seeks to solve the following problems:

Currently, typeof x === 'string' || eval(x) === x. Eval exits early when its argument is not a string.

For example:

console.log(eval(123) === 123);

const array = ["alert(1)"];
console.log(eval(array) === array); // Does not alert

const touchy = {
  toString() {
    throw new Error();
  },
};
console.log(eval(touchy) === touchy); // Does not throw.

This follows from step 2 of the definition of PerformEval:

Runtime Semantics: PerformEval ( x, evalRealm, strictCaller, direct )

The abstract operation PerformEval with arguments *x*, *evalRealm*, *strictCaller*, and *direct* performs the following steps:

1. Assert: If direct is false, then strictCaller is also false.
2. If Type(x) is not String, return x.

To avoid breaking the web, eval(x) should do nothing different when x is a non-string value that existing applications might create.

Define a spec abstraction, IsCodeLike, that allows some object values through but without changing the semantics of pre-existing programs.

• Define HostGetCodeForEval(*x*), a spec abstraction that returns the code string for objects that should evaluate.
• Tweak PerformEval, which is called by both direct and indirect eval, to use HostGetCodeForEval(*x*) to ensure Code-like objects will not cause the early-exit.

• HostGetCodeForEval has no observable side effect for values. eval is backwards compatible when a program produces no code like values.
• User code can only create code-like values via host-defined APIs.

• Can't be tested in test262 (code-like object creation is host-defined).
• Code-like values are not proxyable.

Currently the information available to decide whether to allow compilation of a string is a realm, a list of strings from parameters, a string from body, and a boolean.

HostEnsureCanCompileStrings( _calleeRealm, parameterStrings, bodyString, direct )

HostEnsureCanCompileStrings is an implementation-defined abstract operation that allows host environments to block certain ECMAScript functions which allow developers to compile strings into ECMAScript code.

For the hosts to be able to guard dynamic code evaluation effectively, additional type information is needed.

This proposal aims to provide additional context to HostEnsureCanCompileStrings, and reorder the steps in CreateDynamicFunction so that HostEnsureCanCompileStrings receives runtime type information - namely, the eval argument, or all the Function constructor arguments.

• Requires changes to the host callout (see also below):
• Complex host interface; Requires passing objects to the host.

HostEnsureCanCompileStrings is called with parameters for the source code, but they're not in a unified string.

This proposal updates the host callout to contain the full code string to be executed, and moves the callout in CreateDynamicFunction after the function body is assembled.

Related tests at

• https://github.com/tc39/test262/blob/master/test/language/eval-code/direct/non-string-object.js
• https://github.com/tc39/test262/blob/master/test/language/eval-code/indirect/non-string-object.js

but testing these require affecting the behavior of host callouts so will probably need to be specified as web-platform-tests.