Restricting eval() to a narrow scope

Question

I have a javascript file that reads another file which may contain javascript fragments that need to be eval()-ed. The script fragments are supposed to conform to a strict s

Answer 1

Here's an idea. What if you used a static analyzer (something you could build with esprima, for example) to determine which outside variables the eval'd code uses, and alias them. By "outside code" i mean variables the eval'd code uses but does not declare. Here's an example:

eval(safeEval(
     "var x = window.theX;"
    +"y = Math.random();"
    +"eval('window.z = 500;');"))

where safeEval returns the javascript string modified with a context that blocks access to outside variables:

";(function(y, Math, window) {"
  +"var x = window.theX;"
  +"y = Math.random();"
  +"eval(safeEval('window.z = 500;');"
"})();"

There are a couple things you can do now with this:

• You can ensure that eval'd code can't read the values of outside variables, nor write to them (by passing undefined as the function arguments, or not passing arguments). Or you could simply throw an exception in cases where variables are being unsafely accessed.
• You also ensure that variables created by eval don't affect the surrounding scope
• You could allow eval to create variables in the surrounding scope by declaring those variables outside the closure instead of as function parameters
• You could allow read-only access by copying values of outside variables and using them as arguments to the function
• You could allow read-write access to specific variables by telling safeEval to not alias those particular names
• You can detect cases where the eval does not modify a particular variable and allow it to be automatically excluded from being aliased (eg. Math in this case, is not being modified)
• You could give the eval a context in which to run, by passing in argument values that may be different than the surrounding context
• You could capture context changes by also returning the function arguments from the function so you can examine them outside the eval.

Note that the use of eval is a special case, since by its nature, it effectively can't be wrapped in another function (which is why we have to do eval(safeEval(...))).

Of course, doing all this work may slow down your code, but there are certainly places where the hit won't matter. Hope this helps someone. And if anyone creates a proof of concept, I'd love to see a link to it here ; )

Answer 2

Short answer: No. If it's in the global scope, it's available to anything.

Long answer: if you're eval()ing untrusted code that really wants to read or mess with your execution environment, you're screwed. But if you own and trust all code being executed, including that being eval()ed, you can fake it by overriding the execution context:

function maskedEval(scr)
{
    // set up an object to serve as the context for the code
    // being evaluated. 
    var mask = {};
    // mask global properties 
    for (p in this)
        mask[p] = undefined;

    // execute script in private context
    (new Function( "with(this) { " + scr + "}")).call(mask);
}

Again, I must stress:

This will only serve to shield trusted code from the context in which it is executed. If you don't trust the code, DO NOT eval() it (or pass it to new Function(), or use it in any other way that behaves like eval()).

Answer 3

Shog9♦'s Answer is great. But if your code is just an expression, the code will be executed and nothing will be returned. For expressions, use

function evalInContext(context, js) {

  return eval('with(context) { ' + js + ' }');

}

Here is how to use it:

var obj = {key: true};

evalInContext(obj, 'key ? "YES" : "NO"');

It will return "YES".

If you are not sure if the code to be executed is expressions or statements, you can combine them:

function evalInContext(context, js) {

  var value;

  try {
    // for expressions
    value = eval('with(context) { ' + js + ' }');
  } catch (e) {
    if (e instanceof SyntaxError) {
      try {
        // for statements
        value = (new Function('with(this) { ' + js + ' }')).call(context);
      } catch (e) {}
    }
  }

  return value;
}

Answer 4

Don't execute code you don't trust. Globals will always be accessible. If you do trust the code, you can execute it with particular variables in it's scope as follows:

(new Function("a", "b", "alert(a + b);"))(1, 2);

this is equivalent to:

(function (a, b) {
    alert(a + b);
})(1, 2);

Answer 5

There is a project called Google Caja. You can "sandbox" third party javascript using Caja. https://developers.google.com/caja/

Answer 6

Don't use eval. There's an alternative, js.js: JS interpreter written in JS, so that you can run JS programs in any environment you've managed to setup. Here's an example of its API from the project page:

var jsObjs = JSJS.Init();
var rval = JSJS.EvaluateScript(jsObjs.cx, jsObjs.glob, "1 + 1");
var d = JSJS.ValueToNumber(jsObjs.cx, rval);
window.alert(d); // 2
JSJS.End(jsObjs);

Nothing scary, as you can see.