Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Git rid of eval() in WASM wrapper

See original GitHub issue

Hi again! I used DotNetJS to create a library that exposes some common functions that we share across C# executables and an Electron app to ensure the behaviour is identical. The problem is, the electron’s app (Vortex) is blocking eval execution due to it’s CSP. I did earlier some investigation about this, but I would like to double check! Is eval critical for the runtime to work or is it used only for debugging? Could we strip it’s usage with some conditionals?

Waiting for https://github.com/dotnet/runtime/pull/74441

Issue Analytics

State:
Created a year ago
Comments:10 (10 by maintainers)

Top GitHub Comments

1reaction

Aragascommented, Aug 23, 2022

As I understand, will be fixed once this is done https://github.com/dotnet/runtime/pull/74441

1reaction

Aragascommented, Apr 27, 2022

I’ll report at least my findings then.

I think that there’s an additional eval call in function Function.apply(Function, i); https://github.com/Elringus/DotNetJS/blob/cad9a87854fd860203d25991a55bb3a68fa11229/JavaScript/dotnet-runtime/native/dotnet.js#L4760 After replacing all evals with { } as you did, Vortex still had an issue with that function. After replacing it with (x, y) => () => { }, CSP wasn’t triggering anymore and Vortex stared to load the module, but now there’s this error Error: System.NullReferenceException: Arg_NullReferenceException, pretty sure it breaks the runtime.

From what I understand somehow an eval function is injected here https://github.com/Elringus/DotNetJS/blob/cad9a87854fd860203d25991a55bb3a68fa11229/JavaScript/dotnet-runtime/native/dotnet.js#L4760

I manually enabled unsafe-eval for better debugging and tried some shenanigans like new Function('"use strict";return (' + keys+ ')'), but nope. Replacing with new Function('return ' + keys); or new Function(keys) yielded an interesting error and stacktrace: ReferenceError: converter is not defined at eval (https://mono-wasm.invalid/variadic_converter_ii_result_unmarshaled:3:1) which confirms that eval is used internally, as I understand.

I’m still not sure what Function.apply() does. It’s safe to replace the first arg with null instead of Function, not sure why it wasn’t done. Replacing the whole construction with eval(keys) works too. But as said earlier, the alternative with new Function() isn’t working.