Bypass nx-compile 2.0 with hoisting
In the proposal at https://github.com/RisingStack/nx-compile/issues/2#issuecomment-241438171 and https://github.com/RisingStack/nx-compile/pull/3 you talk about “Early closing the with block with a single ‘}’ character is now not possible.”
It looks like the idea for the fix was based on the fact that even if you break out of the “with” statement you are after the return statement, and code after the return is assumed unreachable. However, functions declared after the return statement are hoisted into scope (above the with statement). If we name that function “sandbox” we replace the Proxy with our function, bypassing the sandbox.
This results in the following code inside the new Function():
// this gets hoisted
function sandbox(){}// }) }
with (sandbox) {
return (() => {
'use strict'; global.isSecure=false
})
};
I created the following failing test as a POC:
it('should protect against "early mustache closing" string manipulation and hoisting', () => {
const code = compiler.compileCode('global.isSecure=false})};function sandbox(){}//', {})
code()
expect(global.isSecure).to.be.true
})
Tested against https://github.com/RisingStack/nx-compile/pull/3
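As an added example (not code from this issue and not nx-compile's own code), the following reconstructs the single-line `with` wrapper the issue describes and places a pre-compile syntax check beside it. The check parses the user code on its own with `new Function` before it is spliced into the wrapper: any prefix of the user code with more `}` than `{` is an unmatched brace at the top level of a function body, which is a SyntaxError, so code that could close the wrapper's `{ ... {` never reaches it. The names `makeSandbox`, `WRAPPER_HEAD`, `WRAPPER_TAIL`, `compileUnchecked`, `assertSelfContained` and `compileChecked` are this example's own, and the check is this example's assumption; the maintainers' “pre-compiling function” mentioned later in the thread is not described on this page, so no claim is made that this is it.

```javascript
// Added example; not nx-compile's code. Reconstructs the `with`-based
// wrapper the issue describes and adds a pre-compile syntax check.

// Constructed sandbox scope: a Proxy that answers `has` for every name, so
// inside `with (sandbox)` every free identifier resolves here and never
// reaches the real global object.
function makeSandbox(scope) {
  return new Proxy(scope, {
    has: () => true,
    get: (target, key) => (key === Symbol.unscopables ? undefined : target[key]),
  });
}

// Wrapper shape from the issue. User code is spliced onto ONE line, which is
// why a trailing `//` in the user code can swallow the closing `}) };`.
const WRAPPER_HEAD = "with (sandbox) { return (() => { 'use strict'; ";
const WRAPPER_TAIL = ' }) };';

// Vulnerable form (the behaviour the issue reports): nothing checks that
// `src` stays inside the arrow body. Code that closes `}) }` and then
// declares `function sandbox(){}` at the top level of the Function body is
// hoisted above `with (sandbox)` and replaces the Proxy parameter.
function compileUnchecked(src, scope) {
  const factory = new Function('sandbox', WRAPPER_HEAD + src + WRAPPER_TAIL);
  return factory(makeSandbox(scope));
}

// Pre-compile check (this example's assumption, not the project's fix):
// parse `src` on its own as a function body. A prefix with more `}` than
// `{` is an unmatched brace there and is rejected with a SyntaxError.
// Strings, comments, regexes and template literals tokenize the same way
// here as inside the arrow body, and the Function constructor terminates
// the body with a newline before its own `}`, so a trailing `//` cannot
// hide the closing brace from this check.
function assertSelfContained(src) {
  try {
    new Function(src);
  } catch (e) {
    if (e instanceof SyntaxError) {
      throw new SyntaxError('pre-compile check rejected user code: ' + e.message);
    }
    throw e;
  }
}

// Hardened form: check first, then wrap exactly as before.
function compileChecked(src, scope) {
  assertSelfContained(src);
  return compileUnchecked(src, scope);
}

// Stand-alone demonstration.
function main() {
  const payload = 'global.isSecure=false})};function sandbox(){}//'; // from the issue
  console.log(compileChecked('return a + b', { a: 2, b: 3 })()); // 5
  console.log(compileChecked('return typeof process', {})()); // 'undefined'
  try {
    compileChecked(payload, {});
  } catch (e) {
    console.log(String(e)); // SyntaxError from the pre-compile check
  }
}
if (typeof require !== 'undefined' && require.main === module) main();
```

The check only guards the wrapper's braces; it says nothing about other ways a `with`-based scope can leak (for example what `this` refers to inside the returned function), so it is a fix for the hoisting break-out described here, not a complete sandbox argument.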
Issue analytics: created 7 years ago; reactions: 1; comments: 6 (4 by maintainers)
Don’t mind at all!
Great (:
I think the issues are fixed with the pre-compiling function. I am going to close this now. (I opened a few fresh issues for v2.0.0)