Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security warning: avoid using function constructor.

See original GitHub issue

I recently discovered that one of plotly.js’s dependency is using Function constructor. Unfortunately, I can’t tell exactly which one, but the code doesn’t seems to belong to plotly itself.

Here is Chrome’s error message:

plotly.js:74222Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is
 not an allowed source of script in the following Content Security Policy directive: "script-src 'self'
 www.google-analytics.com ajax.googleapis.com 'nonce-67df8dace6ea7feb57cab73e41ebe0c7'".

makeOp  @   plotly.js:74222
(anonymous function)    @   plotly.js:74244
455.cwise-compiler  @   plotly.js:74271
s   @   plotly.js:7
(anonymous function)    @   plotly.js:7
129.ndarray @   plotly.js:25687
s   @   plotly.js:7
(anonymous function)    @   plotly.js:7
138../lib/shaders   @   plotly.js:27330
s   @   plotly.js:7
(anonymous function)    @   plotly.js:7
798.../../constants/gl3d_dashes @   plotly.js:127609
s   @   plotly.js:7
(anonymous function)    @   plotly.js:7
800.../../constants/gl_markers  @   plotly.js:128154
s   @   plotly.js:7
(anonymous function)    @   plotly.js:7
15.../src/traces/scatter3d  @   plotly.js:355
s   @   plotly.js:7
(anonymous function)    @   plotly.js:7
12../bar    @   plotly.js:312
s   @   plotly.js:7
e   @   plotly.js:7
(anonymous function)    @   plotly.js:7
a   @   plotly.js:7
(anonymous function)    @   plotly.js:7
__webpack_require__ @   bootstrap 08e5224…:585
fn  @   bootstrap 08e5224…:109
(anonymous function)    @   svg-to-png.js:2
__webpack_require__ @   bootstrap 08e5224…:585
fn  @   bootstrap 08e5224…:109
(anonymous function)    @   commons.js:36658
__webpack_require__ @   bootstrap 08e5224…:585
fn  @   bootstrap 08e5224…:109
(anonymous function)    @   index.js:1
__webpack_require__ @   bootstrap 08e5224…:585
fn  @   bootstrap 08e5224…:109
(anonymous function)    @   bootstrap.js:9
__webpack_require__ @   bootstrap 08e5224…:585
fn  @   bootstrap 08e5224…:109
(anonymous function)    @   index.js:3
__webpack_require__ @   bootstrap 08e5224…:585
fn  @   bootstrap 08e5224…:109
(anonymous function)    @   index.js:8
__webpack_require__ @   bootstrap 08e5224…:585
webpackJsonpCallback    @   bootstrap 08e5224…:21
(anonymous function)    @   index.js:1

Function constructor is considered by browser’s CSP as an equivalent of eval. Therefore, we can’t setup a good Content Security Policy, unless we allow 'unsafe-eval' which is a whole in the policy itself.

It is possible to identify the faulty dependency, and maybe provide a workaround ?

Issue Analytics

State:
Created 7 years ago
Reactions:7
Comments:34 (20 by maintainers)

Top GitHub Comments

13reactions

nicolaskruchtencommented, Feb 18, 2021

An update: thanks to generous sponsorship from Equinor, we have been able to make substantial progress on this issue! I’ve just posted the pre-release announcement for Plotly.js 2.0, which will include the following changes related to this issue:

The following official partial bundles no longer use function-constructors: basic, cartesian, finance, geo, and mapbox.
A new partial bundle called strict will be supported from now on, and it contains the maximal subset of the library which is function-constructor-free (see link for list of trace types).
Tests have been added to our CI such that the introduction of new usages of function-constructors will be considered a regression, meaning that we are committing to maintaining the status of the above bundles.
As more sponsorship becomes available, we will continue to work on refactoring away the usage of function constructors in the various remaining gl2d and gl3d trace types (which involves upgrading various sub-dependencies, as listed in the comments above), such that the strict bundle will eventually grow to include the entire library, and such that we can eventually add the gl2d and gl3d partial bundles to the list of function-constructor-free bundles.
We are developing a new and easier way for folks to bundle custom partial bundles, in case there is a need for a subset of the strict bundle that doesn’t happen to match what’s in basic, cartesian, finance, geo, or mapbox.
We have documented the technique that can be used to load an official or custom partial bundle into a Dash app so that Dash developers can benefit from these new CSP-safe bundles.

7reactions

nicolaskruchtencommented, Oct 6, 2020

Great news: Equinor is generously willing to sponsor $15k of this work if we can find sponsors for the rest! Please let us know if you’re able to contribute part of the remaining $30k-$35k and we can get started on this project 😃

Top Results From Across the Web

JavaScript - Avoid use of Function Constructors

JavaScript - Avoid use of Function Constructors ... your program to random, unintended code which can be both slow and a security risk....

Function constructors should not be used - SonarSource Rules

In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string arguments ...

Security considerations using "new Function(...)" (during ...

I avoid eval() whenever possible. But I'm not sure if it's secure enough to use new Function(...) which is also known as being...

no-new-func - ESLint - Pluggable JavaScript Linter

This error is raised to highlight the use of a bad practice. By passing a string to the Function constructor, you are requiring...

Function() constructor - JavaScript - MDN Web Docs

Calling the constructor directly can create functions dynamically, but suffers from security and similar (but far less significant) ...