fix(security): prevent Function calls outside of member expressions

dist/index-browser-esm.js

@@ -1297,7 +1297,7 @@ const SafeEval = {
     const result = obj[prop];
     if (typeof result === 'function') {
       if (result === Function) {
-        throw new Error('Function constructor is disabled');
+        return result; // Don't bind so can identify and throw later
       }
       return result.bind(obj); // arrow functions aren't affected by bind.
     }
@@ -1319,6 +1319,9 @@ const SafeEval = {
   evalCallExpression(ast, subs) {
     const args = ast.arguments.map(arg => SafeEval.evalAst(arg, subs));
     const func = SafeEval.evalAst(ast.callee, subs);
+    if (func === Function) {
+      throw new Error('Function constructor is disabled');
+    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {

dist/index-browser-umd.cjs

@@ -1303,7 +1303,7 @@
 	    const result = obj[prop];
 	    if (typeof result === 'function') {
 	      if (result === Function) {
-	        throw new Error('Function constructor is disabled');
+	        return result; // Don't bind so can identify and throw later
 	      }
 	      return result.bind(obj); // arrow functions aren't affected by bind.
 	    }
@@ -1325,6 +1325,9 @@
 	  evalCallExpression(ast, subs) {
 	    const args = ast.arguments.map(arg => SafeEval.evalAst(arg, subs));
 	    const func = SafeEval.evalAst(ast.callee, subs);
+	    if (func === Function) {
+	      throw new Error('Function constructor is disabled');
+	    }
 	    return func(...args);
 	  },
 	  evalAssignmentExpression(ast, subs) {

dist/index-node-cjs.cjs

@@ -1298,7 +1298,7 @@ const SafeEval = {
     const result = obj[prop];
     if (typeof result === 'function') {
       if (result === Function) {
-        throw new Error('Function constructor is disabled');
+        return result; // Don't bind so can identify and throw later
       }
       return result.bind(obj); // arrow functions aren't affected by bind.
     }
@@ -1320,6 +1320,9 @@ const SafeEval = {
   evalCallExpression(ast, subs) {
     const args = ast.arguments.map(arg => SafeEval.evalAst(arg, subs));
     const func = SafeEval.evalAst(ast.callee, subs);
+    if (func === Function) {
+      throw new Error('Function constructor is disabled');
+    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {

dist/index-node-esm.js

@@ -1296,7 +1296,7 @@ const SafeEval = {
     const result = obj[prop];
     if (typeof result === 'function') {
       if (result === Function) {
-        throw new Error('Function constructor is disabled');
+        return result; // Don't bind so can identify and throw later
       }
       return result.bind(obj); // arrow functions aren't affected by bind.
     }
@@ -1318,6 +1318,9 @@ const SafeEval = {
   evalCallExpression(ast, subs) {
     const args = ast.arguments.map(arg => SafeEval.evalAst(arg, subs));
     const func = SafeEval.evalAst(ast.callee, subs);
+    if (func === Function) {
+      throw new Error('Function constructor is disabled');
+    }
     return func(...args);
   },
   evalAssignmentExpression(ast, subs) {

src/Safe-Script.js

@@ -112,7 +112,7 @@ const SafeEval = {
         const result = obj[prop];
         if (typeof result === 'function') {
             if (result === Function) {
-                throw new Error('Function constructor is disabled');
+                return result; // Don't bind so can identify and throw later
             }
             return result.bind(obj); // arrow functions aren't affected by bind.
         }
@@ -134,6 +134,9 @@ const SafeEval = {
     evalCallExpression (ast, subs) {
         const args = ast.arguments.map((arg) => SafeEval.evalAst(arg, subs));
         const func = SafeEval.evalAst(ast.callee, subs);
+        if (func === Function) {
+            throw new Error('Function constructor is disabled');
+        }
         return func(...args);
     },
     evalAssignmentExpression (ast, subs) {