diff --git a/doc/api/cli.md b/doc/api/cli.md index 36984a1003b6a0..8046d64649dae3 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -127,6 +127,15 @@ added: v12.0.0 Specify the file name of the CPU profile generated by `--cpu-prof`. +### `--disallow-code-generation-from-strings` + + +Make built-in language features like `eval` and `new Function` that generate +code from strings throw an exception instead. This does not affect the Node.js +`vm` module. + ### `--enable-fips` * `--abort-on-uncaught-exception` +* `--disallow-code-generation-from-strings` * `--interpreted-frames-native-stack` * `--max-old-space-size` * `--perf-basic-prof-only-functions` diff --git a/doc/node.1 b/doc/node.1 index dc29867a699b3c..fdc2644d42e46e 100644 --- a/doc/node.1 +++ b/doc/node.1 @@ -100,6 +100,11 @@ The default is File name of the V8 CPU profile generated with .Fl -cpu-prof . +.It Fl -disallow-code-generation-from-strings +Make built-in language features like `eval` and `new Function` that generate +code from strings throw an exception instead. This does not affect the Node.js +`vm` module. +. .It Fl -enable-fips Enable FIPS-compliant crypto at startup. Requires Node.js to be built with diff --git a/src/node_options.cc b/src/node_options.cc index 8909c74882f496..1c20a0d789f798 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -598,6 +598,10 @@ PerIsolateOptionsParser::PerIsolateOptionsParser( V8Option{}, kAllowedInEnvironment); AddOption("--stack-trace-limit", "", V8Option{}, kAllowedInEnvironment); + AddOption("--disallow-code-generation-from-strings", + "disallow eval and friends", + V8Option{}, + kAllowedInEnvironment); #ifdef NODE_REPORT AddOption("--report-uncaught-exception", diff --git a/test/parallel/test-cli-node-options.js b/test/parallel/test-cli-node-options.js index 7e42139470e964..698f463b627644 100644 --- a/test/parallel/test-cli-node-options.js +++ b/test/parallel/test-cli-node-options.js @@ -60,6 +60,7 @@ if (common.hasCrypto) { // V8 options expect('--abort_on-uncaught_exception', 'B\n'); +expect('--disallow-code-generation-from-strings', 'B\n'); expect('--max-old-space-size=0', 'B\n'); expect('--stack-trace-limit=100', /(\s*at f \(\[eval\]:1:\d*\)\r?\n){100}/,