CRITICAL: Dynamic module uses eval

[harshkhandeparkar]

Please describe the problem (or idea)

The dynamic module uses the javascript eval function to evaluate expressions. But the exec method should not be used at any cost because it will execute any js code that is entered in the textbox.

This is a major security threat to the IS demo and any other projects that use IS.

Please show us where to look

https://beta.sequencer.publiclab.org

What's your PublicLab.org username?

This can help us diagnose the issue:

Browser, version, and operating system

Many bugs are related to these -- please help us track it down and reproduce what you're seeing!

---

Thank you!

Your help makes Public Lab better! We deeply appreciate your helping refine and improve this site.

To learn how to write really great issues, which increases the chances they'll be resolved, see:

https://publiclab.org/wiki/developers#Contributing+for+non-coders

[jywarren]

Hi, do you have any ideas for other ways to accomplish this functionality? Thanks!

Could we swap for https://github.com/silentmatt/expr-eval ?

[jywarren]

image-sequencer/src/modules/Dynamic/Module.js

Lines 17 to 22 in 8c461bb

	function generator(expression) {
	var func = 'f = function (r, g, b, a) { var R = r, G = g, B = b, A = a; return ' + expression + ';}';
	var f;
	eval(func);
	return f;
	}

could we swapped for:

Also, i think you maybe meant eval and not exec? Thanks Harsh!

[harshkhandeparkar]

Oh yeah sorry, I meant eval.

[harshkhandeparkar]

Hi, do you have any ideas for other ways to accomplish this functionality? Thanks!

Could we swap for https://github.com/silentmatt/expr-eval ?

I guess there are packages like the one you found. We can switch if it doesn't break anything... What kind of expressions need to be supported though? 🤔

[jywarren]

It's designed just for simple mathematic expressions to do color channel compositing - so this should be fine!

[jywarren]

Check out #1729!