Replaced eval with Function for security

2025-08-11 05:58:59 +08:00 · 2022-06-03 20:36:06 +08:00 · 2022-06-03 20:36:06 +08:00 · 1678d2cb65
commit 1678d2cb65
parent cc628788fc
5 changed files with 34 additions and 26 deletions
--- a/backend/dist/sub-store-parser.loon.min.js
+++ b/backend/dist/sub-store-parser.loon.min.js
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -1,17 +1,18 @@
 {
  "name": "sub-store",
-  "version": "1.5.1",
+  "version": "1.6",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "sub-store",
-      "version": "1.5.1",
+      "version": "1.6",
      "license": "GPL",
      "dependencies": {
        "body-parser": "^1.19.0",
        "express": "^4.17.1",
        "js-base64": "^3.7.2",
+        "lodash": "^4.17.21",
        "request": "^2.88.2",
        "static-js-yaml": "^1.0.0"
      },
@ -7628,6 +7629,11 @@
        "node": ">=6"
      }
    },
+    "node_modules/lodash": {
+      "version": "4.17.21",
+      "resolved": "https://registry.npmmirror.com/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
+    },
    "node_modules/lodash._reinterpolate": {
      "version": "3.0.0",
      "resolved": "https://registry.npmmirror.com/lodash._reinterpolate/-/lodash._reinterpolate-3.0.0.tgz",
@ -18538,6 +18544,11 @@
        "path-exists": "^3.0.0"
      }
    },
+    "lodash": {
+      "version": "4.17.21",
+      "resolved": "https://registry.npmmirror.com/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
+    },
    "lodash._reinterpolate": {
      "version": "3.0.0",
      "resolved": "https://registry.npmmirror.com/lodash._reinterpolate/-/lodash._reinterpolate-3.0.0.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@ -15,6 +15,7 @@
    "body-parser": "^1.19.0",
    "express": "^4.17.1",
    "js-base64": "^3.7.2",
+    "lodash": "^4.17.21",
    "request": "^2.88.2",
    "static-js-yaml": "^1.0.0"
  },
--- a/backend/src/core/proxy-utils.js
+++ b/backend/src/core/proxy-utils.js
@ -1,10 +1,11 @@
 /* eslint-disable no-case-declarations */
-// eslint-disable-next-line no-unused-vars
-import { AND, FULL, OR, NOT } from '../utils/logical';
+import { HTTP } from '../vendor/open-api';
 import { safeLoad } from 'static-js-yaml';
 import download from '../utils/download';
+import { FULL } from '../utils/logical';
 import { getFlag } from '../utils/geo';
 import { Base64 } from 'js-base64';
+import lodash from 'lodash';

 import $ from './app';

@ -1186,26 +1187,18 @@ const PROXY_PROCESSORS = (function () {
     1. This function name should be `operator`!
     2. Always declare variables before using them!
     */
-    // eslint-disable-next-line no-unused-vars
    function ScriptOperator(script, targetPlatform, $arguments) {
        return {
            name: 'Script Operator',
            func: async (proxies) => {
                let output = proxies;
                await (async function () {
-                    // interface to get internal operators
-
-                    // eslint-disable-next-line no-unused-vars
-                    const $get = (name, args) => {
-                        const item = PROXY_PROCESSORS[name];
-                        return item(args);
-                    };
-                    // eslint-disable-next-line no-unused-vars
-                    const $process = ApplyProcessor;
-
-                    eval(script);
-
-                    // eslint-disable-next-line no-undef
+                    const operator = new Function(
+                        '$arguments',
+                        'HTTP',
+                        'lodash',
+                        `${script}\n return operator`,
+                    )($arguments, HTTP, lodash);
                    output = operator(proxies, targetPlatform);
                })();
                return output;
@ -1306,15 +1299,18 @@ const PROXY_PROCESSORS = (function () {
     1. This function name should be `filter`!
     2. Always declare variables before using them!
     */
-    // eslint-disable-next-line no-unused-vars
    function ScriptFilter(script, targetPlatform, $arguments) {
        return {
            name: 'Script Filter',
            func: async (proxies) => {
                let output = FULL(proxies.length, true);
                await (async function () {
-                    eval(script);
-                    // eslint-disable-next-line no-undef
+                    const filter = new Function(
+                        '$arguments',
+                        'HTTP',
+                        'lodash',
+                        `${script}\n return filter`,
+                    )($arguments, HTTP, lodash);
                    output = filter(proxies, targetPlatform);
                })();
                return output;
@ -1956,7 +1952,7 @@ export async function ApplyProcessor(processor, objs) {
        // select proxies
        let selected = FULL(objs.length, true);
        try {
-            selected = AND(selected, await filter.func(objs));
+            selected = await filter.func(objs);
        } catch (err) {
            // print log and skip this filter
            console.log(`Cannot apply filter ${filter.name}\n Reason: ${err}`);
--- a/backend/sub-store.min.js
+++ b/backend/sub-store.min.js