update static-eval, closes #34, #35 (#38)

goto-bus-stop · web-flow · commit 33245c6e0506 · 2017-11-19T20:03:53.000+01:00
* deps(package): Update static-eval to 2.0 Fixes https://nodesecurity.io/advisories/548 * use proxy value for callbacks when static-eval fails builds on #35, but when static-eval cannot evaluate a callback function because it is unsafe, this passes a proxy value. when the proxy callback function is called, it throws an error, but when it is stringified (eg in the generated output) it'll work. this works with brfs, i haven't tried others yet. * make sure `callee` exists * ci: remove node 0.8, add new versions
diff --git a/.travis.yml b/.travis.yml
@@ -1,4 +1,7 @@
 language: node_js
 node_js:
-  - "0.8"
+  - 9
+  - 8
+  - 6
+  - 4 
   - "0.10"
diff --git a/index.js b/index.js
@@ -287,8 +287,31 @@ module.exports = function parse (modules, opts) {
             
             var xvars = copy(vars);
             xvars[node.name] = val;
-            
+
             var res = evaluate(cur, xvars);
+            if (res === undefined && cur.type === 'CallExpression') {
+                // static-eval can't safely evaluate code with callbacks, so do it manually in a safe way
+                var callee = evaluate(cur.callee, xvars);
+                var args = cur.arguments.map(function (arg) {
+                    // Return a function stub for callbacks so that `static-module` users
+                    // can do `callback.toString()` and get the original source
+                    if (arg.type === 'FunctionExpression' || arg.type === 'ArrowFunctionExpression') {
+                        var fn = function () {
+                            throw new Error('static-module: cannot call callbacks defined inside source code');
+                        };
+                        fn.toString = function () {
+                            return body.slice(arg.start, arg.end);
+                        };
+                        return fn;
+                    }
+                    return evaluate(arg, xvars);
+                });
+
+                if (callee !== undefined) {
+                    res = callee.apply(null, args);
+                }
+            }
+
             if (res !== undefined) {
                 updates.push({
                     start: cur.start,
diff --git a/package.json b/package.json
@@ -13,7 +13,7 @@
     "quote-stream": "~1.0.2",
     "readable-stream": "~2.3.3",
     "shallow-copy": "~0.0.1",
-    "static-eval": "~0.2.0",
+    "static-eval": "^2.0.0",
     "through2": "~2.0.3"
   },
   "devDependencies": {

-Original file line number
+Diff line change
@@ @@ -1,4 +1,7 @@ @@
 language: node_js
 node_js:
 -  - "0.8"
 +  - 9
 +  - 8
 +  - 6
 +  - 4
   - "0.10"