Description
Hi,
While reviewing expr-eval, I noticed a security issue in the public API toJSFunction().
Summary
toJSFunction() converts an expression to a JavaScript source string using toString() and then executes it via new Function(). Because the generated code is not sandboxed or sanitized, a crafted expression can escape the intended expression context and execute arbitrary JavaScript code.
Affected code
The issue appears to originate from the following logic:
- Expression.prototype.toJSFunction()
- Code generation via toString()
- Execution using new Function(...)
Impact
If untrusted input is passed to Parser.parse() and later compiled using toJSFunction(), this can result in arbitrary JavaScript execution in the host environment.
This behavior may be unexpected for users who assume expr-eval provides a safe expression evaluation mechanism.
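The safer design for compiling an expression is to turn the parsed tree into a closure instead of into source text for new Function(), so that no expression content is ever evaluated as JavaScript and identifiers resolve only against an explicit scope and allowlist. The example below is added here and is not expr-eval's own code; the AST node shapes, operator table and function allowlist are constructed for the illustration.

```javascript
// Added example, not expr-eval's code: compile a constructed expression AST into
// a closure rather than generating JavaScript source for new Function().
// Look a key up as an own property only, so names such as "constructor" or
// "__proto__" cannot reach Object.prototype through the lookup table.
function own(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}
const SAFE_BINARY_OPS = { '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b, '/': (a, b) => a / b };
// Only functions listed here are callable from an expression; nothing else in
// the host environment is reachable, because no source text is ever evaluated.
const SAFE_FUNCTIONS = { abs: Math.abs, max: Math.max, min: Math.min };
function compileToClosure(node) {
  switch (node.type) {
    case 'number':
      return () => node.value;
    case 'variable':
      // Resolve only against the caller-supplied scope; unknown names are errors, not globals.
      return (scope) => {
        const v = own(scope, node.name);
        if (v === undefined) throw new Error('unknown variable: ' + node.name);
        return v;
      };
    case 'binary': {
      const op = own(SAFE_BINARY_OPS, node.op);
      if (!op) throw new Error('unsupported operator: ' + node.op);
      const left = compileToClosure(node.left);
      const right = compileToClosure(node.right);
      return (scope) => op(left(scope), right(scope));
    }
    case 'call': {
      const fn = own(SAFE_FUNCTIONS, node.name);
      if (!fn) throw new Error('unsupported function: ' + node.name);
      const args = node.args.map(compileToClosure);
      return (scope) => fn(...args.map((a) => a(scope)));
    }
    default:
      throw new Error('unsupported node type: ' + node.type);
  }
}

// Constructed sample tree for the expression 2 * x + max(y, 3).
const SAMPLE_AST = {
  type: 'binary', op: '+',
  left: { type: 'binary', op: '*', left: { type: 'number', value: 2 }, right: { type: 'variable', name: 'x' } },
  right: { type: 'call', name: 'max', args: [{ type: 'variable', name: 'y' }, { type: 'number', value: 3 }] },
};
function evaluateSample(scope) {
  return compileToClosure(SAMPLE_AST)(scope);
}
```

Because the compiled closure never sees source text, a node's string content can only ever be data, and a call to a name outside SAFE_FUNCTIONS fails at compile time.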
Proof of concept
I have prepared a minimal reproducible example demonstrating the issue:
<LINK_TO_GIST>
Notes
I am reporting this responsibly and have not publicly disclosed details elsewhere.
Please let me know if you would prefer a private security disclosure instead.
Thanks for your time.