| 1 | // Expression parser security
|
| 2 | //
|
| 3 | // Executing arbitrary expressions like enabled by the expression parser of
|
| 4 | // mathjs involves a risk in general. When you're using mathjs to let users
|
| 5 | // execute arbitrary expressions, it's good to take a moment to think about
|
| 6 | // possible security and stability implications, especially when running the
|
| 7 | // code server side.
|
| 8 | //
|
| 9 | // There is a small number of functions which yield the biggest security risk
|
| 10 | // in the expression parser of math.js:
|
| 11 | //
|
| 12 | // - `import` and `createUnit` which alter the built-in functionality and allow
|
| 13 | // overriding existing functions and units.
|
| 14 | // - `evaluate`, `parse`, `simplify`, and `derivative` which parse arbitrary input
|
| 15 | // into a manipulable expression tree.
|
| 16 | //
|
| 17 | // To make the expression parser less vulnerable whilst still supporting most
|
| 18 | // functionality, these functions can be disabled, as demonstrated in this
|
| 19 | // example.
|
| 20 |
|
| 21 | const { create, all } = require('../..')
|
| 22 | const math = create(all)
|
| 23 |
|
| 24 | const limitedEvaluate = math.evaluate
|
| 25 |
|
| 26 | math.import({
|
| 27 | import: function () { throw new Error('Function import is disabled') },
|
| 28 | createUnit: function () { throw new Error('Function createUnit is disabled') },
|
| 29 | evaluate: function () { throw new Error('Function evaluate is disabled') },
|
| 30 | parse: function () { throw new Error('Function parse is disabled') },
|
| 31 | simplify: function () { throw new Error('Function simplify is disabled') },
|
| 32 | derivative: function () { throw new Error('Function derivative is disabled') }
|
| 33 | }, { override: true })
|
| 34 |
|
| 35 | console.log(limitedEvaluate('sqrt(16)')) // Ok, 4
|
| 36 | console.log(limitedEvaluate('parse("2+3")')) // Error: Function parse is disabled
|