Released mathjs v3.13.1

This commit is contained in:
jos 2017-05-12 20:59:02 +02:00
parent 41ab57b701
commit 3878d19eff
30 changed files with 204 additions and 57 deletions


@ -7,7 +7,8 @@ layout: default
Executing arbitrary expressions like enabled by the expression parser of
mathjs involves a risk in general. When you're using mathjs to let users
execute arbitrary expressions, it's good to take a moment to think about
possible security and stability implications.
possible security and stability implications, especially when running
the code server side.
<h2 id="security-risks">Security risks <a href="#security-risks" title="Permalink">#</a></h2>
@ -29,6 +30,37 @@ types of security risks. The risk whe running inside a browser may be
limited though it's good to be aware of [Cross side scripting (XSS)](https://www.wikiwand.com/en/Cross-site_scripting) vulnerabilities. A nice overview of
security risks of a node.js servers is listed in an article [Node.js security checklist](https://blog.risingstack.com/node-js-security-checklist/) by Gergely Nemeth.
<h3 id="less-vulnerable-expression-parser">Less vulnerable expression parser <a href="#less-vulnerable-expression-parser" title="Permalink">#</a></h3>
There is a small number of functions which yield the biggest security
risk in the expression parser:
- `import` and `createUnit` which alter the built-in functionality and
allow overriding existing functions and units.
- `eval`, `parse`, `simplify`, and `derivative` which parse arbitrary
input into a manipulable expression tree.
To make the expression parser less vulnerable whilst still supporting
most functionality, these functions can be disabled:
```js
var math = require('mathjs');
var limitedEval = math.eval;
math.import({
'import': function () { throw new Error('Function import is disabled') },
'createUnit': function () { throw new Error('Function createUnit is disabled') },
'eval': function () { throw new Error('Function eval is disabled') },
'parse': function () { throw new Error('Function parse is disabled') },
'simplify': function () { throw new Error('Function simplify is disabled') },
'derivative': function () { throw new Error('Function derivative is disabled') }
}, {override: true});
console.log(limitedEval('sqrt(16)')); // Ok, 4
console.log(limitedEval('parse("2+3")')); // Error: Function parse is disabled
```
<h3 id="found-a-security-vulnerability-please-report-in-private">Found a security vulnerability? Please report in private! <a href="#found-a-security-vulnerability-please-report-in-private" title="Permalink">#</a></h3>
You found a security vulnerability? Awesome! We hope you don't have bad


@ -36,8 +36,8 @@ Math.js can be downloaded or linked from [cdnjs](http://cdnjs.com/):
<table class="download">
<tr>
<td>
<a href="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.js">
Development (version 3.13.0)
<a href="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.js">
Development (version 3.13.1)
</a>
</td>
<td>
@ -46,8 +46,8 @@ Math.js can be downloaded or linked from [cdnjs](http://cdnjs.com/):
</tr>
<tr>
<td>
<a href="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js">
Production (version 3.13.0)
<a href="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js">
Production (version 3.13.1)
</a>
</td>
<td>


@ -0,0 +1,34 @@
// Expression parser security
//
// Executing arbitrary expressions like enabled by the expression parser of
// mathjs involves a risk in general. When you're using mathjs to let users
// execute arbitrary expressions, it's good to take a moment to think about
// possible security and stability implications, especially when running the
// code server side.
//
// There is a small number of functions which yield the biggest security risk
// in the expression parser of math.js:
//
// - `import` and `createUnit` which alter the built-in functionality and allow
// overriding existing functions and units.
// - `eval`, `parse`, `simplify`, and `derivative` which parse arbitrary input
// into a manipulable expression tree.
//
// To make the expression parser less vulnerable whilst still supporting most
// functionality, these functions can be disabled, as demonstrated in this
// example.
var math = require('../../index');
var limitedEval = math.eval;
math.import({
'import': function () { throw new Error('Function import is disabled') },
'createUnit': function () { throw new Error('Function createUnit is disabled') },
'eval': function () { throw new Error('Function eval is disabled') },
'parse': function () { throw new Error('Function parse is disabled') },
'simplify': function () { throw new Error('Function simplify is disabled') },
'derivative': function () { throw new Error('Function derivative is disabled') }
}, {override: true});
console.log(limitedEval('sqrt(16)')); // Ok, 4
console.log(limitedEval('parse("2+3")')); // Error: Function parse is disabled
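Review bot: The `math.import({...}, {override: true})` call also replaces `math.import` itself with the throwing stub, so after this point the host application can no longer add or override anything on this instance either; the example depends on capturing `math.eval` as `limitedEval` before the call, but says nothing about that ordering. A comment above the call, `// Note: this replaces math.import itself, so capture math.eval (limitedEval) and do any other customization of this instance BEFORE this call`, would make the constraint explicit. The override is applied to the shared instance returned by `require`, so an application that also needs an unrestricted evaluator elsewhere should apply the block to a separate instance (for example one obtained from `math.create()`) rather than the singleton. These lines are the whole of the new file, so no enclosing function is cut.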


@ -0,0 +1,48 @@
---
layout: default
---
# More secure eval
File: [more_secure_eval.js](more_secure_eval.js)
```js
// Expression parser security
//
// Executing arbitrary expressions like enabled by the expression parser of
// mathjs involves a risk in general. When you're using mathjs to let users
// execute arbitrary expressions, it's good to take a moment to think about
// possible security and stability implications, especially when running the
// code server side.
//
// There is a small number of functions which yield the biggest security risk
// in the expression parser of math.js:
//
// - `import` and `createUnit` which alter the built-in functionality and allow
// overriding existing functions and units.
// - `eval`, `parse`, `simplify`, and `derivative` which parse arbitrary input
// into a manipulable expression tree.
//
// To make the expression parser less vulnerable whilst still supporting most
// functionality, these functions can be disabled, as demonstrated in this
// example.
var math = require('../../index');
var limitedEval = math.eval;
math.import({
'import': function () { throw new Error('Function import is disabled') },
'createUnit': function () { throw new Error('Function createUnit is disabled') },
'eval': function () { throw new Error('Function eval is disabled') },
'parse': function () { throw new Error('Function parse is disabled') },
'simplify': function () { throw new Error('Function simplify is disabled') },
'derivative': function () { throw new Error('Function derivative is disabled') }
}, {override: true});
console.log(limitedEval('sqrt(16)')); // Ok, 4
console.log(limitedEval('parse("2+3")')); // Error: Function parse is disabled
```
<!-- Note: This file is automatically generated. Changes made in this file will be overridden. -->


@ -14,7 +14,7 @@
}
</style>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
</head>
<body>


@ -23,7 +23,7 @@ File: [angle_configuration.html](angle_configuration.html)
}
</style>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
</head>
<body>


@ -2,7 +2,7 @@
<html>
<head>
<title>math.js | basic usage</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
</head>
<body>


@ -11,7 +11,7 @@ File: [basic_usage.html](basic_usage.html)
<html>
<head>
<title>math.js | basic usage</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
</head>
<body>


@ -3,7 +3,7 @@
<head>
<title>math.js | currency conversion</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
<style>
body,


@ -12,7 +12,7 @@ File: [currency_conversion.html](currency_conversion.html)
<head>
<title>math.js | currency conversion</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
<style>
body,


@ -14,7 +14,7 @@
}
</style>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
</head>
<body>


@ -23,7 +23,7 @@ File: [custom_separators.html](custom_separators.html)
}
</style>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
</head>
<body>


@ -7,7 +7,7 @@
<script src="//cdnjs.cloudflare.com/ajax/libs/es5-shim/2.2.0/es5-shim.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/es5-shim/2.2.0/es5-sham.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
</head>
<body>


@ -16,7 +16,7 @@ File: [old_browsers.html](old_browsers.html)
<script src="//cdnjs.cloudflare.com/ajax/libs/es5-shim/2.2.0/es5-shim.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/es5-shim/2.2.0/es5-sham.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
</head>
<body>


@ -2,7 +2,7 @@
<html>
<head>
<title>math.js | plot</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
<!-- load http://maurizzzio.github.io/function-plot/ -->
<script src="http://cdnjs.cloudflare.com/ajax/libs/d3/3.5.5/d3.min.js"></script>


@ -11,7 +11,7 @@ File: [plot.html](plot.html)
<html>
<head>
<title>math.js | plot</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
<!-- load http://maurizzzio.github.io/function-plot/ -->
<script src="http://cdnjs.cloudflare.com/ajax/libs/d3/3.5.5/d3.min.js"></script>


@ -3,7 +3,7 @@
<head>
<title>math.js | pretty printing with MathJax</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjax/2.3/MathJax.js?config=TeX-AMS-MML_HTMLorMML.js"></script>
<style>


@ -12,7 +12,7 @@ File: [pretty_printing_with_mathjax.html](pretty_printing_with_mathjax.html)
<head>
<title>math.js | pretty printing with MathJax</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjax/2.3/MathJax.js?config=TeX-AMS-MML_HTMLorMML.js"></script>
<style>


@ -8,7 +8,7 @@
<script>
// load math.js using require.js
require(['http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js'], function (math) {
require(['http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js'], function (math) {
// evaluate some expression
var result = math.eval('1.2 * (2 + 4.5)');
document.write(result);


@ -17,7 +17,7 @@ File: [requirejs_loading.html](requirejs_loading.html)
<script>
// load math.js using require.js
require(['http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js'], function (math) {
require(['http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js'], function (math) {
// evaluate some expression
var result = math.eval('1.2 * (2 + 4.5)');
document.write(result);


@ -3,7 +3,7 @@
<head>
<title>math.js | rocket trajectory optimization</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.5.0/Chart.min.js"></script>
<style>


@ -12,7 +12,7 @@ File: [rocket_trajectory_optimization.html](rocket_trajectory_optimization.html)
<head>
<title>math.js | rocket trajectory optimization</title>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/2.5.0/Chart.min.js"></script>
<style>


@ -91,7 +91,7 @@ File: [webworkers.html](webworkers.html)
File: [worker.js](worker.js)
```js
importScripts('http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js');
importScripts('http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js');
// create a parser
var parser = math.parser();


@ -1,4 +1,4 @@
importScripts('http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.0/math.min.js');
importScripts('http://cdnjs.cloudflare.com/ajax/libs/mathjs/3.13.1/math.min.js');
// create a parser
var parser = math.parser();


@ -39,6 +39,7 @@ layout: default
- [Custom loading](advanced/custom_loading.js.html)
- [Expression trees](advanced/expression_trees.js.html)
- [Function transform](advanced/function_transform.js.html)
- [More secure eval](advanced/more_secure_eval.js.html)
- [Web server](advanced/web_server/index.html)
<!-- Note: This file is automatically generated. Changes made in this file will be overridden. -->


@ -4,6 +4,13 @@ layout: default
<h1 id="history">History <a href="#history" title="Permalink">#</a></h1>
<h2 id="20170512-version-3131">2017-05-12, version 3.13.1 <a href="#20170512-version-3131" title="Permalink">#</a></h2>
- Fixed creating units with an alias not working within the expression
parser.
- Fixed security vulnerabilities. Thanks Sam.
<h2 id="20170512-version-3130">2017-05-12, version 3.13.0 <a href="#20170512-version-3130" title="Permalink">#</a></h2>
- Command line application can now evaluate inline expressions


@ -6,7 +6,7 @@
* It features real and complex numbers, units, matrices, a large set of
* mathematical functions, and a flexible expression parser.
*
* @version 3.13.0
* @version 3.13.1
* @date 2017-05-12
*
* @license
@ -1374,7 +1374,7 @@ exports.map = function(object, callback) {
var clone = {};
for (var key in object) {
if (Object.hasOwnProperty.call(object, key)) {
if (exports.hasOwnProperty(object, key)) {
clone[key] = callback(object[key]);
}
}
@ -1390,7 +1390,7 @@ exports.map = function(object, callback) {
*/
exports.extend = function(a, b) {
for (var prop in b) {
if (Object.hasOwnProperty.call(b, prop)) {
if (exports.hasOwnProperty(b, prop)) {
a[prop] = b[prop];
}
}
@ -1410,7 +1410,7 @@ exports.deepExtend = function deepExtend (a, b) {
}
for (var prop in b) {
if (Object.hasOwnProperty.call(b, prop)) {
if (exports.hasOwnProperty(b, prop)) {
if (b[prop] && b[prop].constructor === Object) {
if (a[prop] === undefined) {
a[prop] = {};
@ -2076,16 +2076,37 @@ exports.format = function(value, options) {
/**
* Stringify a value into a string enclosed in double quotes.
* Double quotes inside the value are escaped.
* Unescaped double quotes and backslashes inside the value are escaped.
* @param {*} value
* @return {string}
*/
exports.stringify = function (value) {
var str = String(value).replace(/([^\\]|^)"/g, function (full, before) {
return before + '\\"';
});
var text = String(value);
var escaped = '';
var i = 0;
while (i < text.length) {
var c = text.charAt(i);
return '"' + str + '"';
if (c === '\\') {
escaped += c;
i++;
c = text.charAt(i);
if (c === '' || '"\\/bfnrtu'.indexOf(c) === -1) {
escaped += '\\'; // no valid escape character -> escape it
}
escaped += c;
}
else if (c === '"') {
escaped += '\\"';
}
else {
escaped += c;
}
i++;
}
return '"' + escaped + '"';
}
/**
@ -3840,6 +3861,8 @@ exports.factory = factory;
"use strict";
var hasOwnProperty = __webpack_require__(5).hasOwnProperty;
/**
* Get a property of a plain object
* Throws an error in case the object is not a plain object or the
@ -3853,7 +3876,7 @@ function getSafeProperty (object, prop) {
if (isPlainObject(object)) {
// only allow getting properties defined on the object itself,
// not inherited from it's prototype.
if (Object.hasOwnProperty.call(object, prop)) {
if (hasOwnProperty(object, prop)) {
return object[prop];
}
@ -3889,7 +3912,7 @@ function setSafeProperty (object, prop, value) {
// property already exists
// override when the property is defined on the object itself.
// don't allow overriding inherited properties like .constructor or .toString
if (Object.hasOwnProperty.call(object, prop)) {
if (hasOwnProperty(object, prop)) {
return object[prop] = value;
}
}
@ -3932,13 +3955,13 @@ function isSafeMethod (object, method) {
}
// test for plain functions defined on the object (instead of a method)
if (Object.hasOwnProperty.call(object, method) && isPlainObject(object)) {
if (hasOwnProperty(object, method) && isPlainObject(object)) {
return true;
}
// only allow methods from the whitelist
// TODO: also check whether this method is supported on given object
return safeMethods[method];
return hasOwnProperty(safeMethods, method);
}
function isPlainObject (object) {
@ -25978,7 +26001,9 @@ function factory (type, config, load, typed, math) {
definition = obj.definition;
prefixes = obj.prefixes;
offset = obj.offset;
aliases = obj.aliases;
if (obj.aliases) {
aliases = obj.aliases.valueOf(); // aliases could be a Matrix, so convert to Array
}
}
else {
throw new TypeError('Cannot create unit "' + name + '" from "' + obj.toString() + '": expecting "string" or "Unit" or "Object"');
@ -49879,7 +49904,7 @@ module.exports = function scatter(a, j, w, x, u, mark, c, f, inverse, update, va
/* 511 */
/***/ (function(module, exports) {
module.exports = '3.13.0';
module.exports = '3.13.1';
// Note: This file is automatically generated when building math.js.
// Changes made in this file will be overwritten.


js/lib/math.min.js vendored



@ -6,7 +6,7 @@
"url": "https://github.com/josdejong/mathjs.git"
},
"dependencies": {
"mathjs": "3.13.0"
"mathjs": "3.13.1"
},
"devDependencies": {
"glob": "^4.3.5",