mirror of
https://github.com/josdejong/mathjs.git
synced 2026-01-18 14:59:29 +00:00
c5971b371a
* chore(package): update standard to version 12.0.0
* update to new lint version with --fix
I believe this mainly adds whitespace to `{}`'s.
* Replace assert.equal with assert.strictEqual
This breaks a lot of tests which I will endevour to fix in the next
commits.
* Fix most errors due to assert.strictEquals
Some instances of `strictEquals` are replaced by `deepEquals`.
`toString` has been used to make some string comparisions explicit.
Tests will still fail untill #1236 and #1237 are fixed.
* Fix assertion erros due to -0
With node 10, assert.strictEqual no longer considers `0 === -0`.
I missed these first time round as I was using node 8.
* Put toString correct side of bracket
I was converting the constructor to a string rather
than the result of the computation. Oops.
* Fixed #1236: quantileSeq has inconsistant return
* Update package-lock
* Fixed #1237: norm sometimes returning a complex number instead of number
* Fix cli tests
* More changes for standardjs, and fixes in unit tests
35 lines
1.6 KiB
JavaScript
35 lines
1.6 KiB
JavaScript
// Expression parser security
|
|
//
|
|
// Executing arbitrary expressions like enabled by the expression parser of
|
|
// mathjs involves a risk in general. When you're using mathjs to let users
|
|
// execute arbitrary expressions, it's good to take a moment to think about
|
|
// possible security and stability implications, especially when running the
|
|
// code server side.
|
|
//
|
|
// There is a small number of functions which yield the biggest security risk
|
|
// in the expression parser of math.js:
|
|
//
|
|
// - `import` and `createUnit` which alter the built-in functionality and allow
|
|
// overriding existing functions and units.
|
|
// - `eval`, `parse`, `simplify`, and `derivative` which parse arbitrary input
|
|
// into a manipulable expression tree.
|
|
//
|
|
// To make the expression parser less vulnerable whilst still supporting most
|
|
// functionality, these functions can be disabled, as demonstrated in this
|
|
// example.
|
|
|
|
const math = require('../../index')
|
|
const limitedEval = math.eval
|
|
|
|
math.import({
|
|
'import': function () { throw new Error('Function import is disabled') },
|
|
'createUnit': function () { throw new Error('Function createUnit is disabled') },
|
|
'eval': function () { throw new Error('Function eval is disabled') },
|
|
'parse': function () { throw new Error('Function parse is disabled') },
|
|
'simplify': function () { throw new Error('Function simplify is disabled') },
|
|
'derivative': function () { throw new Error('Function derivative is disabled') }
|
|
}, { override: true })
|
|
|
|
console.log(limitedEval('sqrt(16)')) // Ok, 4
|
|
console.log(limitedEval('parse("2+3")')) // Error: Function parse is disabled
|