fix: disallow usage of Object.constructor

commenthol · Mar 9, 2019 · 1c29f6a · 1c29f6a
1 parent 74e5bb8
commit 1c29f6a
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/src/index.js b/src/index.js
@@ -40,8 +40,11 @@ class SaferEval {
     if (typeof code !== 'string') {
       throw new TypeError('not a string')
     }
+    let src = 'Object.constructor = function () {};\n'
+    src += 'return ' + code + ';\n'
+
     return vm.runInContext(
-      '(function () {"use strict"; return ' + code + '})()',
+      '(function () {"use strict"; ' + src + '})()',
       this._context,
       this._options
     )