From 1c29f6a6e304fb650c05056e217e457a0d2cc3c5 Mon Sep 17 00:00:00 2001
From: commenthol
Date: Sat, 9 Mar 2019 21:54:53 +0100
Subject: [PATCH] fix: disallow usage of Object.constructor
---
 src/index.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/index.js b/src/index.js
index 19e5f19..99379c8 100644
--- a/src/index.js
+++ b/src/index.js
@@ -40,8 +40,11 @@ class SaferEval {
 if (typeof code !== 'string') {
 throw new TypeError('not a string')
 }
+ let src = 'Object.constructor = function () {};\n'
+ src += 'return ' + code + ';\n'
+
 return vm.runInContext(
- '(function () {"use strict"; return ' + code + '})()',
+ '(function () {"use strict"; ' + src + '})()',
 this._context,
 this._options
 )
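Review bot: The added prelude `Object.constructor = function () {};` is a one-entry denylist, set as an ordinary assignment in the same function body and context that then evaluates `code`, so it is neither a complete guard nor a tamper-resistant one. If the guard stays, it would be more robust defined once where the context is created, as a non-writable, non-configurable property, rather than reassigned on every call. The line should also carry a comment such as `// Defence in depth only: node's vm module is not a security boundary; never pass untrusted input to this method`. The diffstat shows only src/index.js changing, so the fix ships without a regression test for the case it is meant to block. The method around this hunk starts and ends outside the visible lines, so how `this._context` is built cannot be checked from here.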