From 138e311038ec8bac7a7f142067397ad481d20b78 Mon Sep 17 00:00:00 2001
From: alokhyland
Date: Tue, 8 Oct 2024 15:09:00 +0530
Subject: [PATCH] ELEMENTS-1759: Remove usage of unsafe-eval from CSP
---
 ui/nuxeo-filter.js | 41 ++++++++++++++-----------------
 ui/viewers/pdfjs/.DS_Store | Bin 0 -> 6148 bytes
 ui/viewers/pdfjs/web/viewer.html | 4 +--
 3 files changed, 20 insertions(+), 25 deletions(-)
 create mode 100644 ui/viewers/pdfjs/.DS_Store
diff --git a/ui/nuxeo-filter.js b/ui/nuxeo-filter.js
index 642b814f5..90976c3d0 100644
--- a/ui/nuxeo-filter.js
+++ b/ui/nuxeo-filter.js
@@ -18,7 +18,6 @@ limitations under the License.
 import '@polymer/polymer/polymer-legacy.js';
 import '@nuxeo/nuxeo-elements/nuxeo-element.js';
-import { config } from '@nuxeo/nuxeo-elements';
 import { Debouncer } from '@polymer/polymer/lib/utils/debounce.js';
 import { microTask } from '@polymer/polymer/lib/utils/async.js';
 import { enqueueDebouncer } from '@polymer/polymer/lib/utils/flush.js';
@@ -185,29 +184,25 @@ import Interpreter from './js-interpreter/interpreter.js';
     let res = false;
     try {
-      if (!config.get('expressions.eval', true)) {
-        const js = new Interpreter(expression, (interpreter, scope) => {
-          // set scope
-          interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
-          Object.entries({ document, user }).forEach(([k, obj]) => {
-            const v = {};
-            // filter out private properties
-            Object.getOwnPropertyNames(obj)
-              .filter((p) => !p.startsWith('_'))
-              .forEach((p) => {
-                v[p] = obj[p];
-              });
-            interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
-          });
-          // XXX: 'this' in the scope of native functions is the interpreter instance
-          Object.assign(interpreter, FiltersBehavior);
+      const js = new Interpreter(expression, (interpreter, scope) => {
+        // set scope
+        interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
+        Object.entries({ document, user }).forEach(([k, obj]) => {
+          const v = {};
+          // filter out private properties
+          Object.getOwnPropertyNames(obj)
+            .filter((p) => !p.startsWith('_'))
+            .forEach((p) => {
+              v[p] = obj[p];
+            });
+          interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
         });
-        js.run();
-        res = js.value;
-      } else {
-        const fn = new Function(['document', 'user'], `return ${expression};`);
-        res = fn.apply(this, [document, user]);
-      }
+        // XXX: 'this' in the scope of native functions is the interpreter instance
+        Object.assign(interpreter, FiltersBehavior);
+      });
+      js.run();
+      res = js.value;
+      return res;
     } catch (err) {
       console.error(`${err} in expression "${expression}"`);
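Review bot: Dropping the `config.get('expressions.eval', true)` branch means a deployment that had opted into native evaluation now silently falls back to the sandboxed interpreter, and any expression using syntax the JS-Interpreter does not support will start being caught by the catch block at the end of the hunk, logged, and evaluated as `false`; nothing in the new code records that this is now the only evaluation path or that the config key is no longer honored. A comment above the `new Interpreter(...)` line stating the contract, e.g. `// Expressions are always evaluated in the sandboxed JS-Interpreter so the page CSP no longer needs 'unsafe-eval'; the former 'expressions.eval' config key is not consulted.`, plus a changelog entry for the removed key, would make the behavior change explicit to operators. The added `return res;` inside the try is most likely redundant with a `return res;` after the catch — the enclosing function continues outside the hunk, so please confirm, and drop whichever is unreachable. Separately, the diffstat on the first line shows `ui/viewers/pdfjs/.DS_Store` being added; that is macOS metadata unrelated to this change and should be removed from the commit.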
diff --git a/ui/viewers/pdfjs/.DS_Store b/ui/viewers/pdfjs/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..edc74b0b58e1323e79dd60115ef7c5d565f266b8 GIT binary patch literal 6148 zcmeH~J!%6%427R!7lt%jx|}8l$PET#pTHLgCdQ3%AdsY;qvz?T@g{Xx!V^euq*<}M zU$L_SV7rgkXJ7)bp}XSA!_18N3ST(m^m%;0UEgjOR=f&4M9hqp3A6p$mWY4|h=2%) zfCwyzK%U~*JTB;&^e7@A0?Q!a--kwb?WH3%J{=4(0#Mg1hjAUV1hsjA+Dk_&D>SR= z!K&3_4DoujQ(IlvOGj$9!)o}jy0iHdL$hp$H6}FcAqpZO0y6@u%qKtp5A@&W|5=Mt z5fFiYM!?ql<9^4Nsv{d9s=gj{YFy56_Y=UxkK!#ojQh - + - +