Grpc-node: GRPC Prevents Content Security Policy from working without including 'unsafe-eval'

Created on 22 Jul 2018  路  5Comments  路  Source: grpc/grpc-node

In GRPC-node 1.11.3:

var log_template = _.template(
    '{severity} {timestamp}\t{file}:{line}]\t{message}',
    {interpolate: /{([\s\S]+?)}/g});

The use of lodash's _.template function requires eval in a production environment. It seems kind of needless that this function is used here for something as mundane as logging, given the security implications. Is it avoidable?

All 5 comments

It is most certainty avoidable, yes. Thanks for bringing this to our attention.

Thanks very much for your reply @nicolasnoble. I'm glad to hear this won't require any serious rewrites to remedy.

Is there any chance this fix, when implemented, will be backported to [email protected]? Google's Firebase relys on 1.11.3 and I'm not sure if/when they plan to change their dependency, but I know they're pushing this version on all users of their Firebase-js-sdk

Backporting to such an old release seems unlikely, but we'll discuss it on Monday.

I figured, but given the circumstances of Google depending on it for something as widely used as Firebase, I thought it might be worth backporting. Thanks again!

[email protected] has been published containing this fix. Firebase will work on updating to this version now.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

aryehb picture aryehb  路  6Comments

yanbou893 picture yanbou893  路  5Comments

ozt88 picture ozt88  路  3Comments

keyvhinng picture keyvhinng  路  5Comments

bkw picture bkw  路  5Comments