My site which loads the pdfmake API has everything on green with the CSP validator from Google, except the 'unsafe-eval' from pdfmake, which I feel forced to apply, otherwise the browser doesn't load it.
Is there a way for pdfmake not to violate the unsafe-eval CSP rule for scripts?

Thank you in advance
pdfmake does not use eval. eval is in the third-party library, see https://github.com/bpampuch/pdfmake/issues/816.
Anyway, by implementing pdfmake an important CSP rule is violated. How could
I avoid that? Would it be possible for you to find an alternative package?
Thanks
On Sun, 29 Apr 2018, 12:33 Libor M., notifications@github.com wrote:
Closed #1360 https://github.com/bpampuch/pdfmake/issues/1360.
pdfmake uses the pdfkit library for creating PDF files, which has a dependency on the restructure library, where eval is used. It cannot be replaced by another library. pdfmake cannot solve this problem; it must be resolved in the restructure library.
There is an existing issue https://github.com/devongovett/restructure/issues/28 and PR https://github.com/devongovett/restructure/pull/22 in restructure. We can only wait for a new version of the restructure library.
Ok Libor. Thank you for your explanation.
We shall wait then, and press those guys from restructure :)
I have created PRs to resolve this issue upstream:
And #1544 to prevent the build of pdfmake from inserting new Function
Is there a known work-around for this issue for sites requiring content security policies?
@ClaytonBrawley Were you able to find any workarounds?
restructure has closed the unsafe-eval issue and claims that in version 2.0 this is no longer a problem. Will this be updated in pdfmake soon?
Reiterating what @thomasazdon stated:
restructure has closed the unsafe-eval issue and claims that in version 2.0 this is no longer a problem. Will this be updated in pdfmake soon?
... any plan to update on this? 'unsafe-eval' is - rightfully so - proving to be problematic.
Any word on updating this or a workaround?
@eliahuhorwitz
In my case I was able to get around the issue by patching the library code directly.
Search for usages of new Function and replace those blocks of code. Using new Function constructors relies on eval, which is why it gets blocked by CSPs that prevent 'unsafe-eval' (and rightfully so). Instead just return an inline function. I think there were about 4 or 5 cases that I had to replace.
Example of two offending lines of code:

```javascript
this.versionGetter = new Function('parent', "return parent." + this.type);
this.versionSetter = new Function('parent', 'version', "return parent." + this.type + " = version");
```

Fixes for these two lines:

```javascript
// `type` here is the property path string that `this.type` was assigned from.
this.versionGetter = function(parent) {
  return Objects.getPropertyByPath(parent, type);
};
this.versionSetter = function(parent, version) {
  Objects.setObjectValueByPath(parent, version, type);
};
```
Here's the helper code (TypeScript):

```typescript
// Path helpers used by the patched getters/setters. The paths come from the
// struct definitions inside the library (e.g. "version" or "header.version"),
// not from user input.
class Objects {
  public static getPropertyByPath<T>(obj: object, path: string): T | undefined {
    path = path.replace(/\[(\w+)\]/g, '.$1'); // convert indexes to properties
    path = path.replace(/^\./, ''); // strip a leading dot
    const a = path.split('.');
    let cur: any = obj;
    for (let i = 0, n = a.length; i < n; ++i) {
      const k = a[i];
      if (k && cur && k in cur) {
        cur = cur[k];
      } else {
        return undefined; // missing segment: behave like an undefined property
      }
    }
    return cur as T;
  }

  public static setObjectValueByPath<T extends object, V>(
    obj: T = {} as T,
    value: V,
    path: string = ''
  ): void {
    if (typeof obj !== 'object' || obj === null) {
      return;
    }
    path = path.replace(/\[(\w+)\]/g, '.$1'); // convert indexes to properties
    path = path.replace(/^\./, ''); // strip a leading dot
    const paths: string[] = path.split('.');
    if (!paths || paths.length === 0) {
      return;
    }
    let i = 0;
    const n = paths.length - 1;
    let cur: any = obj;
    try {
      // traverse into the object for each property path segment
      for (; i < n; i++) {
        cur = cur[paths[i]];
      }
      // the final path segment is the property to assign the new value to
      cur[paths[i]] = value;
    } catch (e) {
      throw new Error(`Error accessing path '${path}' of object ${obj} causes ${e}`);
    }
  }
}
```
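As an added example (not code from the comment above or from pdfmake/restructure), the same replacement written as a stand-alone JavaScript module: a `new Function` path getter is kept only for comparison, and `compileGetter`/`compileSetter` build the equivalent accessors without turning a string into code. It goes slightly beyond the helpers above in that it validates every path segment and rejects prototype-chain names such as `__proto__`; the sample `parent` object and the assumption that paths come from struct definitions rather than from user input are mine.

```javascript
'use strict';
// Added example (not pdfmake/restructure code): replacing a `new Function`
// property-path getter/setter with a CSP-safe equivalent.

// The pattern that trips 'unsafe-eval'. Shown for comparison only; under a
// CSP without 'unsafe-eval' this line throws an EvalError.
function unsafeGetter(path) {
  return new Function('parent', 'return parent.' + path);
}

// Accepts "version", "header.version", "tables[0].length". Rejects anything
// that is not a plain identifier/index path and any segment that would walk
// the prototype chain (assumed never to occur in a legitimate struct definition).
const SEGMENT = /^(?:[A-Za-z_$][\w$]*|\d+)$/;
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function parsePath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('property path must be a non-empty string');
  }
  const segments = path
    .replace(/\[(\w+)\]/g, '.$1') // a[0] -> a.0
    .replace(/^\./, '')
    .split('.');
  for (const s of segments) {
    if (!SEGMENT.test(s) || FORBIDDEN.has(s)) {
      throw new Error(`invalid property path segment: ${JSON.stringify(s)}`);
    }
  }
  return segments;
}

// Same observable behaviour as `new Function('parent', 'return parent.' + path)`:
// a null/undefined intermediate throws a TypeError, as `parent.a.b` would.
function compileGetter(path) {
  const segments = parsePath(path);
  return function (parent) {
    let cur = parent;
    for (const s of segments) {
      if (cur === null || cur === undefined) {
        throw new TypeError(`cannot read property '${s}' of ${cur}`);
      }
      cur = cur[s];
    }
    return cur;
  };
}

// Equivalent of `new Function('parent', 'version', 'return parent.' + path + ' = version')`.
function compileSetter(path) {
  const segments = parsePath(path);
  const last = segments[segments.length - 1];
  const head = segments.slice(0, -1);
  return function (parent, value) {
    let cur = parent;
    for (const s of head) {
      if (cur === null || cur === undefined) {
        throw new TypeError(`cannot read property '${s}' of ${cur}`);
      }
      cur = cur[s];
    }
    if (cur === null || cur === undefined) {
      throw new TypeError(`cannot set property '${last}' of ${cur}`);
    }
    cur[last] = value;
    return value;
  };
}

// Constructed sample parent object standing in for a parsed font table.
function demo() {
  const parent = { header: { version: 1 }, tables: [{ length: 12 }] };
  const get = compileGetter('header.version');
  const set = compileSetter('header.version');
  const before = get(parent);
  set(parent, 2);
  return {
    before,
    after: get(parent),
    tableLen: compileGetter('tables[0].length')(parent),
  };
}

console.log(demo());
```

Because the validated paths are plain identifiers and indexes, indexing with `cur[s]` reproduces exactly what the generated `return parent.a.b` did, including the TypeError on a missing intermediate object, so the patched library fails in the same places it did before and nowhere new.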
Is this now just a matter of pdfmake to update its dependencies?
foliojs/restructure v2.0.0 still contains new Function calls. It was patched only a few weeks ago (foliojs/restructure@dd343b00ad9d536c84deb08a50473011273c5c25)
- so there needs to be a new version of restructure released
- then fontkit needs to be updated and released
- then pdfkit needs to be updated and released
- then pdfmake can be updated
Hi @firien , is there any update on this since you wrote that message two months ago?
Why is this issue closed if it's still a pending issue?
No updates. I don't have any affiliation with this project, but it's likely closed because steps 1-3 described above are out of their control.
I have been waiting 3½ years for step 1… so it's going to be a while.
There is a reference to new Function at pdfmake.js line 58342 which causes the issue below for me.
```javascript
// excerpt from the bundled pdfmake.js around line 58342
if (this.options.relativeTo) {
  this.relativeToGetter = new Function('ctx', "return ctx." + this.options.relativeTo);
}
}
```

```text
Uncaught (in promise) EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://cdnjs.cloudflare.com".
    at new Function (<anonymous>)
    at new A (pdfmake.js:58342)
    at Object.<anonymous> (pdfmake.js:40261)
```

How do you fix this issue in pdfmake? I am using v0.1.68
@ajayep: I posted a workaround above in a comment. You should be able to apply the same type of changes to the relativeToGetter function as I used, but it will require you to bring pdfmake into your codebase/repository and bundle it rather than loading it with some dependency management (e.g. npm)... unless you want to try to automate applying a patch every time, which I would not recommend.
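Added example, not part of pdfmake or of the comment above: a small build-time scanner that lists the eval-like constructs in a bundle, so that every site a CSP without 'unsafe-eval' would refuse is known before a user reaches that code path (the browser raises the EvalError lazily, only when the constructor actually executes, for instance on the first PDF generation, which is why the stack trace above appears at runtime and not at load). The sample bundle text is constructed, modelled on the lines quoted in this thread; the regexes are a heuristic that also flags matches inside comments and string literals, so each finding carries its line number and snippet for a human to review.

```javascript
'use strict';
// Added example (not pdfmake code): find eval-like constructs in a bundle.

// Constructs a CSP without 'unsafe-eval' blocks: eval(), Function()/new Function(),
// and a string (rather than a function) passed to setTimeout/setInterval.
const EVAL_LIKE = [
  { name: 'Function constructor', re: /(?<![\w$.])(?:new\s+)?Function\s*\(/ },
  { name: 'eval', re: /(?<![\w$.])eval\s*\(/ },
  { name: 'setTimeout/setInterval with string', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

// Returns one finding per (line, pattern) hit: { line, kind, snippet }.
function scanBundle(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const { name, re } of EVAL_LIKE) {
      if (re.test(text)) {
        findings.push({ line: idx + 1, kind: name, snippet: text.trim().slice(0, 80) });
      }
    }
  });
  return findings;
}

// Constructed sample standing in for a few lines of a bundle; the two
// `new Function` lines mirror the ones quoted in this thread.
const SAMPLE_BUNDLE = [
  'function VersionedStruct(type, versions) {',
  '  this.type = type;',
  '  this.versionGetter = new Function("parent", "return parent." + this.type);',
  '}',
  'function evaluate(x) { return x; }   // a plain identifier, must not be flagged',
  'if (this.options.relativeTo) {',
  '  this.relativeToGetter = new Function("ctx", "return ctx." + this.options.relativeTo);',
  '}',
  'var json = JSON.parse(data);        // fine',
  'var out = eval("(" + data + ")");    // flagged',
  'setTimeout("tick()", 100);           // flagged',
].join('\n');

// Human-readable report lines, e.g. "3: Function constructor: this.versionGetter = ..."
function report(source) {
  return scanBundle(source).map((f) => `${f.line}: ${f.kind}: ${f.snippet}`);
}

// When run directly: `node scan.js dist/pdfmake.js` (file name is an assumption);
// with no argument the constructed sample is scanned.
if (typeof require === 'function' && typeof module !== 'undefined' && require.main === module) {
  const src = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8') : SAMPLE_BUNDLE;
  for (const line of report(src)) console.log(line);
}
```

For a runtime cross-check in the browser, serve the page with a `Content-Security-Policy-Report-Only` header carrying the intended policy and listen for the `securitypolicyviolation` event on `document`; a correctly patched bundle should produce no violation when a PDF is actually generated, not only when the page loads.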