Protobuf.js: @protobufjs/inquire violates default content security policy

Created on 9 Mar 2018 · 5 comments · Source: protobufjs/protobuf.js

protobuf.js version: 6.8.6

There's a special code inside @protobufjs/inquire:

function inquire(moduleName) {
    try {
        // Builds the string "require" at runtime so that bundlers (webpack etc.)
        // do not see a require() call and try to resolve moduleName at build time.
        var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
        if (mod && (mod.length || Object.keys(mod).length))
            return mod;
    } catch (e) {} // eslint-disable-line no-empty
    return null;
}

If I apply a "Content-Security-Policy" without additional exceptions to allow eval, then it's prohibited. Actually, it's the only eval in my ~1 MB minified file.
Probably there's a way to avoid it and become CSP-compliant?

UPD: I'm using minimal variant with everything inbuilt.

All 5 comments

I have the same problem. Electron 2.0.0 now prints out a warning if the web page has no Content-Security-Policy, or if it has one but unsafe-eval is enabled.
For now, protobufjs forces us to keep unsafe-eval enabled.

From the perspective of a security engineer who deploys Content Security Policy across a large number of applications, it would be great to have this code refactored to not rely on eval(), so that it doesn't force its users to set unsafe-eval in their CSP.

If this is difficult to refactor, just making sure that this is only executed in non-browser environments would be a reasonable workaround.

How about using new Function instead of eval?

const mod = new Function("id", "return require(id)")(moduleName)
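Note that `new Function(...)` is covered by the same CSP restriction as `eval()`: without `'unsafe-eval'` in `script-src` (or `default-src` when `script-src` is absent) the browser blocks the Function constructor, string `setTimeout`, and `eval` alike, so the suggestion above does not remove the need for the exception. The following is an added example, not code from protobuf.js or from anyone in this thread. It shows an eval-free `inquire()` (which satisfies a strict CSP at the cost of letting bundlers see a dynamic `require`, the thing the original string trick was hiding) together with a small checker that parses a CSP header value and reports whether it would permit the original code to run. It assumes Node.js with CommonJS `require` available; the sample policies are constructed for illustration.

```javascript
// Added example (not protobuf.js code): an eval-free module probe plus a
// CSP checker that tells you whether a given policy would block eval().
// Assumes Node.js (CommonJS); the CSP parser itself is plain JavaScript.

// CSP-compatible replacement for @protobufjs/inquire. The original wraps
// `require` in eval() so that bundlers do not see the call and try to
// resolve moduleName at build time. Calling `require` directly satisfies a
// policy without 'unsafe-eval'; the trade-off is that bundlers now see a
// dynamic require (webpack reports it as a "Critical dependency" warning).
function inquire(moduleName) {
  // In a browser bundle or an ES module, `require` is simply absent.
  if (typeof require !== "function") return null;
  try {
    var mod = require(moduleName);
    if (mod && (mod.length || Object.keys(mod).length)) return mod;
  } catch (e) {
    // Optional dependency not installed: report "not available", as the
    // original does, instead of throwing.
  }
  return null;
}

// Parse a Content-Security-Policy header value into a map of
// directive name -> array of source expressions. Per the CSP spec,
// directive names and keyword sources are ASCII case-insensitive, and a
// directive repeated later in the policy is ignored (the first one wins).
function parseCsp(policy) {
  var directives = Object.create(null);
  policy.split(";").forEach(function (part) {
    var tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) return;
    var name = tokens[0].toLowerCase();
    if (!(name in directives)) {
      directives[name] = tokens.slice(1).map(function (t) {
        return t.toLowerCase();
      });
    }
  });
  return directives;
}

// Would this policy let eval(), new Function() and string setTimeout run?
// script-src governs scripts; if it is absent, default-src applies; if
// neither is present the policy places no restriction on scripts at all.
function cspAllowsEval(policy) {
  var directives = parseCsp(policy);
  var sources = directives["script-src"] || directives["default-src"];
  if (!sources) return true;
  return sources.indexOf("'unsafe-eval'") !== -1;
}

// Constructed sample policies (not taken from the page) for trying the check.
var POLICIES = {
  strict: "default-src 'self'",
  withEval: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  scriptSrcWins: "script-src 'self'; default-src 'unsafe-eval'",
  noScriptRule: "img-src 'self'"
};

// Quick self-check when run directly: node this-file.js
Object.keys(POLICIES).forEach(function (name) {
  console.log(name + ": eval allowed = " + cspAllowsEval(POLICIES[name]));
});
console.log("inquire(missing module) = " + inquire("no-such-module-example"));
```

The `scriptSrcWins` policy is the case that trips people up in practice: an `'unsafe-eval'` on `default-src` does nothing once a `script-src` directive is present, so adding the keyword to the wrong directive still leaves the `inquire` eval blocked.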

I've replaced protobuf.js with https://github.com/mapbox/pbf
