Web3.js: Dependency on "eval" requires a looser security policy.

Created on 6 Aug 2018 · 5 Comments · Source: ChainSafe/web3.js

The web3.js package depends on a library called "thenify" which makes calls to eval:

└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected] 

eval is also used in web3 itself: https://github.com/ethereum/web3.js/blob/3d74aa674b951b6bcbae1faf646c1bd4d21d916b/packages/web3-core-requestmanager/src/givenProvider.js#L28

eval is commonly disabled in Content-Security-Policy, but web3's usage prevents usage of this security feature.

Obviously, it can't be removed if it provides a capability that there is no reasonable substitute for. But, wrapping file system calls in a promise doesn't seem like a necessary application.

1.x

All 5 comments

1565 fixed this but it's still not merged yet.

@catsass19 This is great! But, it only addresses their source. The dependency would still prevent it.

Root cause here is dependency on fs-promise which was deprecated 2 years ago.
https://www.npmjs.com/package/fs-promise
Looks like we need to hop over to swarm-js and have them update

fs-promise is now deprecated. Use mz/fs fs-extra^3.0.

I'll head over there and bug them.

update
https://www.npmjs.com/package/swarm-js
Dependencies list shows they've already moved to fs-extra. So perhaps we just need to bump the swarm-js version to 0.1.39

update 2
Looks like the update was done some time ago.
https://github.com/ethereum/web3.js/blob/bb7827d84bbfec7ecc13602b33397e3db1c3a524/packages/web3-bzz/package.json
It should be safe to close this issue or mark it complete or whatever.

On a side note, there is a PR in swarm-js we should watch for. Looks like there are major updates to dependencies coming for the next minor release. Hopefully this will fix the outstanding problems with swarm.
https://github.com/MaiaVictor/swarm-js/pull/33/commits/d149d0206f762083522a22b0f1bb5ef3d7ee2d27

I have the same problem, but I still haven't found a solution so far; Firefox AMO does not allow a CSP that defines 'unsafe-eval'.
