fix(launcher): prevent arbitrary js execution. fix #2115

This commit is contained in:
Lemmy
2026-03-08 17:16:20 -04:00
parent 250242c266
commit 2f4b80d72f
+11
@@ -88,6 +88,17 @@ function evaluate(expression) {
throw new Error("Invalid characters in expression");
}
// Block dangerous identifiers (prototype chain traversal, code execution)
if (/\b(constructor|prototype|__proto__|__defineGetter__|__defineSetter__|__lookupGetter__|__lookupSetter__|Function|eval|require|import|process|global|window|this|self|globalThis|String|Object|Array|RegExp|Proxy|Reflect|setTimeout|setInterval)\b/.test(processed)) {
throw new Error("Invalid expression");
}
// Only allow Math.method property access - block any other dot-property chains
var withoutMathCalls = processed.replace(/\bMath\.\w+/g, '0');
if (/\./.test(withoutMathCalls)) {
throw new Error("Invalid expression");
}
// Evaluate the processed expression
var result = eval(processed);
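Review bot: The identifier check added at L14 is a denylist in front of a direct `eval`, so any name not on the list still executes: `Number`, `Symbol`, `Date`, `JSON`, `Promise`, `arguments`, or the keywords `new`/`function`/`class` all pass, and a name spelled with a Unicode escape such as `\u0065val` never matches `\beval\b` if the character filter at L11 admits a backslash (that filter is outside the hunk, so this is inferred). Likewise `Math["constructor"]` would slip past the dot rule at L18–L20 if quotes and brackets are admitted. A fail-closed shape is an allowlist: replace each `Math.<name>` only when `name` is an own property of `Math` (which excludes the inherited `constructor`, `__proto__` and getter/setter names), strip numeric literals, and then reject the expression if any letter, `_`, `$`, `.` or `\` remains, so nothing but numbers, operators and vetted Math members ever reaches `eval`. `evaluate` begins before this hunk and continues after it; the rewrite below replaces only L13–L21.
```javascript
// … unchanged: "Invalid characters in expression" check above …
// Allowlist rather than denylist: the only identifiers permitted are own
// members of Math (Math.abs, Math.PI, ...). Inherited names such as
// Math.constructor or Math.__proto__ are not own properties and are rejected.
var unknownMember = false;
var withoutMathCalls = processed.replace(/\bMath\.([A-Za-z_$][\w$]*)/g, function (match, name) {
  if (!Object.prototype.hasOwnProperty.call(Math, name)) {
    unknownMember = true;
  }
  return '0';
});
// Numeric literals (including 1e5 / 2.5e-3) are collapsed so their letters
// and dots do not trip the final check.
var withoutNumbers = withoutMathCalls.replace(/\d+(?:\.\d*)?(?:e[+-]?\d+)?|\.\d+(?:e[+-]?\d+)?/gi, '0');
// Anything that still contains a letter, `_`, `$`, `.` or `\` is an identifier,
// property access or escape we did not vet (eval, this, constructor, \u0065val, ...).
if (unknownMember || /[A-Za-z_$.\\]/.test(withoutNumbers)) {
  throw new Error("Invalid expression");
}
// … unchanged: eval(processed) …
```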