Function('return this')() does not comply with no-unsafe-eval #3

Open
frankwaldal opened this issue Sep 20, 2021 · 1 comment

@frankwaldal

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch grpc-web-error-details@1.1.0 for the project I'm working on.

The global variable Function('return this')(); doesn't comply with the CSP no-unsafe-eval rule.
This is the same issue described in these two issues with the protobuf package: protocolbuffers/protobuf#6770 and protocolbuffers/protobuf#5464

We're patching our project with the following diff included from patch-package:

diff --git a/node_modules/grpc-web-error-details/dist/lib/code_pb.js b/node_modules/grpc-web-error-details/dist/lib/code_pb.js
index 0df746f..5c6beaa 100644
--- a/node_modules/grpc-web-error-details/dist/lib/code_pb.js
+++ b/node_modules/grpc-web-error-details/dist/lib/code_pb.js
@@ -13,7 +13,7 @@
 
 var jspb = require('google-protobuf');
 var goog = jspb;
-var global = Function('return this')();
+var global = (function() { return this || window || global || self; }).call(null);
 
 goog.exportSymbol('proto.google.rpc.Code', null, global);
 /**
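Review bot: the bare `window` operand on the `+var global` line throws a ReferenceError whenever `this` is falsy and no `window` binding exists (strict-mode code running in Node or in a worker), so the trailing `self` operand is never reached. Guard each operand with `typeof`, for example `typeof window !== 'undefined' ? window : ...`, or test `typeof globalThis !== 'undefined'` first.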
diff --git a/node_modules/grpc-web-error-details/dist/lib/error_details_pb.js b/node_modules/grpc-web-error-details/dist/lib/error_details_pb.js
index b73688c..85b5ac8 100644
--- a/node_modules/grpc-web-error-details/dist/lib/error_details_pb.js
+++ b/node_modules/grpc-web-error-details/dist/lib/error_details_pb.js
@@ -13,7 +13,7 @@
 
 var jspb = require('google-protobuf');
 var goog = jspb;
-var global = Function('return this')();
+var global = (function() { return this || window || global || self; }).call(null);
 
 var google_protobuf_duration_pb = require('google-protobuf/google/protobuf/duration_pb.js');
 goog.object.extend(proto, google_protobuf_duration_pb);
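Review bot: the `global` operand inside the function on the `+var global` line resolves to the `var global` that this same statement declares. The file calls `require`, so it loads as a CommonJS module, where that declaration is hoisted and still undefined while the initializer runs; the operand can therefore never supply Node's global object. Drop it, or read the host global through `globalThis` so the shadowed name is not involved.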
diff --git a/node_modules/grpc-web-error-details/dist/lib/status_pb.js b/node_modules/grpc-web-error-details/dist/lib/status_pb.js
index 0cc9e12..2144731 100644
--- a/node_modules/grpc-web-error-details/dist/lib/status_pb.js
+++ b/node_modules/grpc-web-error-details/dist/lib/status_pb.js
@@ -13,7 +13,7 @@
 
 var jspb = require('google-protobuf');
 var goog = jspb;
-var global = Function('return this')();
+var global = (function() { return this || window || global || self; }).call(null);
 
 var google_protobuf_any_pb = require('google-protobuf/google/protobuf/any_pb.js');
 goog.object.extend(proto, google_protobuf_any_pb);
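Review bot: the `+var global` line carries no comment saying why `Function('return this')()` was replaced, and this is the third file under dist/lib receiving the same edit. A one-line comment naming the CSP restriction on evaluating strings as code would tell whoever next re-diffs or replaces these files that the change is intentional.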

This issue body was partially generated by patch-package.

@shumbo
Owner

shumbo commented Sep 23, 2021

@frankwaldal Thanks for opening up the issue! Although I see the problem, I want to keep the code generated by protoc in this package.

It seems that the issue is being discussed in protocolbuffers/protobuf-javascript#25 and it is still open.

Hopefully the issue is resolved soon so I can also update the generated code in this package. I will keep this issue open until then.
