Merge pull request #5 from commenthol/warning

commenthol · web-flow · commit ba692863fe70 · 2019-05-15T20:40:46.000+02:00
docu: Add warning on infinite loop
diff --git a/README.md b/README.md
@@ -11,7 +11,9 @@ Especially when it comes to passing `context` props.
 Use [clones][] to wrap-up the methods you like to allow.
 Checkout the "harmful context" tests section.
 
-> **Warning:** The `saferEval` function may be harmful - so you are warned!
+![warning](https://raw.githubusercontent.com/commenthol/safer-eval/master/warning.png)
+
+**Warning:** The `saferEval` function may be harmful - so you are warned!
 
 In node the `vm` module is used to sandbox the evaluation of `code`.
 
@@ -37,6 +39,14 @@ Runs on node and in modern browsers:
 npm install --save safer-eval
 ```
 
+## Implementation recommendations
+
+Be aware that a `saferEval('function(){while(true){}}()')` may run
+infinitely. Consider using the module from within a worker thread which is terminated
+after timeout.
+
+Avoid passing context props while deserializing data from hostile environments.
+
 ## Usage
 
 `context` allows the definition of passed in Objects into the sandbox.
diff --git a/package.json b/package.json
@@ -37,27 +37,27 @@
     "clones": "^1.2.0"
   },
   "devDependencies": {
-    "@babel/cli": "^7.2.3",
-    "@babel/core": "^7.2.2",
-    "@babel/preset-env": "^7.2.3",
-    "babel-loader": "^8.0.4",
-    "eslint": "^5.15.1",
+    "@babel/cli": "^7.4.4",
+    "@babel/core": "^7.4.4",
+    "@babel/preset-env": "^7.4.4",
+    "babel-loader": "^8.0.6",
+    "eslint": "^5.16.0",
     "eslint-config-standard": "^12.0.0",
-    "eslint-plugin-import": "^2.14.0",
-    "eslint-plugin-node": "^8.0.0",
-    "eslint-plugin-promise": "^4.0.1",
+    "eslint-plugin-import": "^2.17.2",
+    "eslint-plugin-node": "^9.0.1",
+    "eslint-plugin-promise": "^4.1.1",
     "eslint-plugin-standard": "^4.0.0",
-    "karma": "^4.0.1",
-    "karma-chrome-launcher": "^2.0.0",
-    "karma-firefox-launcher": "^1.0.0",
+    "karma": "^4.1.0",
+    "karma-chrome-launcher": "^2.2.0",
+    "karma-firefox-launcher": "^1.1.0",
     "karma-mocha": "^1.3.0",
     "karma-sourcemap-loader": "^0.3.7",
     "karma-spec-reporter": "~0.0.32",
     "karma-webpack": "^3.0.5",
-    "mocha": "^6.0.2",
-    "nyc": "^13.1.0",
-    "rimraf": "^2.5.4",
-    "webpack": "^4.29.6"
+    "mocha": "^6.1.4",
+    "nyc": "^14.1.1",
+    "rimraf": "^2.6.3",
+    "webpack": "^4.31.0"
   },
   "_devDependencies": {
     "zuul": "^3.11.1"
diff --git a/warning.png b/warning.png
diff --git a/warning.svg b/warning.svg
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="350" height="180" color-interpolation="auto" color-rendering="auto" fill="black" font-family="'Dialog'" font-size="12px" image-rendering="auto" shape-rendering="auto" stroke="black" stroke-linecap="square" stroke-miterlimit="10" text-rendering="auto" version="1.1" viewBox="310 380 350 180" xmlns="http://www.w3.org/2000/svg" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <metadata>
+  <rdf:RDF>
+   <cc:Work rdf:about="">
+    <dc:format>image/svg+xml</dc:format>
+    <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
+    <dc:title/>
+   </cc:Work>
+  </rdf:RDF>
+ </metadata>
+ <!--Generated by the Batik Graphics2D SVG Generator-->
+ <defs>
+  <clipPath id="clipPath2">
+   <path d="m0 0v140h310v-140z"/>
+  </clipPath>
+ </defs>
+ <g transform="translate(330,400)" fill="#fde" fill-opacity=".4902" stroke="#fde" stroke-opacity=".4902">
+  <rect x=".5" y=".5" width="308.5" height="138.5" clip-path="url(#clipPath2)" stroke="none"/>
+ </g>
+ <g transform="translate(330,400)" fill="red" stroke="red" stroke-width="2.5">
+  <rect x=".5" y=".5" width="308.5" height="138.5" clip-path="url(#clipPath2)" fill="none"/>
+  <text x="105" y="21.8646" clip-path="url(#clipPath2)" font-family="sans-serif" font-size="18px" font-weight="bold" stroke="none" xml:space="preserve">WARNING</text>
+  <path d="m1 27.865h308" clip-path="url(#clipPath2)" fill="none"/>
+  <g font-family="sans-serif" font-size="18px" stroke="none">
+   <text x="23" y="66.5938" clip-path="url(#clipPath2)" xml:space="preserve">The "saferEval" function may</text>
+   <text x="49" y="86.4583" clip-path="url(#clipPath2)" xml:space="preserve">be harmful - so you are</text>
+   <text x="117" y="106.3229" clip-path="url(#clipPath2)" xml:space="preserve">warned!</text>
+  </g>
+ </g>
+ <g transform="matrix(.13398 0 0 .13398 368.3 371.14)">
+  <path d="m-187.86 499.89c-3.4082-5.4493-3.0569-12.598 0-17.705l181.82-315.28c3.3987-5.4398 9.1897-9.1897 15.655-9.1897 6.4651 0 12.256 3.7499 15.323 8.8574l182.15 315.27c3.0664 5.4493 3.3987 12.598 0 18.047-3.0664 5.791-9.1897 9.1992-15.322 9.1992h-364.3c-6.1328 0-12.266-3.4082-15.322-9.1992" fill="#fff" stroke="none"/>
+  <g transform="matrix(9.4935 0 0 -9.4935 -187.86 499.89)" fill="#ed171f">
+   <path d="m0 0c-0.359 0.574-0.322 1.327 0 1.865l19.152 33.21c0.358 0.573 0.968 0.968 1.649 0.968s1.291-0.395 1.614-0.933l19.187-33.209c0.323-0.574 0.358-1.327 0-1.901-0.323-0.61-0.968-0.969-1.614-0.969h-38.374c-0.646 0-1.292 0.359-1.614 0.969m35.47 3.551-14.669 25.391-14.668-25.391z" fill="#ed171f" stroke="none"/>
+  </g>
+  <g transform="translate(511.16 -20.351)">
+   <g transform="matrix(9.5379 0 0 -9.5379 -500.6 477.29)">
+    <path d="m0 0c1.076 0 1.936 0.897 1.936 1.972 0 1.076-0.86 1.973-1.936 1.973s-1.937-0.897-1.937-1.973c0-1.075 0.861-1.972 1.937-1.972" fill="#000" stroke="none"/>
+   </g>
+   <g transform="matrix(9.5379 0 0 -9.5379 -500.6 297.37)">
+    <path d="m0 0c1.327 0 2.403-1.112 2.403-2.439 0-0.251-0.036-0.717-0.108-1.363l-1.291-8.535c-0.071-0.502-0.502-0.897-1.004-0.897s-0.933 0.395-1.004 0.897l-1.255 8.535c-0.108 0.646-0.144 1.112-0.144 1.363 0 1.327 1.076 2.439 2.403 2.439" fill="#000" stroke="none"/>
+   </g>
+  </g>
+ </g>
+</svg>
