I was looking at patriksimek/vm2#32 - The implementation in vm2 has patched a lot of vulnerabilities but there are a ton of problems because of trying to prevent all backdoors.
According to patriksimek/vm2#32 (comment) the only way to fix this class of vulnerabilities is completely disabling `eval` with a C++ addon. And in the best case scenario you are still vulnerable to DoS attacks.
The code of `safe-eval` is way too simple. #15 is a futile effort.
I just think that the name of this module is misleading. People may think (like I did) that `safe-eval` is reasonably secure but it is far from the truth.
In my humble opinion, `safe-eval` should just be marked as vulnerable and the `README.md` should have a very noticeable disclaimer about not being safe.