[FR] Disable eval() usage by default

[PR3C14D0]

What is the problem this feature will solve?

eval() and Function() in Node.js allow executing arbitrary code at runtime. While powerful, they are a common vector for security vulnerabilities and accidental code injection. Currently, eval() is enabled by default, which means that even minor mistakes or untrusted dependencies can execute code dynamically, increasing security risks.

By disabling eval() by default, Node.js can provide a safer runtime out of the box. This change encourages developers to use safer alternatives such as vm or strict sandboxing, reducing potential attack surfaces in Node.js applications.

As you can see in this commit, you can somehow insert arbitrary code on a commit and not even notice.

This video (in spanish, by @midudev), explains how they attacked him through this method. Is crazy

What is the feature you are proposing to solve the problem?

Introduce a new opt-in flag --enable-eval in Node.js.

• Default behavior: eval() and Function() are disabled in the runtime. Any attempt to use them without the flag will throw an error.

• Opt-in: Users can explicitly enable eval() for legacy applications or specific use cases by passing node --enable-eval index.js

• Benefits:

• • Improves default security for Node.js applications.
• • Prevents accidental dynamic code execution in production.
• • Allows developers to consciously decide when they need eval().

[pshaughn]

The motivation here lines up with the Trusted Types Web API, perhaps the solution should do likewise.

[PR3C14D0]

The motivation here lines up with the Trusted Types Web API, perhaps the solution should do likewise.

Nope, the motivation here is for Node.JS. Actually if someone inject malicious code on one of your projects or dependencies, and you dont see it, this malware can take control of all of your tokens.

Yesterday we've been analyzing the same malware from that commit I referenced before and is crazy as fck.

His name is "glassworm", and appeared in npm supply chain attacks, VSCode extensions...etc.

Is code lives on the blockchain, specifically on Solana(SOL) transactions' MEMO field.

[PR3C14D0]

Other point of view, would be creating a --disable-eval argument, that disables eval() and Function().
Or maybe adding the --enable-eval argument (#62436) and add the ability in npm, of adding a global node_enable_eval=true to the .npmrc

[Renegade334]

Other point of view, would be creating a --disable-eval argument, that disables eval() and Function().

This exists.

[PR3C14D0]

Other point of view, would be creating a --disable-eval argument, that disables eval() and Function().

This exists.

Anyways, that's a parameter you should specifically search for knowing that exists. Browsers actually have eval() disabled on the consoles by default because of attacks with some cyphered scripts that stole your data in many websites. Reasonably, this idea of disabling eval() by default, is a better way to avoid attacks to non known users.

Imagine that you don't know coding, and you want to learn. While you are learning, you clone many repos and see how they work for learning. But in one of the repositories, you download a Glassworm malware, that expands automatically through repositories and infect more and more people, this malware isn't even noticeable once you execute it. And if you are learning node, one of the things you less care, are the parameters you pass to node before running. No one wants to have a random malware doing things in their computer.

[PR3C14D0]

My proposal is simple, disabling eval by default, and if you want it, you enable it.

About the thing of breaking some repositories, I also propose creating a global way to enabling eval if necessary, such as enabling on .npmrc. We should care for the inexpert developers, or people that don't expect being infected like that

[ljharb]

That is entirely a nonstarter - it violates the JS spec and thus would invalidate the ".js" in "node.js".

[bakkot]

Browsers actually have eval() disabled on the consoles by default because of attacks with some cyphered scripts that stole your data in many websites.

No they don't.

But in one of the repositories, you download a Glassworm malware, that expands automatically through repositories and infect more and more people, this malware isn't even noticeable once you execute it.

If you are downloading and running untrusted code, having eval disabled will not save you. Node's security model explicitly assumes that all executed code is trusted.