Merge pull request #1174 from objectstack-ai/copilot/fix-evaluate-expression-error

fix(core): replace `new Function()` with CSP-safe recursive-descent expression parser

Author: xuyushun441-sys

CHANGELOG.md

@@ -21,6 +21,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **CSP-safe expression evaluation** (`@object-ui/core`): Replaced `new Function()` in `ExpressionCache.compileExpression()` with a new `SafeExpressionParser` — a recursive-descent interpreter that evaluates expressions without any dynamic code execution. This fixes `Content Security Policy` violations (`'unsafe-eval' is not an allowed source of script`) that occurred when evaluating schema expressions like `${stage !== 'closed_won' && stage !== 'closed_lost'}` in enterprise deployments with strict CSP headers. The `SafeExpressionParser` supports the full ObjectUI expression language: all comparison and logical operators, ternary and nullish coalescing, arithmetic, unary operators (`!`, `-`, `+`, `typeof`), dot/bracket/optional-chaining member access, function calls (formula functions, method calls, `Math.*`), single-param arrow functions (for `.filter(u => u.isActive)`, `.map(x => x.name)` etc.), array literals, `new Date()` / `new RegExp()` constructors, and all literal types. The `ExpressionCache` public API is unchanged. 41 new tests added.
+
 - **CI build errors** (`@object-ui/console`): Removed unused imports (`resolveI18nLabel` in `HomePage.tsx`, `Upload`/`FileText` in `QuickActions.tsx`) that caused TS6133 errors. Fixed `appConfig` → `appConfigs[0]` in `i18n-translations.test.ts` (TS2552). Extracted `customReportsConfig` from aggregated `sharedConfig` into a standalone export so the mock server kernel includes the `sales_performance_q1` report, fixing `ReportView.test.tsx` failures.
 
 - **Charts groupBy value→label resolution** (`@object-ui/plugin-charts`): Chart X-axis labels now display human-readable labels instead of raw values. Select/picklist fields resolve value→label via field metadata options, lookup/master_detail fields batch-fetch referenced record names, and all other fields fall back to `humanizeLabel()` (snake_case → Title Case). Removed hardcoded `value.slice(0, 3)` truncation from `AdvancedChartImpl.tsx` XAxis tick formatters — desktop now shows full labels with angle rotation for long text, mobile truncates at 8 characters with "…".

packages/core/src/evaluator/ExpressionCache.ts

@@ -8,14 +8,16 @@
 
 /**
  * @object-ui/core - Expression Cache
- * 
+ *
  * Caches compiled expressions to avoid re-parsing on every render.
  * Provides significant performance improvement for frequently evaluated expressions.
- * 
+ *
  * @module evaluator
  * @packageDocumentation
  */
 
+import { SafeExpressionParser } from './SafeExpressionParser.js';
+
 /**
  * A compiled expression function that can be executed with context values
  */
@@ -112,16 +114,28 @@ export class ExpressionCache {
   }
 
   /**
-   * Compile an expression into a function
+   * Compile an expression into a CSP-safe callable function.
+   *
+   * Uses `SafeExpressionParser` — a recursive-descent interpreter — instead of
+   * `new Function()` so that the expression engine works under strict
+   * Content Security Policy headers that forbid `'unsafe-eval'`.
+   *
+   * A single parser instance is created per compiled expression and reused
+   * across all invocations of the returned closure (`evaluate()` resets all
+   * internal state on every call), avoiding repeated allocations on hot paths.
    */
   private compileExpression(expression: string, varNames: string[]): CompiledExpression {
-    // SECURITY NOTE: Using Function constructor for expression evaluation.
-    // This is a controlled use case with:
-    // 1. Sanitization check (isDangerous) performed by caller
-    // 2. Strict mode enabled ("use strict")
-    // 3. Limited scope (only varNames variables available)
-    // 4. No access to global objects (process, window, etc.)
-    return new Function(...varNames, `"use strict"; return (${expression});`) as CompiledExpression;
+    // One parser per compiled expression — reused across hot-path calls.
+    const parser = new SafeExpressionParser();
+
+    return (...args: unknown[]) => {
+      // Reconstruct the named variable context from positional arguments.
+      const context: Record<string, unknown> = {};
+      for (let i = 0; i < varNames.length; i++) {
+        context[varNames[i]] = args[i];
+      }
+      return parser.evaluate(expression, context);
+    };
   }
 
   /**