In configuration settings of the Jint JS engine was added one new property - DisableEval (default false)

Author: Taritsyn

src/JavaScriptEngineSwitcher.ChakraCore/ChakraCoreSettings.cs

@@ -52,7 +52,8 @@ public bool DisableBackgroundWork
 		}
 
 		/// <summary>
-		/// Gets or sets a flag for whether to disable calls of <c>eval</c> function
+		/// Gets or sets a flag for whether to disable calls of <c>eval</c> function with custom code
+		/// and <c>Function</c> constructors taking function code as string
 		/// </summary>
 		public bool DisableEval
 		{

src/JavaScriptEngineSwitcher.Jint/JavaScriptEngineSwitcher.Jint.csproj

@@ -22,7 +22,7 @@
     <PackageTags>$(PackageCommonTags);Jint</PackageTags>
     <PackageIconFullPath>../../Icons/JavaScriptEngineSwitcher_Jint_Logo128x128.png</PackageIconFullPath>
     <PackageReleaseNotes>1. Jint was updated to version 3.0.0 Beta 2048;
-2. In configuration settings of the Jint JS engine was added one new property - `AllowReflection` (default `false`).</PackageReleaseNotes>
+2. In configuration settings of the Jint JS engine was added two new properties: `AllowReflection` (default `false`) and `DisableEval` (default `false`).</PackageReleaseNotes>
   </PropertyGroup>
 
   <ItemGroup>

src/JavaScriptEngineSwitcher.Jint/JintJsEngine.cs

@@ -125,6 +125,7 @@ public JintJsEngine(JintSettings settings)
 						.CancellationToken(_cancellationTokenSource.Token)
 						.DebuggerStatementHandling(debuggerStatementHandlingMode)
 						.DebugMode(jintSettings.EnableDebugging)
+						.DisableStringCompilation(jintSettings.DisableEval)
 						.LimitMemory(jintSettings.MemoryLimit)
 						.LimitRecursion(jintSettings.MaxRecursionDepth)
 						.LocalTimeZone(jintSettings.LocalTimeZone ?? TimeZoneInfo.Local)

src/JavaScriptEngineSwitcher.Jint/JintSettings.cs

@@ -59,6 +59,16 @@ public OriginalDebuggerEventHandler DebuggerStepCallback
 			set;
 		}
 
+		/// <summary>
+		/// Gets or sets a flag for whether to disable calls of <c>eval</c> function with custom code
+		/// and <c>Function</c> constructors taking function code as string
+		/// </summary>
+		public bool DisableEval
+		{
+			get;
+			set;
+		}
+
 		/// <summary>
 		/// Gets or sets a flag for whether to enable debug mode
 		/// </summary>
@@ -166,6 +176,7 @@ public JintSettings()
 			DebuggerBreakCallback = null;
 			DebuggerStatementHandlingMode = JsDebuggerStatementHandlingMode.Ignore;
 			DebuggerStepCallback = null;
+			DisableEval = false;
 			EnableDebugging = false;
 			LocalTimeZone = TimeZoneInfo.Local;
 			MaxArraySize = uint.MaxValue;

src/JavaScriptEngineSwitcher.Jint/readme.txt

@@ -19,8 +19,8 @@
    RELEASE NOTES
    =============
    1. Jint was updated to version 3.0.0 Beta 2048;
-   2. In configuration settings of the Jint JS engine was added one new property -
-      `AllowReflection` (default `false`).
+   2. In configuration settings of the Jint JS engine was added two new properties:
+      `AllowReflection` (default `false`) and `DisableEval` (default `false`).
 
    =============
    DOCUMENTATION

test/JavaScriptEngineSwitcher.Tests/ChakraCore/EvalTests.cs

@@ -0,0 +1,65 @@
+using Xunit;
+
+using JavaScriptEngineSwitcher.ChakraCore;
+using JavaScriptEngineSwitcher.Core;
+
+namespace JavaScriptEngineSwitcher.Tests.ChakraCore
+{
+	public class EvalTests : EvalTestsBase
+	{
+		protected override string EngineName
+		{
+			get { return "ChakraCoreJsEngine"; }
+		}
+
+
+		private IJsEngine CreateJsEngine(bool disableEval)
+		{
+			var jsEngine = new ChakraCoreJsEngine(new ChakraCoreSettings
+			{
+				DisableEval = disableEval
+			});
+
+			return jsEngine;
+		}
+
+
+		public override void UsageOfEvalFunction()
+		{
+			// Arrange
+			int TestDisableEvalSetting(bool disableEval)
+			{
+				using (var jsEngine = CreateJsEngine(disableEval: disableEval))
+				{
+					return jsEngine.Evaluate<int>("eval('2*2');");
+				}
+			}
+
+			// Act and Assert
+			Assert.Equal(4, TestDisableEvalSetting(false));
+
+			JsRuntimeException exception = Assert.Throws<JsRuntimeException>(() => TestDisableEvalSetting(true));
+			Assert.Equal("Runtime error", exception.Category);
+			Assert.Equal("Eval of strings is disabled in this runtime.", exception.Description);
+		}
+
+		public override void UsageOfFunctionConstructor()
+		{
+			// Arrange
+			int TestDisableEvalSetting(bool disableEval)
+			{
+				using (var jsEngine = CreateJsEngine(disableEval: disableEval))
+				{
+					return jsEngine.Evaluate<int>("new Function('return 2*2;')();");
+				}
+			}
+
+			// Act and Assert
+			Assert.Equal(4, TestDisableEvalSetting(false));
+
+			JsRuntimeException exception = Assert.Throws<JsRuntimeException>(() => TestDisableEvalSetting(true));
+			Assert.Equal("Runtime error", exception.Category);
+			Assert.Equal("Eval of strings is disabled in this runtime.", exception.Description);
+		}
+	}
+}

test/JavaScriptEngineSwitcher.Tests/EvalTestsBase.cs

@@ -0,0 +1,47 @@
+using Xunit;
+
+using JavaScriptEngineSwitcher.Core;
+
+namespace JavaScriptEngineSwitcher.Tests
+{
+	public abstract class EvalTestsBase : TestsBase
+	{
+		[Fact]
+		public virtual void UsageOfEvalFunction()
+		{
+			// Arrange
+			const string input = "eval('2*2');";
+			const int targetOutput = 4;
+
+			// Act
+			int output;
+
+			using (var jsEngine = CreateJsEngine())
+			{
+				output = jsEngine.Evaluate<int>(input);
+			}
+
+			// Assert
+			Assert.Equal(targetOutput, output);
+		}
+
+		[Fact]
+		public virtual void UsageOfFunctionConstructor()
+		{
+			// Arrange
+			const string input = "new Function('return 2*2;')();";
+			const int targetOutput = 4;
+
+			// Act
+			int output;
+
+			using (var jsEngine = CreateJsEngine())
+			{
+				output = jsEngine.Evaluate<int>(input);
+			}
+
+			// Assert
+			Assert.Equal(targetOutput, output);
+		}
+	}
+}

test/JavaScriptEngineSwitcher.Tests/Jint/EvalTests.cs

@@ -0,0 +1,67 @@
+#if !NET452
+using Xunit;
+
+using JavaScriptEngineSwitcher.Core;
+using JavaScriptEngineSwitcher.Jint;
+
+namespace JavaScriptEngineSwitcher.Tests.Jint
+{
+	public class EvalTests : EvalTestsBase
+	{
+		protected override string EngineName
+		{
+			get { return "JintJsEngine"; }
+		}
+
+
+		private IJsEngine CreateJsEngine(bool disableEval)
+		{
+			var jsEngine = new JintJsEngine(new JintSettings
+			{
+				DisableEval = disableEval
+			});
+
+			return jsEngine;
+		}
+
+
+		public override void UsageOfEvalFunction()
+		{
+			// Arrange
+			int TestDisableEvalSetting(bool disableEval)
+			{
+				using (var jsEngine = CreateJsEngine(disableEval: disableEval))
+				{
+					return jsEngine.Evaluate<int>("eval('2*2');");
+				}
+			}
+
+			// Act and Assert
+			Assert.Equal(4, TestDisableEvalSetting(false));
+
+			JsRuntimeException exception = Assert.Throws<JsRuntimeException>(() => TestDisableEvalSetting(true));
+			Assert.Equal("Runtime error", exception.Category);
+			Assert.Equal("String compilation has been disabled in engine options", exception.Description);
+		}
+
+		public override void UsageOfFunctionConstructor()
+		{
+			// Arrange
+			int TestDisableEvalSetting(bool disableEval)
+			{
+				using (var jsEngine = CreateJsEngine(disableEval: disableEval))
+				{
+					return jsEngine.Evaluate<int>("new Function('return 2*2;')();");
+				}
+			}
+
+			// Act and Assert
+			Assert.Equal(4, TestDisableEvalSetting(false));
+
+			JsRuntimeException exception = Assert.Throws<JsRuntimeException>(() => TestDisableEvalSetting(true));
+			Assert.Equal("Runtime error", exception.Category);
+			Assert.Equal("String compilation has been disabled in engine options", exception.Description);
+		}
+	}
+}
+#endif

test/JavaScriptEngineSwitcher.Tests/Jurassic/EvalTests.cs

@@ -0,0 +1,10 @@
+namespace JavaScriptEngineSwitcher.Tests.Jurassic
+{
+	public class EvalTests : EvalTestsBase
+	{
+		protected override string EngineName
+		{
+			get { return "JurassicJsEngine"; }
+		}
+	}
+}

test/JavaScriptEngineSwitcher.Tests/Msie/EvalTests.cs

@@ -0,0 +1,10 @@
+namespace JavaScriptEngineSwitcher.Tests.Msie
+{
+	public class EvalTests : EvalTestsBase
+	{
+		protected override string EngineName
+		{
+			get { return "MsieJsEngine"; }
+		}
+	}
+}