🔒 update: security fix

Author: kazupon

README.md

@@ -65,6 +65,8 @@ renderer.renderToString(app, (err, html) => {
 ### module: `v-t` custom directive compiler module
 This module is `v-t` custom directive module for vue compiler. You can specify it as [`modules` option](https://github.com/vuejs/vue/tree/dev/packages/vue-template-compiler#vue-template-compiler) of `vue-template-compiler`.
 
+> :warning: NOTE: This extension is not isomorphic/universal codes. for Node.js environment only.
+
 The following example that use `compile` function of `vue-template-compiler`:
 
 ```javascript

lib/util.js

@@ -3,12 +3,24 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
+
+var _stringify = require('babel-runtime/core-js/json/stringify');
+
+var _stringify2 = _interopRequireDefault(_stringify);
+
 exports.warn = warn;
 exports.isPlainObject = isPlainObject;
 exports.addProp = addProp;
 exports.getAttr = getAttr;
 exports.removeAttr = removeAttr;
 exports.evaluateValue = evaluateValue;
+
+var _vm = require('vm2');
+
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+const vm = new _vm.VM();
+
 function warn(msg, err) {
   if (typeof console !== 'undefined') {
     console.warn('[vue-i18n-extensions] ' + msg);
@@ -48,7 +60,7 @@ function removeAttr(el, name) {
 function evaluateValue(expression) {
   const ret = { status: 'ng', value: undefined };
   try {
-    const val = new Function('return ' + expression)();
+    const val = vm.run(`(new Function('return ' + ${(0, _stringify2.default)(expression)}))()`);
     ret.status = 'ok';
     ret.value = val;
   } catch (e) {}

package.json

@@ -36,7 +36,7 @@
     "vue-template-compiler": "^2.4.2"
   },
   "engines": {
-    "node": ">= 4.0"
+    "node": ">= 6.0"
   },
   "files": [
     "lib",
@@ -68,5 +68,8 @@
     "test:cover": "cross-env BABEL_ENV=test ./node_modules/.bin/nyc report --reporter=html ava",
     "test:unit": "cross-env BABEL_ENV=test ava",
     "watch": "cross-env BABEL_ENV=development babel ./src --out-dir ./lib --watch"
+  },
+  "dependencies": {
+    "vm2": "^3.5.0"
   }
 }

src/util.js

@@ -1,3 +1,7 @@
+import { VM } from 'vm2'
+
+const vm = new VM()
+
 export function warn (msg, err) {
   if (typeof console !== 'undefined') {
     console.warn('[vue-i18n-extensions] ' + msg)
@@ -37,7 +41,7 @@ export function removeAttr (el, name) {
 export function evaluateValue (expression) {
   const ret = { status: 'ng', value: undefined }
   try {
-    const val = (new Function('return ' + expression))()
+    const val = vm.run(`(new Function('return ' + ${JSON.stringify(expression)}))()`)
     ret.status = 'ok'
     ret.value = val
   } catch (e) { }