I'm embedding Node.js in a C++ application and want to disable eval() because of a security concern.
Reproduce
Build command: vcbuild.bat static without-intl
C++ code: v8Context->AllowCodeGenerationFromStrings(false);
How often does it reproduce? Is there a required condition?
This is a consistent behavior malfunction. It doesn't require any conditions.
What is the expected behavior?
The expected result is that calling eval() returns the error EvalError: Code generation from strings disallowed for this context. However, in v16.17.0 eval() still works. It used to work well in v16.16.0.
What do you see instead?
eval() is not disabled.
Additional information
No response
ModifyCodeGenerationFromStringsCallback is invoked when AllowCodeGenerationFromStrings is false. Node.js has set its ModifyCodeGenerationFromStringsCallback to check an internal allow-code-generation-from-strings flag.
In order to propagate AllowCodeGenerationFromStrings to the Node.js internal flag slot, context->AllowCodeGenerationFromStrings should be set before node::InitializeContext, or node should be started with --disallow-code-generation-from-strings (#44324).
Alternatively, the embedder can set its own callback of ModifyCodeGenerationFromStringsCallback.
In my use case, the application may allow-disallow-allow-disallow... the code generation from strings in one context. It seems setting ModifyCodeGenerationFromStringsCallback is the only option. The question now is: will that break anything?
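The regression reported in this thread is silent: eval() simply keeps working. The following self-check is an added example, not code from the thread or from Node.js; it probes each string-to-code path inside a context and reports which ones are still open. It uses vm.createContext with the codeGeneration option as a stand-in for the embedder's C++ context (an assumption), and the names PROBE, probeContext and stringCodegenAllowed are hypothetical.

```javascript
'use strict';
const vm = require('vm');

// Source evaluated INSIDE the context under test. Each entry exercises one
// string-to-code path that AllowCodeGenerationFromStrings(false) should block.
const PROBE = `
(function () {
  const paths = {
    directEval:   () => eval('1 + 1'),
    indirectEval: () => (0, eval)('1 + 1'),
    functionCtor: () => new Function('return 2')(),
    viaPrototype: () => (function () {}).constructor('return 2')(),
  };
  const out = {};
  for (const [name, attempt] of Object.entries(paths)) {
    try {
      attempt();
      out[name] = 'ALLOWED';
    } catch (e) {
      out[name] = e.name === 'EvalError' ? 'blocked' : 'error: ' + e.name;
    }
  }
  return JSON.stringify(out); // a string crosses the context boundary cleanly
})()`;

// Run the probe in `context`; returns { pathName: 'blocked' | 'ALLOWED' | 'error: ...' }.
function probeContext(context) {
  return JSON.parse(vm.runInContext(PROBE, context));
}

// True if any path still compiles strings, i.e. the restriction is not in force.
function stringCodegenAllowed(context) {
  return Object.values(probeContext(context)).some((r) => r !== 'blocked');
}

// Constructed contexts for the demo (assumption: stand-ins for the embedder's own).
const locked = vm.createContext({}, { codeGeneration: { strings: false, wasm: false } });
const unlocked = vm.createContext({});

for (const [label, ctx] of [['locked', locked], ['unlocked', unlocked]]) {
  console.log(label, probeContext(ctx), 'allowed =', stringCodegenAllowed(ctx));
}
```

An embedder would evaluate the PROBE source in its own context after node::InitializeContext and after every toggle, and treat any result other than 'blocked' as a failed check.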
Version
v16.17.0
Platform
Microsoft Windows NT 10.0.19044.0 x64
Subsystem
No response