fix: replace eval with globalThis to comply with CSP policies
**Issue:**
Sandpack currently uses `eval` to obtain the global object, which triggers CSP `unsafe-eval` violations. This poses security risks and limits the ability to use Sandpack in environments with strict CSP policies.

**Solution:**
Replaced the `eval`-based approach with an IIFE that sequentially checks for `globalThis`, `self`, `window`, and `global` to securely access the global object without violating CSP policies.

**Testing:**
- Tested in a local development environment with CSP enforced to ensure no violations occur.

**Related Issue:**
- [1221](#1221)
eugene-stativka committed Nov 20, 2024
1 parent 1cc5222 commit 12eb665
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions sandpack-react/src/components/Console/utils/transformers.ts
Expand Up @@ -3,11 +3,17 @@
/* eslint-disable @typescript-eslint/explicit-function-return-type */
/* eslint-disable @typescript-eslint/no-explicit-any */
// Const
const GLOBAL = (function getGlobal() {
// NOTE: see http://www.ecma-international.org/ecma-262/6.0/index.html#sec-performeval step 10
const savedEval = eval;
const GLOBAL = (function getGlobal(): any {
if (typeof globalThis !== 'undefined') return globalThis; // modern standard

return savedEval("this");
if (typeof window !== 'undefined') return window; // browser

if (typeof global !== 'undefined') return global; // Node.js

// eslint-disable-next-line no-restricted-globals
if (typeof self !== 'undefined') return self; // Web Worker

throw Error('Unable to locate global object');
})();

const ARRAY_BUFFER_SUPPORTED = typeof ArrayBuffer === "function";
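Review bot: the `throw Error('Unable to locate global object')` at the end of the IIFE runs at module evaluation time, so any runtime that exposes none of `globalThis`, `window`, `global` or `self` now fails on import, whereas the removed `savedEval("this")` branch still returned a value there; if that stricter behaviour is intended, state it in the commit message, and prefer `throw new Error(...)` for consistency with the rest of the codebase. The commit message also lists the probe order as `globalThis`, `self`, `window`, `global`, while the hunk checks `window` and `global` before `self`; align one with the other so the description matches the code.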

0 comments on commit 12eb665
