Consider full removal of eval support #1348

Open
travjenkins opened this issue Oct 31, 2024 · 0 comments
Labels: enhancement (New feature or request), Security (Security Related), tech debt (Placeholder for work that is invisible to the user)

Comments

@travjenkins
Member

travjenkins commented Oct 31, 2024

Why?

Using eval for most validation/search of large schemas is usually a pretty good idea for performance. However, there is some obvious risk in allowing eval to be used in your application. We might want to look at allowing no eval at all.

Web Assembly

This will usually throw errors. However, there is a setting just to allow WASM this privilege.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_webassembly_execution

MUI

Uses eval for data grid filtering. This is easy to disable by putting disableEval on the data grids. Would need to look into the performance impact.


mui/mui-x#11465

AJV

This would be a huge change in approach to the UI. We would need to either switch off AJV

ajv-validator/ajv#2285

Why haven't we yet?

This makes our lives MUCH MUCH MUCH easier. Replacing AJV is no small task. That would mean potentially having to replace JSONForms, and that is a big deal. If we "pre-compile" it, then we would need to have a build like the marketing site and listen to changes to the connectors table. This would also be a pain to maintain.

Also, using eval allows for the filter that MUI does to be faster and easier.

Some documentation also says that eval should be okay while within a file that is hashed or nonced, but I am not entirely sure that is true.

@travjenkins added the tech debt, Security and enhancement labels Oct 31, 2024
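Editor's note, as an added example that is not part of the issue, the project, MUI or AJV: the comment ends on the question of whether a hashed or nonced script file is allowed to call eval. Under CSP it is not. `'unsafe-eval'` is its own source expression in `script-src` (falling back to `default-src`); nonces and hashes only whitelist which `<script>` elements may run, and `'wasm-unsafe-eval'` only permits compiling WebAssembly from bytes without re-enabling JS `eval`/`new Function`. The Node.js script below models that decision so a policy can be checked before it ships, builds a `script-src` without `'unsafe-eval'`, and includes a runtime probe an app can use to choose its no-eval code path (for example, setting `disableEval` on a data grid) instead of discovering the block in the browser console. The function names and the nonce value are constructed for the example; a real nonce must be freshly random for every response.

```javascript
// Added example: how CSP decides whether eval() is allowed. Not code from the
// issue, the project, MUI or AJV; function names and sample values are ours.

// Parse a Content-Security-Policy header value into { directiveName: [sources] }.
// Per CSP, a directive that appears twice is honoured only the first time.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources; // keep sources as-is: nonces are case-sensitive
  }
  return policy;
}

// Sources that govern script execution: script-src if present, else default-src.
// Returns null when neither is set, i.e. nothing restricts scripts.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

// Keyword sources like 'unsafe-eval' are ASCII case-insensitive.
function hasKeyword(sources, keywords) {
  return sources.some((s) => keywords.includes(s.toLowerCase()));
}

// eval()/new Function()/setTimeout(string) are allowed only with 'unsafe-eval'.
// A 'nonce-…' or 'sha256-…' source never lifts this restriction.
function cspAllowsEval(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  return hasKeyword(sources, ["'unsafe-eval'"]);
}

// WebAssembly.compile()/instantiate() from bytes needs 'unsafe-eval' or the
// narrower 'wasm-unsafe-eval', which does not re-enable JavaScript eval.
function cspAllowsWasm(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  return hasKeyword(sources, ["'unsafe-eval'", "'wasm-unsafe-eval'"]);
}

// Build a script-src: a per-response nonce for the app's own scripts, WASM
// allowed by default, and 'unsafe-eval' only when explicitly requested.
function buildScriptSrc({ nonce, allowWasm = true, allowEval = false }) {
  const sources = ["'self'", `'nonce-${nonce}'`];
  if (allowWasm) sources.push("'wasm-unsafe-eval'");
  if (allowEval) sources.push("'unsafe-eval'");
  return `script-src ${sources.join(' ')}`;
}

// Runtime probe. In a browser page whose CSP lacks 'unsafe-eval', new Function()
// throws an EvalError; use the result to pick the no-eval path (e.g. pass
// disableEval to a data grid) rather than letting the first filter blow up.
function evalAvailable() {
  try {
    return new Function('return 1')() === 1;
  } catch (err) {
    if (err instanceof EvalError) return false;
    throw err;
  }
}

function main() {
  // Constructed nonce for the demo only; generate a fresh random one per response.
  const nonce = 'c29tZXJhbmRvbW5vbmNl';
  const strict = `default-src 'self'; ${buildScriptSrc({ nonce })}`;
  const loose = `default-src 'self'; ${buildScriptSrc({ nonce, allowEval: true })}`;
  for (const policy of [strict, loose]) {
    console.log(policy);
    console.log('  eval allowed:', cspAllowsEval(policy), ' wasm allowed:', cspAllowsWasm(policy));
  }
  console.log('this runtime allows eval:', evalAvailable());
}

main();
```

Run it with `node csp-eval-check.js`. The strict policy reports eval blocked and WASM allowed, the loose one reports both allowed, and the probe reports true because Node does not enforce CSP; in a page served with the strict policy the same probe returns false, which is the signal to pass `disableEval` and to expect AJV's generated validators to fail unless they were compiled ahead of time.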