Security / escape sandbox #76

Closed
baszczewski opened this issue Apr 11, 2024 · 1 comment

Comments

@baszczewski

I would like to know if using this project is safe in a production environment? Has eval been used at any stage? Do user-written expressions have the chance to escape the sandbox like in an alternative project (browserify/static-eval#32)?

@FlavioLionelRita
Collaborator

Hello good morning.
I don't use eval anywhere in the code.
To resolve the expressions, they are parsed, converting them into a tree of operators and operands.
Example:

```typescript
private operators (model: ModelService): void {
	// Arithmetic operators: each signature string maps to a fixed implementation
	model.addOperator('+(a:T,b:T):T', (a: any, b: any):any => a + b, { priority: 5 })
	model.addOperator('-(a:number,b:number):number', (a: number, b: number):number => a - b, { priority: 5 })
	model.addOperator('-(a:number):number', (a: number):number => a * -1, { priority: 9 })
	model.addOperator('*(a:number,b:number):number', (a: number, b: number):number => a * b, { priority: 6 })
	model.addOperator('/(a:number,b:number):number', (a: number, b: number):number => a / b, { priority: 6 })
	model.addOperator('**(a:number,b:number):number', (a: number, b: number):number => a ** b, { priority: 7 })
	model.addOperator('//(a:number,b:number):number', (a: number, b: number):number => Math.pow(a, 1 / b), { priority: 7 })
	model.addOperator('%(a:number,b:number):number', (a: number, b: number):number => a % b, { priority: 8 })

	// Bitwise operators
	model.addOperator('&(a:number,b:number):number', (a: number, b: number):number => a & b, { priority: 5 })
	model.addOperator('|(a:number,b:number):number', (a: number, b: number):number => a | b, { priority: 5 })
	model.addOperator('^(a:number,b:number):number', (a: number, b: number):number => a ^ b, { priority: 5 })
	model.addOperator('~(a:number):number', (a: number):number => ~a, { priority: 9 })
	model.addOperator('<<(a:number,b:number):number', (a: number, b: number):number => a << b, { priority: 5 })
	model.addOperator('>>(a:number,b:number):number', (a: number, b: number):number => a >> b, { priority: 5 })
}
```
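
The evaluation model described in the reply above, as an added example that is not part of the original thread or the project's own code: a tree of operators and operands is walked, and each operator resolves only through a fixed registration table, so no expression text ever reaches `eval`. The names `Expr`, `OPERATORS` and `evaluate`, the `symbol:arity` key format, and the hand-built sample tree are assumptions made for illustration.

```typescript
// Hypothetical names (Expr, OPERATORS, evaluate); not the library's API.
type Expr =
  | { kind: 'const'; value: number }
  | { kind: 'var'; name: string }
  | { kind: 'op'; name: string; args: Expr[] }

type Impl = (...args: number[]) => number

// A Map keyed by "symbol:arity" holds the only code an expression can reach.
// Unlike a plain object, a Map has no inherited keys such as "constructor".
const OPERATORS = new Map<string, Impl>([
  ['+:2', (a, b) => a + b],
  ['-:2', (a, b) => a - b],
  ['-:1', (a) => a * -1],
  ['*:2', (a, b) => a * b],
  ['/:2', (a, b) => a / b],
  ['**:2', (a, b) => a ** b],
  ['%:2', (a, b) => a % b],
])

function evaluate(node: Expr, context: Record<string, unknown>): number {
  switch (node.kind) {
    case 'const':
      return node.value
    case 'var': {
      // Own properties only: inherited names like "constructor" never resolve.
      if (!Object.prototype.hasOwnProperty.call(context, node.name)) {
        throw new Error(`unknown variable: ${node.name}`)
      }
      const value = context[node.name]
      if (typeof value !== 'number') throw new Error(`not a number: ${node.name}`)
      return value
    }
    case 'op': {
      // Anything not registered for this symbol and arity is rejected.
      const impl = OPERATORS.get(`${node.name}:${node.args.length}`)
      if (!impl) throw new Error(`unknown operator: ${node.name}`)
      return impl(...node.args.map((arg) => evaluate(arg, context)))
    }
  }
}

// Constructed sample tree for the expression: -(a) + b * 3
const sample: Expr = { kind: 'op', name: '+', args: [
  { kind: 'op', name: '-', args: [{ kind: 'var', name: 'a' }] },
  { kind: 'op', name: '*', args: [{ kind: 'var', name: 'b' }, { kind: 'const', value: 3 }] },
] }
```

With this shape, the review surface for a production deployment is the registration table and the name-resolution rule, since those are the only points where expression input selects host behaviour.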
