--disallow-code-generation-from-strings does not work as documented

[ChALkeR]

Doc: https://nodejs.org/docs/latest/api/cli.html#--disallow-code-generation-from-strings

It is advertised to cover built-in language features, but it doesn't cover data imports

No Node.js modules are directly imported here

// run with node and node --disallow-code-generation-from-strings
const payload = 'console.log("evaluated code from string")'
try { eval(payload) } catch (e) { console.log(e.message) }
try { new Function(payload)() } catch (e) { console.log(e.message) }
try { await import('data:text/javascript,' + payload) } catch (e) { console.log(e.message) }

Output:

% node --disallow-code-generation-from-strings 1.js
Code generation from strings disallowed for this context
Code generation from strings disallowed for this context
evaluated code from string

[ChALkeR]

For comparison, this is what browsers do under CSP:

[edilson258]

wait, the official nodejs docs only covers eval and new Function and those does not allow code from strings.

In the example U brought, only the last line (bellow) executes the code even with the flag --disallow-code-generation-from-strings set

try { await import('data:text/javascript,' + payload) } catch (e) { console.log(e.message) }

and the docs does not cover that

refs: https://nodejs.org/docs/latest-v16.x/api/cli.html#--disallow-code-generation-from-strings

[ChALkeR]

Doc states:

Make built-in language features like ...

1. import() is a built-in language feature, defined in the ECMAScript specification.
2. "like" is not exhaustive
3. This is analogous to script-src CSP for browsers blocking unsafe-eval, and that one blocks data imports too.
4. Having built-in import() as a dynamic eval defeats the purpose of this flag to a significant extent

[edilson258]

@ChALkeR you are right!

@mojodna @bmizerany need your opinion about this please.

[legendecas]

The flag --disallow-code-generation-from-strings only covers features that are guarded by ECMA262 host hook HostEnsureCanCompileStrings. The exhausted API list is

• eval,
• new Function,
• ShadowRealm.prototype.evaluate (https://github.com/tc39/proposal-shadowrealm/).

There are many APIs in Node.js' module system, and node:vm, that allows creating script and modules dynamically. I think the doc for --disallow-code-generation-from-strings should also explicit exclude Node.js' module APIs.

[jimmywarting]

Um, maybe it should not cover that?
maybe import() should be restricted instead to what you can and can't import
such that you only allow imports from "self", http, https and no data: url