From 9054b1bc14a9c8a49cae692dc3953641fea1e38a Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Fri, 21 Jul 2023 08:17:01 +0200
Subject: [PATCH] LibJS: Always taint parsing environment on call to eval()

We had an edge case where calls to eval() left the environment untainted *if* `eval` had also been declared as a local variable in the same parsing context. This broke the expected direct eval behavior when the variable `eval` was still pointing at the global `eval` function. This patch fixes the issue by simply always tainting the environment when a call to something named `eval` is encountered. It doesn't seem worth worrying about optimizing the case where someone is calling their own function named `eval`.. Fixes 1 test-js test in bytecode mode. :^)
---
 Userland/Libraries/LibJS/Parser.cpp | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/Userland/Libraries/LibJS/Parser.cpp b/Userland/Libraries/LibJS/Parser.cpp
index 8e850d49b1..d51480e277 100644
--- a/Userland/Libraries/LibJS/Parser.cpp
+++ b/Userland/Libraries/LibJS/Parser.cpp
@@ -2230,19 +2230,8 @@ NonnullRefPtr Parser::parse_expression(int min_precedence, Ass
 if (is(*expression) && m_state.current_scope_pusher) {
 auto& callee = static_ptr_cast(expression)->callee();
- if (is(callee)) {
- auto& identifier_instance = static_cast(callee);
- if (identifier_instance.string() == "eval"sv) {
- bool has_not_been_declared_as_variable = true;
- for (auto scope = m_state.current_scope_pusher; scope; scope = scope->parent_scope()) {
- if (scope->has_declaration(identifier_instance.string())) {
- has_not_been_declared_as_variable = false;
- break;
- }
- }
- if (has_not_been_declared_as_variable)
- m_state.current_scope_pusher->set_contains_direct_call_to_eval();
- }
+ if (is(callee) && static_cast(callee).string() == "eval"sv) {
+ m_state.current_scope_pusher->set_contains_direct_call_to_eval();
 }
 }
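Review bot: The new condition on the `if (is(callee) && ...)` line deserves a comment recording that the over-approximation is deliberate, because the tainting it triggers is what direct-eval scoping depends on and the deleted shadowing walk shows how easily a later cleanup could "optimize" it back: `// Deliberately taint even when "eval" is shadowed: a local binding named eval may still hold the global eval, and a false negative here breaks direct-eval scoping.` A minor style point is that the single-statement body is wrapped in braces, whereas the code this replaces wrote `if (has_not_been_declared_as_variable)` without them, so the braces could be dropped to match the surrounding convention. The template arguments of `is<>`, `static_ptr_cast<>` and `static_cast<>` appear to have been stripped by the rendering rather than by the patch, so I have not treated that as a defect. parse_expression's body starts and ends outside the hunk.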