
Fix code that generates warning when submit to Mozilla. #1514

Open
dteviot opened this issue Sep 26, 2024 · 4 comments

Comments

@dteviot
Owner

dteviot commented Sep 26, 2024

The Function constructor is eval.
Warning: Evaluation of strings as code can lead to security vulnerabilities and performance issues, even in the most innocuous of circumstances. Please avoid using eval and the Function constructor when at all possible.

jszip/dist/jszip.min.js line 13 column 96498

Has been seen elsewhere. FooSoft/yomichan#828 (comment)
Not sure why it's showing now.

@gamebeaker
Collaborator

gamebeaker commented Sep 26, 2024

@dteviot as a "hack" you can just delete the offending part in jszip.min.js and it still works. (More tests needed.)
Why do I think this is a valid solution? In my opinion the browser would block the JS execution with the content_security_policy if WebToEpub tried to execute it, because https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy is not set to 'unsafe-eval'. I tested it with new Function("console.log('test success');"); in main.js and get this error:
[screenshot]

That is why I think this part of the code is never used in WebToEpub and can be deleted.
Replace &&(e=new Function(""+e)) in jszip.min.js with nothing.
[screenshot]
[screenshot]
Save the file and try web-ext lint; it should now have no warnings.

@dteviot
Owner Author

dteviot commented Sep 26, 2024

@gamebeaker

as a "hack" you can just delete the offending part in jszip.min.js and it still works.

That's not a solution.
The problem is, the code generates a warning message when the file is submitted to Mozilla to go on the store. (Later on, this might become: extension is rejected. As it is, it's posting a warning that the submission may be manually inspected and rejected.)

Modifying jszip.min.js is not feasible because it's a minified file. That's only acceptable to Mozilla because it's a copy of a known library. I needed to specify the library so it can validate that the file is the same. If we modify the code, it will no longer match.

@gamebeaker
Collaborator

As jszip is no longer in active development (2 years since the last update), another zip packager is needed. Here is a comparison by downloads:
https://npmtrends.com/adm-zip-vs-archiver-vs-jszip-vs-node-zip-vs-zip

@dteviot
Owner Author

dteviot commented Sep 30, 2024

A third option, include source of jszip, rather than minified version. And remove the offending bit. But I'll take a look at the other zip packagers.
