- This code runs in a Worker with
{ permissions: { write: false, read: false, net: false } }. This is likely very safe, but if you enable network access keep in mind that users might generate junk network traffic or attempt to make infinite loops. - If sandboxed code knows the name of one of your private vals it will be able to import the code with
import "https://esm.town/v/maxm/private". - If you enabled
write: truein the Worker, the unix socket that Deno uses to communicate with the host can be deleted and intercepted. This might mean that evaluated code can steal the socket and read the next request. You should not use this to evaluate code that should not be read by a previous evaluation. - All code is running on the same process and you are not protected from exotic attacks like speculative execution.
You can use this library to evaluate code:
import { evalCode } from "https://esm.town/maxm/eval"
console.log(await evalCode("export const foo = 1")) // => 1
You can use this library with https://www.val.town/v/maxm/transformEvalCode to return the last value without needing to export it. This is how the /eval api endpoint used to work and makes the library preform similarly to a repl.
import { evalCode } from "https://esm.town/maxm/eval"
import { transform } from "https://esm.town/maxm/transformEvalCode"
console.log(await evalCode(transform("1+1"))) // => 2
Here's an example UI application that demonstrates how you can string this all together: https://maxm-evalui.web.val.run/ (source: https://www.val.town/v/maxm/evalUI)
Code is evaluated using a dynamic import within a Worker.
Running the code withing a Worker prevents access to GlobalThis and window from leaking between evals.
Similarly, access to Deno.env is prevented and evaluations will see errors when trying to access any environment variables.
TODO: what else?
Migrated from folder: eval/eval