From c0e61fb2518fc4e8170d5bda3c477494db1f14cb Mon Sep 17 00:00:00 2001
From: Joan Touzet <joant@atypical.net>
Date: Wed, 25 Oct 2017 16:16:37 -0400
Subject: Disable eval() and Function() constructor in JS by default

This changes the couchjs --no-eval flag to --eval and disables
eval() and Function() constructors by default in couchjs.
---
 src/couch/priv/couch_js/help.h           |  2 +-
 src/couch/priv/couch_js/main.c           |  6 ++---
 src/couch/priv/couch_js/util.c           |  4 ++--
 src/couch/priv/couch_js/util.h           |  2 +-
 test/javascript/run                      |  2 +-
 test/javascript/tests/view_sandboxing.js | 40 ++++++++------------------------
 6 files changed, 18 insertions(+), 38 deletions(-)

diff --git a/src/couch/priv/couch_js/help.h b/src/couch/priv/couch_js/help.h
index e6afaa830..c6d76b257 100644
--- a/src/couch/priv/couch_js/help.h
+++ b/src/couch/priv/couch_js/help.h
@@ -54,7 +54,7 @@ static const char USAGE_TEMPLATE[] =
     "              most SIZE bytes of memory to be allocated\n"
     "  -u FILE     path to a .uri file containing the address\n"
     "              (or addresses) of one or more servers\n"
-    "  --no-eval   Disable runtime code evaluation\n"
+    "  --eval      Enable runtime code evaluation (dangerous!)\n"
     "\n"
     "Report bugs at <%s>.\n";
 
diff --git a/src/couch/priv/couch_js/main.c b/src/couch/priv/couch_js/main.c
index 20096ae27..986791c90 100644
--- a/src/couch/priv/couch_js/main.c
+++ b/src/couch/priv/couch_js/main.c
@@ -353,10 +353,10 @@ static JSBool
 csp_allows(JSContext* cx)
 {
     couch_args *args = (couch_args*)JS_GetContextPrivate(cx);
-    if(args->no_eval) {
-        return JS_FALSE;
-    } else {
+    if(args->eval) {
         return JS_TRUE;
+    } else {
+        return JS_FALSE;
     }
 }
 
diff --git a/src/couch/priv/couch_js/util.c b/src/couch/priv/couch_js/util.c
index 7919025d3..cf676ea33 100644
--- a/src/couch/priv/couch_js/util.c
+++ b/src/couch/priv/couch_js/util.c
@@ -98,8 +98,8 @@ couch_parse_args(int argc, const char* argv[])
             }
         } else if(strcmp("-u", argv[i]) == 0) {
             args->uri_file = argv[++i];
-        } else if(strcmp("--no-eval", argv[i]) == 0) {
-            args->no_eval = 1;
+        } else if(strcmp("--eval", argv[i]) == 0) {
+            args->eval = 1;
         } else if(strcmp("--", argv[i]) == 0) {
             i++;
             break;
diff --git a/src/couch/priv/couch_js/util.h b/src/couch/priv/couch_js/util.h
index 062469d66..b24d7f76f 100644
--- a/src/couch/priv/couch_js/util.h
+++ b/src/couch/priv/couch_js/util.h
@@ -16,7 +16,7 @@
 #include <jsapi.h>
 
 typedef struct {
-    int          no_eval;
+    int          eval;
     int          use_http;
     int          use_test_funs;
     int          stack_size;
diff --git a/test/javascript/run b/test/javascript/run
index 96b3a5696..c611be51e 100755
--- a/test/javascript/run
+++ b/test/javascript/run
@@ -72,7 +72,7 @@ def mkformatter(tests):
 
 def run_couchjs(test, fmt):
     fmt(test)
-    cmd = [COUCHJS, "-H", "-T"] + \
+    cmd = [COUCHJS, "--eval", "-H", "-T"] + \
             ["-u", "test/javascript/couchdb.uri"] + SCRIPTS + [test, RUNNER]
     p = sp.Popen(
         cmd,
diff --git a/test/javascript/tests/view_sandboxing.js b/test/javascript/tests/view_sandboxing.js
index 1f97218b7..1cdd815de 100644
--- a/test/javascript/tests/view_sandboxing.js
+++ b/test/javascript/tests/view_sandboxing.js
@@ -148,41 +148,21 @@ couchTests.view_sandboxing = function(debug) {
   // cleanup
   db.deleteDb();
 
-/* TODO: re-enable this test once --no-eval is the default
   // test that runtime code evaluation can be prevented
-  var couchjs_command_xhr = CouchDB.request(
-    "GET", "_node/node1@127.0.0.1/_config/query_servers/javascript");
-
-  var couchjs_command = JSON.parse(couchjs_command_xhr.responseText);
-  var couchjs_command_args = couchjs_command.match(/\S+|"(?:\\"|[^"])+"/g);
-
-  couchjs_command_args.splice(1, 0, "--no-eval");
-  var new_couchjs_command = couchjs_command_args.join(" ");
-
-  run_on_modified_server(
-    [{section: "query_servers",
-      key: "javascript",
-      value: new_couchjs_command}],
-    function () {
-      CouchDB.request("POST", "_reload_query_servers");
-
-      db_name = get_random_db_name();
-      db = new CouchDB(db_name, {"X-Couch-Full-Commit":"false"});
-      db.createDb();
+  db_name = get_random_db_name();
+  db = new CouchDB(db_name, {"X-Couch-Full-Commit":"false"});
+  db.createDb();
 
-      var doc = {integer: 1, string: "1", array: [1, 2, 3]};
-      T(db.save(doc).ok);
+  var doc = {integer: 1, string: "1", array: [1, 2, 3]};
+  T(db.save(doc).ok);
 
-      var results = db.query(function(doc) {
-          var glob = emit.constructor('return this')();
-          emit(doc._id, null);
-      });
+  var results = db.query(function(doc) {
+      var glob = emit.constructor('return this')();
+      emit(doc._id, null);
+  });
 
-      TEquals(0, results.rows.length);
-    });
-*/
+  TEquals(0, results.rows.length);
 
   // cleanup
-  CouchDB.request("POST", "_reload_query_servers");
   db.deleteDb();
 };
-- 
cgit v1.2.1