JavaScript expression parsing and evaluation.
Powered by jsep.
npm install --save expression-eval
const expr = require('expression-eval');
const ast = expr.parse('1 + foo');
The result of the parse is an AST (abstract syntax tree), like:
{
"type": "BinaryExpression",
"operator": "+",
"left": {
"type": "Literal",
"value": 1,
"raw": "1"
},
"right": {
"type": "Identifier",
"name": "foo"
}
}
const expr = require('expression-eval');
const ast = expr.parse('a + b / c'); // abstract syntax tree (AST)
const value = expr.eval(ast, {a: 2, b: 2, c: 5}); // 2.4
const expr = require('expression-eval');
const fn = expr.compile('foo.bar + 10');
fn({foo: {bar: 'baz'}}); // 'baz10'
Although this package does avoid the use of eval()
, it cannot guarantee that user-provided expressions, or user-provided inputs to evaluation, will not modify the state or behavior of your application. Always use caution when combining user input and dynamic evaluation, and avoid it where possible.
For example:
const ast = expr.parse('foo[bar](baz)()');
expr.eval(ast, {
foo: String,
bar: 'constructor',
baz: 'console.log("im in ur logs");'
});
// Prints: "im in ur logs"
The kinds of expressions that can expose vulnerabilities can be more subtle than this, and are sometimes possible even in cases where users only provide primitive values as inputs to pre-defined expressions.
MIT License.