Update to "degenerator" v3.0.1

TooTallNate · TooTallNate · commit af3c42eb4df7 · 2021-07-12T14:32:49.000-07:00
diff --git a/package.json b/package.json
@@ -8,7 +8,7 @@
     "dist"
   ],
   "dependencies": {
-    "degenerator": "^2.2.0",
+    "degenerator": "^3.0.1",
     "ip": "^1.1.5",
     "netmask": "^2.0.1"
   },
diff --git a/src/index.ts b/src/index.ts
@@ -48,7 +48,7 @@ function createPacResolver(
 	const names = Object.keys(sandbox).filter(k => isAsyncFunction(sandbox[k]));
 
 	// Compile the JS `FindProxyForURL()` function into an async function.
-	const resolver = compile<(url: string, host: string) => Promise<string>>(
+	const resolver = compile<string, [url: string, host: string]>(
 		str,
 		'FindProxyForURL',
 		names,
diff --git a/test/test.js b/test/test.js
@@ -28,7 +28,7 @@ describe('FindProxyForURL', function() {
 		});
 	});
 
-	it('should not modify the passed-in options object ', function(done) {
+	it('should not modify the passed-in options object', function(done) {
 		function foo() {}
 		const opts = { sandbox: { foo } };
 		const FindProxyForURL = pac(
@@ -43,6 +43,29 @@ describe('FindProxyForURL', function() {
 		});
 	});
 
+	it('should prevent untrusted code from escaping the sandbox', function() {
+		let err;
+		try {
+			pac(
+				`// Real PAC config:
+				function FindProxyForURL(url, host) {
+				return "DIRECT";
+				}
+				
+				// But also run arbitrary code:
+				var f = this.constructor.constructor(\`
+				process.exit(1);
+				\`);
+
+				f();
+				`
+			);
+		} catch(_err) {
+			err = _err;
+		}
+		assert.strictEqual(err.message, 'process is not defined')
+	});
+
 	describe('official docs Example #1', function() {
 		var FindProxyForURL = pac(
 			'function FindProxyForURL(url, host) {' +
