expression-eval

WebJar for expression-eval

License: MIT
GroupId: org.webjars.npm
ArtifactId: expression-eval
Last Version: 3.1.2
Release Date:
Type: jar
Description: expression-eval (WebJar for expression-eval)
Project URL: https://www.webjars.org
Source Code Management: https://github.com/donmccurdy/expression-eval

How to add to project

Maven:

<!-- https://jarcasting.com/artifacts/org.webjars.npm/expression-eval/ -->
<dependency>
    <groupId>org.webjars.npm</groupId>
    <artifactId>expression-eval</artifactId>
    <version>3.1.2</version>
</dependency>

Gradle (Groovy DSL):

// https://jarcasting.com/artifacts/org.webjars.npm/expression-eval/
implementation 'org.webjars.npm:expression-eval:3.1.2'

Gradle (Kotlin DSL):

// https://jarcasting.com/artifacts/org.webjars.npm/expression-eval/
implementation ("org.webjars.npm:expression-eval:3.1.2")

Buildr:

'org.webjars.npm:expression-eval:jar:3.1.2'

Ivy:

<dependency org="org.webjars.npm" name="expression-eval" rev="3.1.2">
  <artifact name="expression-eval" type="jar" />
</dependency>

Grape:

@Grapes(
@Grab(group='org.webjars.npm', module='expression-eval', version='3.1.2')
)

SBT:

libraryDependencies += "org.webjars.npm" % "expression-eval" % "3.1.2"

Leiningen:

[org.webjars.npm/expression-eval "3.1.2"]

Dependencies

compile (1)

Group / Artifact Type Version
org.webjars.npm : jsep jar [0.3.0,0.4)

Project Modules

There are no modules declared in this project.

expression-eval

JavaScript expression parsing and evaluation.

Powered by jsep.

Installation

Install:

npm install --save expression-eval

Import:

// ES6 (module code is strict, so the binding cannot be named `eval`; alias it)
import { parse, eval as evaluate } from 'expression-eval';
// CommonJS
const { parse, eval } = require('expression-eval');
// UMD / standalone script
const { parse, eval } = window.expressionEval;

API

Parsing

import { parse } from 'expression-eval';
const ast = parse('1 + foo');

The result of the parse is an AST (abstract syntax tree), like:

{
  "type": "BinaryExpression",
  "operator": "+",
  "left": {
    "type": "Literal",
    "value": 1,
    "raw": "1"
  },
  "right": {
    "type": "Identifier",
    "name": "foo"
  }
}

Evaluation

import { parse, eval as evaluate } from 'expression-eval'; // alias: `eval` is not a valid binding name in module (strict) code
const ast = parse('a + b / c'); // abstract syntax tree (AST)
const value = evaluate(ast, {a: 2, b: 2, c: 5}); // 2.4

Alternatively, use evalAsync for asynchronous evaluation.

Compilation

import { compile } from 'expression-eval';
const fn = compile('foo.bar + 10');
fn({foo: {bar: 'baz'}}); // 'baz10'

Alternatively, use compileAsync for asynchronous compilation.

Security

Although this package does avoid the use of eval(), it cannot guarantee that user-provided expressions, or user-provided inputs to evaluation, will not modify the state or behavior of your application. Always use caution when combining user input and dynamic evaluation, and avoid it where possible.

For example:

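const expr = require('expression-eval');

// String.constructor is the Function constructor, so the expression
// builds a function from the string in `baz` and then calls it.
const ast = expr.parse('foo[bar](baz)()');
expr.eval(ast, {
  foo: String,
  bar: 'constructor',
  baz: 'console.log("im in ur logs");'
});
// Prints: "im in ur logs"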

The kinds of expressions that can expose vulnerabilities can be more subtle than this, and are sometimes possible even in cases where users only provide primitive values as inputs to pre-defined expressions.
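
One way to reduce this exposure is to walk the parsed AST and reject anything outside a small allowlist before evaluating it. The following is an added example, not code from expression-eval or jsep: `findViolations` and the other names are hypothetical, and the sample ASTs are constructed by hand in the jsep node format shown under Parsing.

```javascript
// Added example: allowlist check over a jsep-style AST, run before evaluation.
// Maps each permitted node type to the child fields that must be walked.
// A Map is used so a node type such as "constructor" cannot match Object.prototype.
const CHILD_FIELDS = new Map([
  ['Literal', []],
  ['Identifier', []],
  ['UnaryExpression', ['argument']],
  ['BinaryExpression', ['left', 'right']],
  ['LogicalExpression', ['left', 'right']],
  ['ConditionalExpression', ['test', 'consequent', 'alternate']],
  ['MemberExpression', ['object']], // the property is checked separately below
]);
const BLOCKED_PROPS = new Set(['constructor', '__proto__', 'prototype']);

// Returns a list of policy violations; an empty list means the AST passed.
function findViolations(node, allowedNames, out = []) {
  const fields = node && CHILD_FIELDS.get(node.type);
  if (!fields) { // CallExpression, ThisExpression, Compound, ... are all refused
    out.push(`node type not allowed: ${node ? node.type : node}`);
    return out;
  }
  if (node.type === 'Identifier' && !allowedNames.has(node.name)) {
    out.push(`identifier not allowed: ${node.name}`);
  }
  if (node.type === 'MemberExpression') {
    const p = node.property;
    if (node.computed || !p || p.type !== 'Identifier') out.push('computed member access not allowed');
    else if (BLOCKED_PROPS.has(p.name)) out.push(`property not allowed: ${p.name}`);
  }
  for (const f of fields) findViolations(node[f], allowedNames, out);
  return out;
}

// Constructed sample ASTs (hand-written, not parser output).
const id = (name) => ({ type: 'Identifier', name });
const pageExample = { // foo[bar](baz)()
  type: 'CallExpression', arguments: [],
  callee: {
    type: 'CallExpression', arguments: [id('baz')],
    callee: { type: 'MemberExpression', computed: true, object: id('foo'), property: id('bar') },
  },
};
const arithmetic = { // a + b / c
  type: 'BinaryExpression', operator: '+', left: id('a'),
  right: { type: 'BinaryExpression', operator: '/', left: id('b'), right: id('c') },
};
const dotted = { type: 'MemberExpression', computed: false, object: id('user'), property: id('constructor') };

console.log(findViolations(pageExample, new Set(['foo', 'bar', 'baz'])));
```

A check like this narrows what an expression can reach; it does not remove the caveat above about subtler cases.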

License

MIT License.

Versions

Version
3.1.2