notSoSafeEval

slavaGanzin · Aug 1, 2023 · 481f967 · 481f967
1 parent ff5555d
commit 481f967
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -90,6 +90,26 @@ $ rconf "http://192.168.1.85:14141/ea9b50e5de7e17e0ff38f0b7808917acbbe87ca6ce46e
 Hello world!
 ```
 
+### Code execution
+If you need dynamic configuration, i.e. tailored for each host use `{{{return javascript code}}}` in any configuration file (except rconf.yaml). For example:
+
+```
+#nginx.conf
+http {
+    events {
+        worker_connections {{{return parseInt(Math.random()*100)}}};
+    }
+    server {
+        listen {{{return rconf.interfaces.eth0.address}}}:3001;
+        server_name {{{
+            if (rconf.env.HOSTNAME) return rconf.env.HOSTNAME
+            return 'default.hostname'
+          }};
+    }
+}
+```
+Is this secure? No. Use with caution
+
 ### Cookbook
 
 #### join all devices in single vpn network using zerotier

diff --git a/client.js b/client.js
@@ -1,4 +1,4 @@
-const {getDiff, every, detectLanguage, joinPath, run, calculateHash, coerceArray, which, mkdirp, dirname, fs} = require('./helpers')
+const {getDiff, every, detectLanguage, joinPath, run, calculateHash, coerceArray, which, mkdirp, dirname, fs, notSoSafeEval} = require('./helpers')
 const {generateClientConfig} = require('./config')
 
 module.exports = queryUrl => {
@@ -39,6 +39,7 @@ module.exports = queryUrl => {
           const prev = tryCatch(fs.readFileSync, () => '')(f.path, 'utf8')
 
           if (calculateHash(prev) == calculateHash(f.content)) continue
+          f.content = replace(/{{{(.*?)}}}/gim, (x,code) => notSoSafeEval(code), f.content)
           fs.writeFileSync(f.path, f.content)
           log(service, 'file:updated '+f.path, {status: 'inprogress', diff: getDiff(prev, f.content)})
         }

diff --git a/helpers.js b/helpers.js
@@ -104,5 +104,12 @@ const Spinner = compose(ora, mergeRight({
   spinner: {interval: 380, frames: [ "⣾", "⣽", "⣻", "⢿", "⡿", "⣟", "⣯", "⣷" ] }
 }))
 
+const notSoSafeEval = code =>
+  new Function('rconf', 'process', 'require', code)({
+    env: process.env,
+    interfaces: getIPV4Interfaces(),
+    // os: require('os'),
+  })
 
-module.exports = {getDiff, every, detectLanguage, joinPath, run, calculateHash, coerceArray, which, mkdirp, dirname, fs, os, getIPV4Interfaces, pp, Spinner}
+
+module.exports = {getDiff, every, detectLanguage, joinPath, run, calculateHash, coerceArray, which, mkdirp, dirname, fs, os, getIPV4Interfaces, pp, Spinner, notSoSafeEval}
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "description": "Remote configuration syncronization daemon with Web UI",
   "name": "rconf",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "main": "index.js",
   "license": "MIT",
   "bin": "rconf.js",