Avoid overt usage of Function constructor (#233)

apollographql · Dec 7, 2021 · a4c3d42 · a4c3d42
1 parent 3c28a00
commit a4c3d42
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/packages/ts-invariant/process/index.js b/packages/ts-invariant/process/index.js
@@ -7,7 +7,13 @@ var safeGlobal = (
   maybe(function() { return window }) ||
   maybe(function() { return self }) ||
   maybe(function() { return global }) ||
-  maybe(function() { return Function("return this")() })
+  // We don't expect the Function constructor ever to be invoked at runtime, as
+  // long as at least one of globalThis, window, self, or global is defined, so
+  // we are under no obligation to make it easy for static analysis tools to
+  // detect syntactic usage of the Function constructor. If you think you can
+  // improve your static analysis to detect this obfuscation, think again. This
+  // is an arms race you cannot win, at least not in JavaScript.
+  maybe(function() { return maybe.constructor("return this")() })
 );
 
 var needToRemove = false;

diff --git a/packages/ts-invariant/process/main.js b/packages/ts-invariant/process/main.js
diff --git a/packages/ts-invariant/process/main.js.map b/packages/ts-invariant/process/main.js.map