JavaScript expression parsing and evaluation.
Powered by jsep.
npm install --save expression-eval
const expr = require('expression-eval');
const ast = expr.parse('1 + foo');The result of the parse is an AST (abstract syntax tree), like:
{
"type": "BinaryExpression",
"operator": "+",
"left": {
"type": "Literal",
"value": 1,
"raw": "1"
},
"right": {
"type": "Identifier",
"name": "foo"
}
}const expr = require('expression-eval');
const ast = expr.parse('a + b / c'); // abstract syntax tree (AST)
const value = expr.eval(ast, {a: 2, b: 2, c: 5}); // 2.4Alternatively, use evalAsync for asynchronous evaluation.
As an alternative to requiring identifier values to be pre-populated directly within the context, the context may hold a function getValue( identifierName ) returning the value
of the identifier.
const expr = require('expression-eval');
const fn = expr.compile('foo.bar + 10');
fn({foo: {bar: 'baz'}}); // 'baz10'Alternatively, use compileAsync for asynchronous compilation.
Although this package does avoid the use of eval(), it cannot guarantee that user-provided expressions, or user-provided inputs to evaluation, will not modify the state or behavior of your application. Always use caution when combining user input and dynamic evaluation, and avoid it where possible.
For example:
const ast = expr.parse('foo[bar](baz)()');
expr.eval(ast, {
foo: String,
bar: 'constructor',
baz: 'console.log("im in ur logs");'
});
// Prints: "im in ur logs"The kinds of expressions that can expose vulnerabilities can be more subtle than this, and are sometimes possible even in cases where users only provide primitive values as inputs to pre-defined expressions.
MIT License.