In file lib/utils/sea.js, the following use of eval is dangerous:
if (configSource) {
configData = eval('(' + configSource + ')');
}The config file can be used to inject arbitrary commands. Either validate the content of the file, use JSON.parse or use a more advanced sanitization package like:
https://www.npmjs.com/package/eval-sanitizer
In file lib/utils/sea.js, the following use of eval is dangerous:
The config file can be used to inject arbitrary commands. Either validate the content of the file, use JSON.parse or use a more advanced sanitization package like:
https://www.npmjs.com/package/eval-sanitizer