在不使用 eval 的情况下断言 Javascript 中的简单条件

Question

I'm trying to build a Javascript program that can interpret simple conditions:

let condition = '5 + 6 > 10';
if( assert(condition) ){
  //... do something
} else {
  // ... do other thing
}

A simple but unsecure way to implement assert is to simply use eval . It works, but opens a security hole. How could I work around this?

I need support for addition and substraction, string and numbers comparisons, and parenthesis management.

Answer 1

There are several options:

• you can write a tokenizer and parser for your expressions by hand. For a simple grammar like this, this isn't complicated and is actually a very good exercise in programming. Look up "shunting yard algorithm" or "recursive descent parser".

• alternatively, you can use a parser generator like peg or nearley . With a generator, you write your grammar in their specific language and let the generator create a parsing function for you. Check out their examples: https://pegjs.org/online ,https://github.com/kach/nearley/tree/master/examples/calculator

• finally, you can use a full-blown Javascript parser like esprima or acorn . This way you'll get a complete javascript AST, which you can walk and perform calculations as you go. This method is far more complicated that the others, but gives you the full power of javascript in your expressions, eg functions, regexes etc.

Answer 2

If the interpreter supports toString() on functions, you can do this for example:

function test (f) {
  let source = f.toString().replace(/^\(\) => /,'');
  if (f()) {
    console.log(source+" succeeded");
  } else {
    console.log(source+" failed");
  }
}
let condition = () => 5 + 6 > 10;
test(condition)
test(() => 5 + 4 > 10)