fix: Arbitrary code execution at prettier config load

Author: bajrangCoder

src/lib/prettierFormatter.js

@@ -1,4 +1,5 @@
 import fsOperation from "fileSystem";
+import { parse } from "acorn";
 import toast from "components/toast";
 import appSettings from "lib/settings";
 import prettierPluginBabel from "prettier/plugins/babel";
@@ -319,7 +320,7 @@ function parseJsonLike(text) {
 	const parsed = helpers.parseJSON(trimmed);
 	if (parsed) return parsed;
 	try {
-		return new Function(`return (${trimmed});`)();
+		return parseSafeExpression(trimmed);
 	} catch (_) {
 		return null;
 	}
@@ -329,26 +330,180 @@ function parseJsConfig(directory, source, absolutePath) {
 	if (!source) return null;
 	void directory;
 	void absolutePath;
-	let transformed = source;
-	if (/export\s+default/.test(transformed)) {
-		transformed = transformed.replace(/export\s+default/, "module.exports =");
-	}
-	const module = { exports: {} };
-	const exports = module.exports;
-	function requireStub(request) {
-		throw new Error(
-			`require(\"${request}\") is not supported in Prettier configs inside Acode`,
-		);
-	}
 	try {
-		const fn = new Function("module", "exports", "require", transformed);
-		fn(module, exports, requireStub);
-		return module.exports ?? exports;
+		return extractConfigFromProgram(source);
 	} catch (_) {
 		return null;
 	}
 }
 
+function parseProgram(source) {
+	try {
+		return parse(source, {
+			ecmaVersion: "latest",
+			sourceType: "module",
+			allowHashBang: true,
+		});
+	} catch (_) {
+		return parse(source, {
+			ecmaVersion: "latest",
+			sourceType: "script",
+			allowHashBang: true,
+		});
+	}
+}
+
+function extractConfigFromProgram(source) {
+	const ast = parseProgram(source);
+	const scope = new Map();
+
+	for (const statement of ast.body) {
+		const declared = readVariableDeclaration(statement, scope);
+		if (declared) {
+			for (const [name, value] of declared) {
+				scope.set(name, value);
+			}
+			continue;
+		}
+
+		const exported = readCommonJsExport(statement, scope);
+		if (exported !== undefined) return exported;
+
+		const esmExported = readEsmExport(statement, scope);
+		if (esmExported !== undefined) return esmExported;
+	}
+
+	return null;
+}
+
+function parseSafeExpression(text) {
+	const wrapped = `(${text})`;
+	const ast = parse(wrapped, {
+		ecmaVersion: "latest",
+		sourceType: "module",
+		allowHashBang: true,
+	});
+	const statement = ast.body[0];
+	if (statement?.type !== "ExpressionStatement") return null;
+	return evaluateNode(statement.expression, new Map());
+}
+
+function readVariableDeclaration(statement, scope) {
+	if (statement?.type !== "VariableDeclaration") return null;
+	const values = new Map();
+	const lookupScope = new Map(scope);
+
+	for (const decl of statement.declarations || []) {
+		if (!decl || decl.type !== "VariableDeclarator") continue;
+		if (decl.id?.type !== "Identifier") continue;
+		if (!decl.init) continue;
+		try {
+			const value = evaluateNode(decl.init, lookupScope);
+			values.set(decl.id.name, value);
+			lookupScope.set(decl.id.name, value);
+		} catch (_) {
+			// Ignore unsupported declarations
+		}
+	}
+
+	return values.size ? values : null;
+}
+
+function readCommonJsExport(statement, scope) {
+	if (statement?.type !== "ExpressionStatement") return undefined;
+	const expr = statement.expression;
+	if (expr?.type !== "AssignmentExpression" || expr.operator !== "=") {
+		return undefined;
+	}
+
+	if (!isModuleExports(expr.left)) return undefined;
+	return evaluateNode(expr.right, scope);
+}
+
+function readEsmExport(statement, scope) {
+	if (statement?.type !== "ExportDefaultDeclaration") return undefined;
+	return evaluateNode(statement.declaration, scope);
+}
+
+function isModuleExports(node) {
+	return (
+		node?.type === "MemberExpression" &&
+		!node.computed &&
+		node.object?.type === "Identifier" &&
+		node.object.name === "module" &&
+		node.property?.type === "Identifier" &&
+		node.property.name === "exports"
+	);
+}
+
+function evaluateNode(node, scope) {
+	if (!node) return null;
+
+	switch (node.type) {
+		case "ObjectExpression":
+			return evaluateObjectExpression(node, scope);
+		case "ArrayExpression":
+			return node.elements.map((entry) => evaluateNode(entry, scope));
+		case "Literal":
+			return node.value;
+		case "TemplateLiteral":
+			if (node.expressions.length) {
+				throw new Error("Template expressions are not supported");
+			}
+			return node.quasis.map((part) => part.value.cooked ?? "").join("");
+		case "Identifier":
+			if (scope.has(node.name)) return scope.get(node.name);
+			if (node.name === "undefined") return undefined;
+			throw new Error(`Unsupported identifier: ${node.name}`);
+		case "UnaryExpression":
+			return evaluateUnaryExpression(node, scope);
+		default:
+			throw new Error(`Unsupported node type: ${node.type}`);
+	}
+}
+
+function evaluateObjectExpression(node, scope) {
+	const output = {};
+	for (const property of node.properties || []) {
+		if (!property || property.type !== "Property") {
+			throw new Error("Unsupported object property");
+		}
+		if (property.kind !== "init" || property.method || property.shorthand) {
+			throw new Error("Unsupported object property kind");
+		}
+		const key = property.computed
+			? evaluateNode(property.key, scope)
+			: getPropertyKey(property.key);
+		const normalizedKey =
+			typeof key === "string" || typeof key === "number" ? String(key) : null;
+		if (!normalizedKey) {
+			throw new Error("Unsupported object key");
+		}
+		output[normalizedKey] = evaluateNode(property.value, scope);
+	}
+	return output;
+}
+
+function getPropertyKey(node) {
+	if (node?.type === "Identifier") return node.name;
+	if (node?.type === "Literal") return node.value;
+	throw new Error("Unsupported property key");
+}
+
+function evaluateUnaryExpression(node, scope) {
+	const value = evaluateNode(node.argument, scope);
+	switch (node.operator) {
+		case "+":
+			return +value;
+		case "-":
+			return -value;
+		case "!":
+			return !value;
+		default:
+			throw new Error(`Unsupported unary operator: ${node.operator}`);
+	}
+}
+
 function normalizePath(path) {
 	let result = String(path || "").replace(/\\/g, "/");
 	while (result.length > 1 && result.endsWith("/")) {