From 8b49d948f58e0665e87e63f7e154ab53fa60a939 Mon Sep 17 00:00:00 2001
From: Nayeem Rahman <nayeemrmn99@gmail.com>
Date: Mon, 12 Apr 2021 00:40:42 +0100
Subject: fix(runtime/js/timers): Use (0, eval) instead of eval() (#10103)

---
 cli/tests/unit/test_util.ts   |  1 +
 cli/tests/unit/timers_test.ts | 22 ++++++++++++++++++++++
 runtime/js/11_timers.js       |  2 +-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/cli/tests/unit/test_util.ts b/cli/tests/unit/test_util.ts
index 39866c3fc..0f967c0fb 100644
--- a/cli/tests/unit/test_util.ts
+++ b/cli/tests/unit/test_util.ts
@@ -21,6 +21,7 @@ export {
   unreachable,
 } from "../../../test_util/std/testing/asserts.ts";
 export { deferred } from "../../../test_util/std/async/deferred.ts";
+export type { Deferred } from "../../../test_util/std/async/deferred.ts";
 export { readLines } from "../../../test_util/std/io/bufio.ts";
 export { parse as parseArgs } from "../../../test_util/std/flags/mod.ts";
 
diff --git a/cli/tests/unit/timers_test.ts b/cli/tests/unit/timers_test.ts
index 11698b3c3..f04793afe 100644
--- a/cli/tests/unit/timers_test.ts
+++ b/cli/tests/unit/timers_test.ts
@@ -3,6 +3,7 @@ import {
   assert,
   assertEquals,
   assertNotEquals,
+  Deferred,
   deferred,
   unitTest,
 } from "./test_util.ts";
@@ -64,6 +65,27 @@ unitTest(async function timeoutSuccess(): Promise<void> {
   assertEquals(count, 1);
 });
 
+unitTest(async function timeoutEvalNoScopeLeak(): Promise<void> {
+  // eval can only access global scope
+  const global = globalThis as unknown as {
+    globalPromise: Deferred<Error>;
+  };
+  global.globalPromise = deferred();
+  setTimeout(
+    `
+    try {
+      console.log(core);
+      globalThis.globalPromise.reject(new Error("Didn't throw."));
+    } catch (error) {
+      globalThis.globalPromise.resolve(error);
+    }` as unknown as () => void,
+    0,
+  );
+  const error = await global.globalPromise;
+  assertEquals(error.name, "ReferenceError");
+  Reflect.deleteProperty(global, "globalPromise");
+});
+
 unitTest(async function timeoutArgs(): Promise<void> {
   const promise = deferred();
   const arg = 1;
diff --git a/runtime/js/11_timers.js b/runtime/js/11_timers.js
index 046609f75..eef1d39b2 100644
--- a/runtime/js/11_timers.js
+++ b/runtime/js/11_timers.js
@@ -442,7 +442,7 @@
     if ("function" === typeof callback) {
       callback();
     } else {
-      eval(callback);
+      (0, eval)(callback);
     }
   }
 
-- 
cgit v1.2.3