eval() equivalent in Emscripten compiled js is unsafe and doesn't work when enabling CSP #7144

Closed
dinu-marina-typewise opened this issue Dec 7, 2022 · 14 comments
@dinu-marina-typewise

System information
tfjs-tflite 0.0.1-alpha.9

Describe the current behavior
When setting CSP policy, we get "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script". We traced this to createNamedFunction() which seems to come from emscripten and uses new Function(). Seemingly it can be disabled at compilation.

Reference:
https://stackoverflow.com/a/64814360
https://github.com/emscripten-core/emscripten/blob/1bc49003b9a5310362d2e4a6334a62be9cd56dc2/src/settings.js#L1282

Describe the expected behavior
Don't use evil eval() :)

@dinu-marina-typewise dinu-marina-typewise added the type:bug Something isn't working label Dec 7, 2022
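
The failure reported above can be reproduced outside a browser. This is an added example, not code from tfjs-tflite, Emscripten, or anyone in this thread: Node's `vm` option `codeGeneration: { strings: false }` is used as a stand-in for a CSP without `'unsafe-eval'`, and both `createNamedFunction` bodies are simplified, hypothetical versions of the helper named in the report.

```javascript
// Added example (not tfjs-tflite or Emscripten source).
// codeGeneration.strings=false makes eval() and new Function() throw,
// which is what a CSP without 'unsafe-eval' does in a browser.
const vm = require("node:vm");

// Simplified stand-in for a helper that builds a named wrapper by
// compiling a source string. This is the pattern the policy blocks.
const DYNAMIC = `
  function createNamedFunction(name, body) {
    return new Function("body",
      "return function " + name + "() { return body.apply(this, arguments); };")(body);
  }`;

// String-free alternative: wrap the body and set the name property directly.
const STATIC = `
  function createNamedFunction(name, body) {
    const fn = function () { return body.apply(this, arguments); };
    return Object.defineProperty(fn, "name", { value: name });
  }`;

// Run one helper variant in a fresh context with the given policy and
// report whether a named wrapper could be created and called.
function runUnderPolicy(helperSource, allowStrings) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: allowStrings, wasm: true },
  });
  const script = helperSource + `
    const f = createNamedFunction("Module_add", (a, b) => a + b);
    ({ name: f.name, result: f(2, 3) });`;
  try {
    return { ok: true, ...vm.runInContext(script, context) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

console.log("dynamic, strings allowed:", runUnderPolicy(DYNAMIC, true));
console.log("dynamic, strings blocked:", runUnderPolicy(DYNAMIC, false));
console.log("static,  strings blocked:", runUnderPolicy(STATIC, false));
```

The same harness can be pointed at any generated glue code to confirm it loads without string-based code generation before a strict CSP is deployed.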
@dinu-marina-typewise
Author

@pyu10055 @mattsoulanille I could try to fix this myself, but I can't find how to compile the WASM libraries... I'm stuck at https://www.tensorflow.org/install/source (Docker Linux builds) but I'm at a loss how to run bazel to produce the wasm files. Could you lend a hand here? Thanks!

@mattsoulanille
Member

Thanks for the issue report, @dinu-marina-typewise. At the moment, the WASM binaries are built on Google's internal build infrastructure, so you won't be able to build them yourself. One of our goals for Q1 2023 is to open-source this part of the build process.

I agree we should not use eval (or its equivalents). As part of this open-sourcing, I'll try to remove any instances of this in code generated by Emscripten.

@warrenseine

Hello @mattsoulanille, I'd love to hear that this is a solved issue, but I'm assuming it wasn't tackled yet. Can we expect to see this in a next release?

@gaikwadrahul8
Contributor

Hi, @dinu-marina-typewise

Apologies for the delayed response. Just to confirm, may I know whether this issue has been taken care of with the @tensorflow/[email protected] version, which was published a month ago? Thank you!

@github-actions

github-actions bot commented Sep 1, 2023

This issue has been marked stale because it has had no recent activity for 7 days. It will be closed if no further activity occurs. Thank you.

@github-actions github-actions bot added the stale label Sep 1, 2023
@github-actions

github-actions bot commented Sep 9, 2023

This issue was closed due to lack of activity after being marked stale for the past 7 days.

@github-actions github-actions bot closed this as completed Sep 9, 2023
@google-ml-butler

Are you satisfied with the resolution of your issue?
Yes
No

@milanJ

milanJ commented May 9, 2024

> Hi, @dinu-marina-typewise
>
> Apologies for the delayed response. Just to confirm, may I know whether this issue has been taken care of with the @tensorflow/[email protected] version, which was published a month ago? Thank you!

Hi @gaikwadrahul8 ,

Sorry for the late reply. We switched to using TensorFlow JS. But we are now again experimenting with using tfjs-tflite. The issue is not fixed in @tensorflow/[email protected]. eval() is still present in the code.

@stevedj

stevedj commented Dec 4, 2024

I'm also encountering this error. To fix this issue in my other WebAssembly files compiled with Emscripten, I've been using the -s NO_DYNAMIC_EXECUTION=1 flag. Is there any other solution that doesn't involve unsafe-eval?

@stevedj

stevedj commented Dec 17, 2024

Hi @milanJ, @dinu-marina-typewise

Just wondering, have you resolved this issue?

@milanJ

milanJ commented Dec 17, 2024

Hi @stevedj ,

No, we haven't resolved this.

@stevedj

stevedj commented Dec 17, 2024

Hi @milanJ

Thank you for your reply.

Are you using a Chrome extension or a web app hosted on a web server?

@milanJ

milanJ commented Dec 17, 2024

@stevedj We have a Kotlin Multiplatform library that is compiled to JS and is then used in browser and Node.js environments.

@stevedj

stevedj commented Dec 17, 2024

@milanJ
I have created a new issue, #8462.

Feel free to stop by and interact with it.
