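/**
 * Evaluates a flat arithmetic expression ("15 * 1000", "1.1 + 2.2 * 3")
 * without ever handing the string to the JavaScript engine.
 *
 * Grammar (whitespace is ignored): a signed decimal literal, followed by any
 * number of `<op> <signed literal>` pairs with op in `+ - * /`. `*` and `/`
 * bind tighter than `+` and `-`; both levels associate left to right.
 * Parentheses, exponent notation and identifiers are NOT supported and are
 * rejected before any arithmetic runs — that up-front rejection is what makes
 * this a safe stand-in for eval on strings you do not control.
 *
 * @param {string} str - expression to evaluate.
 * @returns {number} the result rounded to 15 decimals so float noise is
 *   hidden ("3.3 - 2.1" yields 1.2). Division by zero yields Infinity/NaN,
 *   exactly as in plain JavaScript.
 * @throws {TypeError} if `str` is not a string.
 * @throws {SyntaxError} if `str` contains anything outside the grammar above
 *   (e.g. "2 * (3 + 5)", "a + a", "1-", "").
 */
const evalMath = (str) => {
  if (typeof str !== 'string') {
    throw new TypeError(`evalMath: expected a string, got ${typeof str}`);
  }
  const operatorToFunction = {
    "+": (a, b) => a + b,
    "-": (a, b) => a - b,
    "*": (a, b) => a * b,
    "/": (a, b) => a / b
  };
  // Collapse float noise: toFixed(15) rounds 1.1999999999999997 to
  // "1.200000000000000" and parseFloat drops the padded zeros again.
  // NaN/Infinity are passed through (toFixed would only stringify them).
  const roundResult = (value) =>
    Number.isFinite(value) ? parseFloat(value.toFixed(15)) : value;
  const malformed = () => new SyntaxError(`evalMath: unsupported expression "${str}"`);

  const operationStr = str.replace(/\s/g, '');

  // Strict left-to-right scan: signed number, operator, signed number, ...
  // The sticky flag (`y`) anchors each match at `pos`, so "10-15" is read as
  // 10, "-", 15 and "2*-3" as 2, "*", -3 (a leading "-" is only a sign when
  // an operand is expected). Anything else stops the scan with a SyntaxError.
  const numberAt = /-?(?:\d+\.?\d*|\.\d+)/y;
  const numbers = [];
  const operators = [];
  let pos = 0;
  for (;;) {
    numberAt.lastIndex = pos;
    const match = numberAt.exec(operationStr);
    if (match === null) throw malformed();
    numbers.push(Number(match[0]));
    pos = numberAt.lastIndex;
    if (pos === operationStr.length) break;
    const operator = operationStr[pos];
    if (!Object.prototype.hasOwnProperty.call(operatorToFunction, operator)) throw malformed();
    operators.push(operator);
    pos += 1;
  }

  // Pass 1: fold every `*` / `/` into the term on its left, leaving only
  // `+` / `-` between terms. Pass 2: fold those terms left to right.
  const terms = [numbers[0]];
  const termOperators = [];
  operators.forEach((operator, i) => {
    const rhs = numbers[i + 1];
    if (operator === '*' || operator === '/') {
      terms[terms.length - 1] = operatorToFunction[operator](terms[terms.length - 1], rhs);
    } else {
      termOperators.push(operator);
      terms.push(rhs);
    }
  });
  let result = terms[0];
  termOperators.forEach((operator, i) => {
    result = operatorToFunction[operator](result, terms[i + 1]);
  });
  const finalResult = roundResult(result);

  // Debug harness. PERFORM_TEST cross-checks the result against eval(str);
  // it exists only for developing this function against known-good literals.
  // SECURITY: never enable it where `str` can come from outside the build —
  // eval executes arbitrary code, so the self-test would undo the whole
  // point of evalMath. Remove this block for production use.
  const DEBUG = true;
  if (DEBUG) {
    const PERFORM_TEST = false; // <<<<< enable this (on trusted literals only)
    if (!PERFORM_TEST) {
      console.log(str, '=', finalResult);
    } else {
      const ONLY_SHOW_INVALID = false;
      try {
        const finalEvalResult = roundResult(eval(str)); // eslint-disable-line no-eval
        const isValid = finalResult === finalEvalResult;
        if (ONLY_SHOW_INVALID) {
          if (!isValid) console.log(str, '=', finalResult, 'Invalid: ' + finalEvalResult);
        } else {
          console.log(str, '=', finalResult, "Is Valid?", isValid, isValid ? 'Valid' : 'Invalid: ' + finalEvalResult);
        }
      } catch (e) {
        console.warn("Eval Error:", str, e.message);
      }
    }
  }
  // you can remove the test (which uses eval to verify itself) ^^
  return finalResult;
};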
// Smoke run: every entry is passed through evalMath in order, which prints
// `expression = result` via its DEBUG logging. The commented-out entries are
// the inputs the author marks as errors (parentheses, identifiers, dangling
// operators) and are kept here for reference only.
let example;
const smokeExpressions = [
  '1 + 1',
  '4 - 1',
  '2 * 5',
  '16 / 4',
  '1 + 1 + 2',
  '4 - 1 - 2',
  '15 * 1000 * 2 / 2 * 2',
  '1 + 15 * 1000 * 2 / 2 * 2',
  '15 * 1000 * 2 / 2 * 2 + 1',
  '16 / 4 / 2',
  '5 * 5',
  '10 / 2',
  '3 + 5 * 2',
  '3 * 5 + 2',
  '10 - 3 * 2 + 5',
  '10 - 3 * 2',
  '3 * 2 + 5',
  '2 * 3 + 5 * 4',
  // '2 * (3 + 5)', // Error
  // 'a + a', // Error
  // 'b', // Error
  '0',
  '20',
  '-10 + 10',
  '-10 + 12',
  '10 - 15',
  // '1-', // Error
  '-1',
  '10 / 3',
  '1+1+1*2+1+1+1',
  '2.5 * 5',
  '1.5 + 1.5',
  '4.5 - 1.2',
  '2.3 * 2.5',
  '16.8 / 4.2',
  '1.1 + 1.2 + 2.3',
  '4.5 - 1.2 - 2.1',
  '15.25 * 100.5 * 2.2 / 2.5 * 2.5',
  '1.1 + 15.5 * 100.25 * 2.2 / 2.1 * 2.1',
  '15.5 * 1000.2 * 2.1 / 2.5 * 2.5 + 1.5',
  '16.5 / 4.5 / 2.5',
  '5.5 * 5.5',
  '10.5 / 2.5',
  '3.5 + 5.5 * 2.5',
  '3.2 * 5.5 + 2.5',
  '10.5 - 3.2 * 2.5 + 5.5',
  '10.5 - 3.2 * 2.5',
  '3.5 * 2.5 + 5.5',
  '2.1 * 3.5 + 5.5 * 4.5',
  '2.5 * 5.2',
  '0.1',
  '20.2',
  '-10.5 + 10.5',
  '-10.5 + 12.2',
  '10.5 - 15.5',
  // '1.1-', // Error
  '-1.1',
  '10.5 / 3.5',
  '1.2+1.3+1.5*2.5+1.7+1.8+1.9',
];
for (const expression of smokeExpressions) {
  example = evalMath(expression);
}
"Finished"
It's important to understand the risks of using `eval` in JavaScript, especially when dealing with user input or dynamically generated code. `eval` runs JavaScript code represented as a string, which is a serious security risk whenever any part of that string comes from outside your control. There is no reliable way to "sanitize" a string so that it becomes safe to pass to `eval`; the only safe option is to never pass untrusted data to it at all.
1. Security Risks:
- Code Injection: Since `eval` executes any code passed to it, it is vulnerable to code injection. An attacker who controls the input can execute arbitrary code in your application's context — in a server or Worker that means reading secrets and environment variables and potentially full compromise; in a browser it means running with the user's session.
- Cross-Site Scripting (XSS): If user input is fed directly into `eval` in the browser, an attacker can inject scripts that run as the victim, read their data and perform actions on their behalf. A Content Security Policy blocks `eval` unless `'unsafe-eval'` is explicitly granted, which is one more reason to avoid it.
2. Bundler Warnings:
Many modern JavaScript bundlers, such as Webpack or Wrangler, emit warnings when `eval` is used directly; the `[direct-eval]` message below is the one printed by esbuild-based toolchains such as Wrangler. Direct `eval` can reference any variable in scope, so the bundler has to keep every name in that scope intact, which defeats minification and tree-shaking. Together with the security concern, that is why these warnings push you toward safer alternatives.
`▲ [WARNING] Using direct eval with a bundler is not recommended and may cause problems [direct-eval]`
3. Alternatives:
Instead of using `eval`, consider:
- Parser Libraries: libraries such as `math.js` or `expr-eval` parse the expression into their own syntax tree and evaluate that, so the string is never handed to the JavaScript engine. They are still third-party code: keep them updated, and restrict their expression language (functions, member access) to what you actually need.
- Use my solution instead: `evalMath` is at your service — a minimal parser for `+ - * /` on numeric literals that throws on anything else. Feel free to thank me below if you're using it, it means a lot to me.
- `new Function(...)` and string arguments to `setTimeout`/`setInterval` compile strings to code exactly like `eval`; they are not safer replacements, do not use them.
If you must evaluate expressions supplied at runtime, restrict the evaluator to arithmetic on literals as done here, reject everything else up front with a clear error, and keep the code-executing self-test (the `eval` cross-check in the debug version) out of production. Even then, weigh the risks carefully and treat the expression source as untrusted.
4. Cloudflare Workers Pages:
The warning I got in Cloudflare Workers Pages highlights the risks of using direct `eval`. Although `eval` may seem like a convenient way to evaluate dynamic code, its risks usually outweigh its benefits, especially where user input or serverless environments are involved. Always prefer a safer alternative to `eval` whenever possible.
Clean version:
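/**
 * Evaluates a flat arithmetic expression ("15 * 1000", "1.1 + 2.2 * 3")
 * without ever handing the string to the JavaScript engine.
 *
 * Grammar (whitespace is ignored): a signed decimal literal, followed by any
 * number of `<op> <signed literal>` pairs with op in `+ - * /`. `*` and `/`
 * bind tighter than `+` and `-`; both levels associate left to right.
 * Parentheses, exponent notation and identifiers are NOT supported and are
 * rejected before any arithmetic runs — that up-front rejection is what makes
 * this a safe stand-in for eval on strings you do not control.
 *
 * @param {string} str - expression to evaluate.
 * @returns {number} the result rounded to 15 decimals so float noise is
 *   hidden ("3.3 - 2.1" yields 1.2). Division by zero yields Infinity/NaN,
 *   exactly as in plain JavaScript.
 * @throws {TypeError} if `str` is not a string.
 * @throws {SyntaxError} if `str` contains anything outside the grammar above
 *   (e.g. "2 * (3 + 5)", "a + a", "1-", "").
 */
const evalMath = (str) => {
  if (typeof str !== 'string') {
    throw new TypeError(`evalMath: expected a string, got ${typeof str}`);
  }
  const operations = {
    "+": (a, b) => a + b,
    "-": (a, b) => a - b,
    "*": (a, b) => a * b,
    "/": (a, b) => a / b
  };
  const malformed = () => new SyntaxError(`evalMath: unsupported expression "${str}"`);
  const expression = str.replace(/\s/g, '');

  // Strict left-to-right scan: signed number, operator, signed number, ...
  // The sticky flag (`y`) anchors each match at `pos`, so "10-15" is read as
  // 10, "-", 15 and "2*-3" as 2, "*", -3 (a leading "-" is only a sign when
  // an operand is expected). Anything else stops the scan with a SyntaxError.
  const numberAt = /-?(?:\d+\.?\d*|\.\d+)/y;
  const numbers = [];
  const operators = [];
  let pos = 0;
  for (;;) {
    numberAt.lastIndex = pos;
    const match = numberAt.exec(expression);
    if (match === null) throw malformed();
    numbers.push(Number(match[0]));
    pos = numberAt.lastIndex;
    if (pos === expression.length) break;
    const operator = expression[pos];
    if (!Object.prototype.hasOwnProperty.call(operations, operator)) throw malformed();
    operators.push(operator);
    pos += 1;
  }

  // Pass 1: fold every `*` / `/` into the term on its left, leaving only
  // `+` / `-` between terms. Pass 2: fold those terms left to right.
  const terms = [numbers[0]];
  const termOperators = [];
  operators.forEach((operator, i) => {
    const rhs = numbers[i + 1];
    if (operator === '*' || operator === '/') {
      terms[terms.length - 1] = operations[operator](terms[terms.length - 1], rhs);
    } else {
      termOperators.push(operator);
      terms.push(rhs);
    }
  });
  let result = terms[0];
  termOperators.forEach((operator, i) => {
    result = operations[operator](result, terms[i + 1]);
  });

  // toFixed(15) rounds away float noise (1.1999999999999997 -> "1.200000000000000")
  // and parseFloat drops the padded zeros again. NaN/Infinity pass through.
  return Number.isFinite(result) ? parseFloat(result.toFixed(15)) : result;
};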
Important notes:
- If `operatorToFunction` is declared outside the function (an earlier draft named the function `executeOperation`) and the snippet is re-run in DevTools, you can hit an error like `can not access operatorToFunction before initialization`; keeping it inside the function avoids that.
- The decimal point has to be filtered out of the operator list: `split(/\d+/)` leaves the `.` of `2.5` behind, and it would otherwise be treated as an operator.
- The result is rounded with `toFixed(15)` because binary floating point makes `3.3 - 2.1` come out as `1.1999999999999997`, not `1.2`.
- The trailing-zero loop removes the zeros `toFixed(15)` pads with (`parseFloat` would discard them as well; the loop only tidies the intermediate string).
- The final `slice` handles the case where only a `.` is left after stripping the zeros.
- The two loops over `operators` are what allow more than one operation in a single expression.
Best use case:
Best used for build-time, math-only evaluation of trusted configuration strings — rate-limit windows, for example — and NOT as a general expression evaluator for user input. `evalMath` never executes its input as code, but it is not an input validator either: anything outside `number op number ...` (letters, parentheses, a dangling operator) makes it throw, so a caller that faces untrusted strings must validate the format first and catch that error instead of letting it crash the request.
Fixes this eval scenario, for example:
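// Per-scope rate limits. `custom` keys are time windows; a key may be written
// as an arithmetic expression ("15 * 1000") that the loop below folds into a
// plain number at build time. Keys without an operator are left untouched.
const RATE_LIMITS = {
  "IP": {
    // perSecond: 1,
    // perMinute: 1,
    // perHour: 2,
    // perDay: 6,
    // perWeek: 8,
    // perMonth: 10,
    // perYear: 100,
    custom: {
      "15 * 1000": 1, // allowed up to 1 request per 15 seconds
      "30 * 1000": 1, // allowed up to 1 request per 30 seconds
      "15000": 1, // allowed up to 1 request per 15 seconds
      "2 minutes": 1, // allowed up to 1 request per 2 minutes
      "1 minute": 1, // allowed up to 1 request per 1 minutes
      "1 second": 1, //
      "0.5 years": 1, //
      "0.5 seconds": 1, //
      "1 hour and 30 minutes": 1, //
      "90 minutes": 1, //
    }
  },
  "Email": {
    perSecond: 1,
    perMinute: 1,
    perHour: 2,
    perDay: 3,
    perWeek: 4,
    perMonth: 5,
    perYear: 50,
  }
};

// Normalises arithmetic `custom` keys ("15 * 1000" -> "15000").
// evalMath replaces the original eval(customLimit): these keys are trusted
// build-time config today, but a config string that reaches eval becomes
// code execution the moment its source changes, so it is never worth it.
const HAS_OPERATOR = /[-+*/]/;
for (const [scope, config] of Object.entries(RATE_LIMITS)) {
  if (!config.custom) continue;
  // Snapshot the keys: deleting and adding keys while iterating the object
  // itself leaves it unspecified whether the new key is visited.
  for (const customLimit of Object.keys(config.custom)) {
    if (!HAS_OPERATOR.test(customLimit)) continue;
    const newLimit = evalMath(customLimit);
    console.log(newLimit, customLimit);
    // A NaN/Infinity/non-positive window would silently disable or break the
    // limit; fail the build instead.
    if (!Number.isFinite(newLimit) || newLimit <= 0) {
      throw new RangeError(`Invalid rate-limit window "${customLimit}" for ${scope}: ${newLimit}`);
    }
    const limitCount = config.custom[customLimit];
    delete config.custom[customLimit];
    // hasOwnProperty rather than a truthiness test so a count of 0 still
    // counts as an existing entry.
    if (Object.prototype.hasOwnProperty.call(config.custom, newLimit)) {
      console.warn("Time Limit Already Exist:", newLimit, customLimit, scope);
    } else {
      config.custom[newLimit] = limitCount;
    }
  }
}
console.log(RATE_LIMITS); // "15 * 1000" is now stored under "15000", for example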
Supports chains of operations and operator precedence (`*` and `/` before `+` and `-`, each level evaluated left to right); parentheses are not supported and make the function throw. The string is only used to split out the numbers and operators — the arithmetic itself runs on numbers, and no part of the input is ever executed as code, which is what makes it safer than `eval`. Feel free to use and modify it as needed. If you have any further questions or need clarification, feel free to ask!