Merge pull request #725 from tomaioo/fix/security/arbitrary-code-execution-via-eval-in-men

magnussolution · web-flow · commit b2d3cf55d7c2 · 2026-06-17T09:22:19.000-03:00
fix(security): 2 improvements across 2 files
diff --git a/app/model/GroupModule.js b/app/model/GroupModule.js
@@ -17,7 +17,7 @@ Ext.define('MBilling.model.GroupModule', {
         name: 'idModuletext',
         type: 'string',
         convert: function(value) {
-            return eval(value);
+            return value;
         }
     }, {
         name: 'show_menu',
diff --git a/app/model/Menu.js b/app/model/Menu.js
@@ -24,7 +24,7 @@ Ext.define('MBilling.model.Menu', {
     fields: [{
         name: 'text',
         convert: function(value) {
-            return (value.indexOf('t(') !== -1) ? eval(value) : value;
+            return value;
         }
     }, 'module', 'action', 'iconCls', 'rows']
 });

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ Ext.define('MBilling.model.GroupModule', {`
`17`	`17`	`name: 'idModuletext',`
`18`	`18`	`type: 'string',`
`19`	`19`	`convert: function(value) {`
`20`		`- return eval(value);`
	`20`	`+ return value;`
`21`	`21`	`}`
`22`	`22`	`}, {`
`23`	`23`	`name: 'show_menu',`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ Ext.define('MBilling.model.Menu', {`
`24`	`24`	`fields: [{`
`25`	`25`	`name: 'text',`
`26`	`26`	`convert: function(value) {`
`27`		`- return (value.indexOf('t(') !== -1) ? eval(value) : value;`
	`27`	`+ return value;`
`28`	`28`	`}`
`29`	`29`	`}, 'module', 'action', 'iconCls', 'rows']`
`30`	`30`	`});`