Proposal to also expose the function's return value in the result #12
Pull Request Overview
This PR enhances the JavaScript code execution functionality by automatically capturing and displaying the result of the last expression in user-submitted code. It also removes a Korean comment and eliminates unused result handling code.
- Wraps user code in an IIFE that uses eval() to capture and automatically log the last expression's result
- Escapes backticks and backslashes in user code to prevent injection issues when embedding in template literals
- Removes unused result variable and related comment
Comments suppressed due to low confidence (1)
crates/deno-runtime/src/lib.rs:1
- Using eval() introduces security risks and can execute arbitrary code. Since the user code is already being executed via execute_script, wrapping it in eval() is redundant and dangerous. Consider using a different approach such as wrapping the code in an expression statement or using the return value from execute_script directly.
use anyhow::Result;
| }} | ||
| }})(); | ||
| "#, | ||
| code.replace('`', r"\`").replace('\\', r"\\") |
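Review bot: The replace chain on the last line escapes backticks and backslashes but leaves ${ untouched, so a template literal inside the submitted code is substituted by the wrapper's own template before eval sees it. Escape ${ as well, or hand the source to eval as a string value rather than splicing it into a template literal.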
Copilot AI, Oct 31, 2025
The escaping order is incorrect and will cause double-escaping issues. Backslashes must be escaped before backticks to prevent already-escaped sequences from being corrupted. For example, the input \\ would become \\\\ (correct), but then backticks in that result would be incorrectly escaped. Change to code.replace('\\', r"\\").replace('`', r"\`") to escape backslashes first.
| code.replace('`', r"\`").replace('\\', r"\\") | |
| code.replace('\\', r"\\").replace('`', r"\`") |
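The escaping-order point in the comment above, as an added example that is not part of the pull request or the project's code. It compares the two replace orders against a simplified model of how a template literal reads its body; all function names, the extra `${` escape and the sample inputs are assumptions of this example.

```rust
// Added example; function names are hypothetical, not from the project.

/// Escaping as written in the PR: backticks first, then backslashes.
fn escape_pr(code: &str) -> String {
    code.replace('`', r"\`").replace('\\', r"\\")
}

/// Order suggested in the review: backslashes first, then backticks.
fn escape_backslash_first(code: &str) -> String {
    code.replace('\\', r"\\").replace('`', r"\`")
}

/// Assumption of this example: also escape `${`, which a template
/// literal would otherwise treat as the start of a substitution.
fn escape_with_dollar(code: &str) -> String {
    escape_backslash_first(code).replace("${", r"\${")
}

/// Simplified model of how a template literal reads its body, covering
/// only the escapes produced above (\\, \` and \$). Returns None when
/// a bare backtick would end the literal early or `${` would start a
/// substitution, i.e. when eval would not get the submitted text.
fn decode_template_body(body: &str) -> Option<String> {
    let mut out = String::new();
    let mut chars = body.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '\\' => out.push(chars.next()?),
            '`' => return None,
            '$' if chars.peek() == Some(&'{') => return None,
            _ => out.push(c),
        }
    }
    Some(out)
}

/// True when eval would receive exactly the code that was submitted.
fn round_trips(escape: fn(&str) -> String, code: &str) -> bool {
    decode_template_body(&escape(code)).as_deref() == Some(code)
}

fn main() {
    // Constructed sample inputs, not taken from the PR.
    for code in ["1 + 1", "`a` + 'b'", r"'a\\b'.length", "`${1 + 1}`"] {
        println!("{code:?}: pr={} backslash_first={} with_dollar={}",
            round_trips(escape_pr, code),
            round_trips(escape_backslash_first, code),
            round_trips(escape_with_dollar, code));
    }
}
```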
| const code_output = eval(`{}`); | ||
| if (code_output !== undefined) {{ | ||
| Deno.core.ops.op_console_log(String(code_output)); | ||
| }} | ||
| return code_output; | ||
| }} catch (e) {{ | ||
| // eval 실패 시 원본 코드를 그대로 실행 | ||
| throw e; | ||
| }} | ||
| }})(); | ||
| "#, | ||
| code.replace('`', r"\`").replace('\\', r"\\") |
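Review bot: The catch block only rethrows (catch (e) {{ ... throw e; }}), so the try/catch around eval has no effect and the error reaches the caller either way. Remove the try/catch, or have the handler do something the caller cannot, such as reporting the error through op_console_log before rethrowing.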
Copilot AI, Oct 31, 2025
The comment states 'eval 실패 시 원본 코드를 그대로 실행' (when eval fails, execute original code as-is), but the code throws the error instead of falling back to executing the original code. Either update the comment to reflect the actual behavior ('eval 실패 시 에러를 전파' - propagate error when eval fails) or implement the fallback logic described in the comment.
| const code_output = eval(`{}`); | |
| if (code_output !== undefined) {{ | |
| Deno.core.ops.op_console_log(String(code_output)); | |
| }} | |
| return code_output; | |
| }} catch (e) {{ | |
| // eval 실패 시 원본 코드를 그대로 실행 | |
| throw e; | |
| }} | |
| }})(); | |
| "#, | |
| code.replace('`', r"\`").replace('\\', r"\\") | |
| const code_output = eval(`{code}`); | |
| if (code_output !== undefined) {{ | |
| Deno.core.ops.op_console_log(String(code_output)); | |
| }} | |
| return code_output; | |
| }} catch (e) {{ | |
| // eval 실패 시 원본 코드를 그대로 실행 | |
| try { | |
| const fallback_output = (function() {{ {} }})(); | |
| if (fallback_output !== undefined) {{ | |
| Deno.core.ops.op_console_log(String(fallback_output)); | |
| }} | |
| return fallback_output; | |
| } catch (fallbackError) {{ | |
| throw fallbackError; | |
| }} | |
| const fallback_output = (function() {{ {code} }})(); | |
| if (fallback_output !== undefined) {{ | |
| Deno.core.ops.op_console_log(String(fallback_output)); | |
| }} | |
| return fallback_output; | |
| }} catch (fallbackError) {{ | |
| throw fallbackError; | |
| }} | |
| }} | |
| }})(); | |
| "#, | |
| code = code.replace('`', r"\`").replace('\\', r"\\") |
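Review bot: The fallback in the outer catch runs the submitted code a second time, and that catch also fires for errors thrown by the code itself, so any side effects that happened before the throw are repeated. Limit the fallback to the case it is meant for (for example e instanceof SyntaxError) and rethrow everything else. The same escaped code value is also placed in (function() {{ {code} }})(), outside any template literal, where the added backslashes change the source instead of protecting it.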
Closing because the exact error line could not be found.
📌 Summary
📝 Changes
🔍 Screenshots
before
after
2025-10-31.10.22.30.mov
💡 Notes