AG-39948 Improve 'prevent-eval-if' — return original value for 'eval.toString()'. #481

AdamWr · AdamWr · commit 60053cb7ee66 · 2025-02-17T18:45:24.000+03:00
Squashed commit of the following: commit ad2685c Merge: 568bdd0 9a97415 Author: Adam Wróblewski <adam@adguard.com> Date: Mon Feb 17 12:02:51 2025 +0100 Merge branch 'master' into fix/AG-39948 commit 568bdd0 Author: Adam Wróblewski <adam@adguard.com> Date: Mon Feb 17 11:56:32 2025 +0100 Fix prevent-bab commit 236d6a4 Author: Adam Wróblewski <adam@adguard.com> Date: Fri Feb 14 19:45:28 2025 +0100 Update changelog commit 8967d9b Author: Adam Wróblewski <adam@adguard.com> Date: Fri Feb 14 19:00:04 2025 +0100 Improve 'prevent-eval-if' — return original value for 'eval.toString()'
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,8 +17,13 @@ The format is based on [Keep a Changelog], and this project adheres to [Semantic
 - ability in `json-prune` scriptlet to match `key` with specific `value`
   and remove `array`/`object` if it contains specific `item` [#183]
 
+### Fixed
+
+- `prevent-eval-if` and `prevent-bab` scriptlets, now `eval.toString()` call returns original value [#481]
+
 [Unreleased]: https://github.com/AdguardTeam/Scriptlets/compare/v2.1.4...HEAD
 [#183]: https://github.com/AdguardTeam/Scriptlets/issues/183
+[#481]: https://github.com/AdguardTeam/Scriptlets/issues/481
 
 ## [v2.1.4] - 2025-01-20
 
diff --git a/src/scriptlets/prevent-bab.js b/src/scriptlets/prevent-bab.js
@@ -93,6 +93,7 @@ export function preventBab(source) {
         }
     };
     window.eval = evalWrapper.bind(window);
+    window.eval.toString = nativeEval.toString.bind(nativeEval);
 }
 
 export const preventBabNames = [
diff --git a/src/scriptlets/prevent-eval-if.js b/src/scriptlets/prevent-eval-if.js
@@ -41,6 +41,9 @@ export function preventEvalIf(source, search) {
         hit(source, payload);
         return undefined;
     }.bind(window);
+
+    // Protect window.eval from native code check
+    window.eval.toString = nativeEval.toString.bind(nativeEval);
 }
 
 export const preventEvalIfNames = [
diff --git a/tests/scriptlets/prevent-bab.test.js b/tests/scriptlets/prevent-bab.test.js
@@ -6,6 +6,8 @@ const name = 'prevent-bab';
 
 const testProp = 'evalProp';
 
+const nativeEval = window.eval;
+
 const beforeEach = () => {
     window.__debug = () => {
         window.hit = 'FIRED';
@@ -14,18 +16,22 @@ const beforeEach = () => {
 
 const afterEach = () => {
     clearGlobalProps(testProp, 'hit', '__debug');
+    window.eval = nativeEval;
 };
 
 module(name, { beforeEach, afterEach });
 
 test('works eval with AdblockBlock', (assert) => {
+    const originalEvalString = window.eval.toString();
+
     runScriptlet(name);
 
     const evalWrap = eval;
     evalWrap(`(function test() { const temp = 'babasbm'; window.${testProp} = 'test';})()`);
 
     assert.strictEqual(window[testProp], undefined);
     assert.strictEqual(window.hit, 'FIRED', 'hit fired');
+    assert.strictEqual(window.eval.toString(), originalEvalString, 'eval.toString() should return original value');
 });
 
 test('sample eval script works', (assert) => {
diff --git a/tests/scriptlets/prevent-eval-if.test.js b/tests/scriptlets/prevent-eval-if.test.js
@@ -52,6 +52,24 @@ test('AG prevent-eval-if works', (assert) => {
     assert.strictEqual(secondActual, undefined, 'result of eval evaluation should be undefined');
 });
 
+test('AG prevent-eval-if works, check toString', (assert) => {
+    const originalEvalString = window.eval.toString();
+
+    runScriptlet(name, ['/adblock/']);
+
+    const agPreventEvalIf = 'agPreventEvalIf';
+
+    const evalWrapper = eval;
+    const firstActual = evalWrapper(`(function () {return '${agPreventEvalIf}'})()`);
+    assert.strictEqual(window.hit, undefined, 'hit function should not fire for not matched function');
+    assert.strictEqual(firstActual, agPreventEvalIf, 'result of eval evaluation should exist');
+
+    const secondActual = evalWrapper(`(function () {const adblock = true; return '${agPreventEvalIf}'})()`);
+    assert.strictEqual(window.hit, 'FIRED', 'hit function should fire');
+    assert.strictEqual(secondActual, undefined, 'result of eval evaluation should be undefined');
+    assert.strictEqual(window.eval.toString(), originalEvalString, 'toString should not be changed');
+});
+
 test('does not work -- invalid regexp pattern', (assert) => {
     runScriptlet(name, ['/\\/']);
 

Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,7 @@ export function preventBab(source) {`
`93`	`93`	`}`
`94`	`94`	`};`
`95`	`95`	`window.eval = evalWrapper.bind(window);`
	`96`	`+ window.eval.toString = nativeEval.toString.bind(nativeEval);`
`96`	`97`	`}`
`97`	`98`
`98`	`99`	`export const preventBabNames = [`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,9 @@ export function preventEvalIf(source, search) {`
`41`	`41`	`hit(source, payload);`
`42`	`42`	`return undefined;`
`43`	`43`	`}.bind(window);`
	`44`	`+`
	`45`	`+ // Protect window.eval from native code check`
	`46`	`+ window.eval.toString = nativeEval.toString.bind(nativeEval);`
`44`	`47`	`}`
`45`	`48`
`46`	`49`	`export const preventEvalIfNames = [`