[CapacitorSet]

This is what the author attempted to do: if you read the first commit linked in the article, they made it so that math.js wouldn't execute Function when it encountered it (either an actual Function or a variable that equals Function).

However, the trick is to make Javascript execute Function, through a function that math.js won't mind executing. What I found was simply using Function.apply and Function.call; the author found Function.bind, and someone in this thread found several more.

[jmaa]

Alright, so there are simply too many unique functions accessible through the math.js API, for blacklisting to be feasible.

I'm curious why he didn't go down the whitelisting path in the first place. Basic maths don't require that many functions anyway, so he could've started with a small list, and expanded it as people asked for more. Alternatively he could have allowed for custom whitelists.

[josdejong]

Thanks for your suggestions. I'm the author of math.js working on these fixes. If feasible, a whitelist is safer than a blacklist of course. However, math.js supports objects like JavaScript, and these objects can have arbitrary properties. A naive whitelist would simply render these completely blocked. An option could be to try to distinguish between own properties and inherited properties but that gives issues too with regular methods on classes. It's not so easy to "just" create a whitelist and put it in place (and... which place or places?). I try to understand the underlying cause and try to put security measures at the right place rather than a hail-shot all over the place. I'm no security expert so it's a bit of a search. I'm really happy with all people helping to find and report more issues in this regard!

A first approach was to try to put security checks right before executing any function. That didn't work out since the parser doesn't have control over all function executions: for example not over the ones invoked by Array.forEach and Array.map. A second approach was to blacklist the "constructor" property since all issues did go via constructor and managed to call Function that way. That wasn't enough either. Current approach is to guard the values of symbols and properties (the places where unknown stuff can come in) and test whether there value equals Function. To be continued I think...