Can workerd be configured to allow new Function?

[nicksrandall]

I totally understand the security risks here and why this has been disabled in Cloudflare workers. That said, I have a use-case for dynamic code execution. Would this be possible with workerd?

[zegevlier]

Yes. For this you have to change a single line of code in src/workerd/jsg/resource.h at line 942. There, change the false into a true, compile and run. You can now use things like eval and new Function.

[kentonv]

Hi @nicksrandall,

I'm pretty hesitant to allow things like this is workerd because it may encourage people to build applications or (worse) libraries that do not work on Cloudflare Workers, by requiring this setting. That kind of ecosystem fragmentation would be painful for users in the long run.

Of course, you can easily tweak the source code as @zegevlier suggests. Doing this doesn't risk ecosystem fragmentation so much, since it's unlikely anyone is going to publish a workerd library that requires a custom build of workerd.

What would be really great, though, is if we could find an alternative design for your use case which could actually be supported on Cloudflare. The key thing we need is to have a record of all code that has been evaluated, so that if someone tries to exploit a zero-day, we can see what they did and at least fix the bug.

One solution that has been proposed for this is a special kind of KV namespace that is known to contain code snippets. You would be allowed to store code into the namespace and eval snippets from it dynamically. When used on Cloudflare Workers, snippets would be stored for some amount of time (and you'd be charged for this storage) even after the snippet is deleted. Also, there would need to be an understanding that the Workers team may view snippets if needed to investigate a possible exploit.

Would something like that possibly address your use case? If not, could you explain a bit about your use case and what it needs?

[nicksrandall]

Thanks for the response @kentonv. Yes, I believe I could make my use case work with what you described.

[nicksrandall]

I wonder if the implementation of new Function in workerd could add the template string to some storage somewhere for workers team automatically? I'm fine to pay for it but it would be nice if it "just worked".

[hkochniss]

An alternative design could be to use something like https://github.com/6utt3rfly/jse-eval to do restricted ast based evaluation of funtions (I do that with strict CSP clientside and in workers), it's still allowing a ton of usecases for e.g. data conversion