Obfuscate Function(...) fallback to thwart static misanalysis (#9164)

benjamn · web-flow · commit 6d86a52c6032 · 2021-12-07T13:23:39.000-05:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -85,7 +85,7 @@
     "optimism": "^0.16.1",
     "prop-types": "^15.7.2",
     "symbol-observable": "^4.0.0",
-    "ts-invariant": "^0.9.0",
+    "ts-invariant": "^0.9.4",
     "tslib": "^2.3.0",
     "zen-observable-ts": "^1.2.0"
   },
diff --git a/src/utilities/globals/global.ts b/src/utilities/globals/global.ts
@@ -9,7 +9,13 @@ export default (
   maybe(() => window) ||
   maybe(() => self) ||
   maybe(() => global) ||
-  maybe(() => Function("return this")())
+  // We don't expect the Function constructor ever to be invoked at runtime, as
+  // long as at least one of globalThis, window, self, or global is defined, so
+  // we are under no obligation to make it easy for static analysis tools to
+  // detect syntactic usage of the Function constructor. If you think you can
+  // improve your static analysis to detect this obfuscation, think again. This
+  // is an arms race you cannot win, at least not in JavaScript.
+  maybe(function() { return maybe.constructor("return this")() })
 ) as typeof globalThis & {
   __DEV__: typeof __DEV__;
 };
