Add support for "--disallow-code-generation-from-strings" flag to workers

[capricorn86]

What is the problem this feature will solve?

I'm the creator and main maintainer of happy-dom. We recommend users to use the flags --disallow-code-generation-from-strings and --frozen-intrinsics when Javascript evaluation is enabled in happy-dom to make it harder for a potential attacker to escape a VM context and execute code at process level.

One of the packages uses Workers and it would be great if these flags could be sent in to "execArgv" when creating the Worker. It seems like --frozen-intrinsics is already supported.

What is the feature you are proposing to solve the problem?

Add support for --disallow-code-generation-from-strings to "execArgv" in Worker.

Example:

const worker = new Worker(new URL('ServerRendererWorker.js', import.meta.url), {
   execArgv: ['--disallow-code-generation-from-strings']
});

What alternatives have you considered?

No response

[juanarbol]

I'll take a look, thanks! This is a very interesting feature request

[juanarbol]

Based on docs

V8 options (such as --max-old-space-size) and options that affect the process (such as --title) are not supported. If set, this is provided as process.execArgv inside the worker. By default, options are inherited from the parent thread.

I'll ping @nodejs/workers, can I ask why aren't v8 options supported for a worker thread? Is there a feasible way to support them? Or at least a handful of them? This --disallow-code-generation-from-strings seems a quite interesting security feature -as OP mentioned-.

Refs: https://nodejs.org/docs/latest/api/worker_threads.html#new-workerfilename-options

[legendecas]

can I ask why aren't v8 options supported for a worker thread?

Most V8 flags are per process flags. Changing it for one worker thread will also change the flag value for other threads.

This per-process storage applies to --disallow-code-generation-from-strings as well. It is the default value for new context's code generation setting, for all threads.

In addition, --disallow-code-generation-from-strings is not a security flag. It is implemented in V8 and only disallows eval and new Function: #58328

[capricorn86]

Thank you for looking into this!