fix(geo): remove unsafe and unnecessary new Function when parsing GeoJSON input #21640

Open

plainheart wants to merge 2 commits into release from fix/geojson-parse

Conversation

@plainheart (Member)

Brief Information

This pull request is in the type of:

  • bug fixing
  • new feature
  • others

What does this PR do?

As we discussed in the group, remove unsafe and unnecessary new Function when parsing GeoJSON input.

Fixed issues

This issue was also reported as a security risk in closed #21626.

Document Info

One of the following should be checked.

  • This PR doesn't relate to document changes
  • The document should be updated later
  • The document changes have been made in apache/echarts-doc#xxx

echarts-bot (Bot) commented May 31, 2026

Thanks for your contribution!
The community will review it ASAP. In the meantime, please check out the coding standard and Wiki about How to make a pull request.

The pull request is marked to be PR: author is committer because you are a committer of this project.

@plainheart plainheart added this to the 6.1.1 milestone May 31, 2026
@plainheart plainheart requested a review from Copilot May 31, 2026 09:00
Copilot AI left a comment


Pull request overview

This PR removes the new Function fallback used when parsing GeoJSON string inputs, addressing a reported code-execution risk in GeoJSON parsing.

Changes:

  • Replace the GeoJSON string parsing fallback (new Function(...)) with a direct JSON.parse.
  • Fix typos in GeoJSON-related comments.

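As an added example that is not part of this pull request or of the apache/echarts code base: the removed `new Function` fallback reproduced beside its `JSON.parse` replacement, run over three constructed inputs (a benign FeatureCollection, a JavaScript-but-not-JSON string with unquoted keys and a trailing comma, and a string that evaluates to a GeoJSON-shaped object while executing a side effect). The function names, the `__geojson_side_effect` global and the sample strings are hypothetical.

```javascript
// Added example, not code from apache/echarts or this PR. Reproduces the removed
// `new Function` fallback beside its JSON.parse replacement and runs both over
// constructed inputs. Function names, the `__geojson_side_effect` global and the
// sample strings are hypothetical.

// The pre-fix fallback: wraps the string in a JavaScript expression and
// evaluates it. Anything in `source` that is a valid expression runs with the
// page's privileges, so this is an eval sink, not a parser.
function parseWithNewFunction(source) {
  return (new Function('return (' + source + ');'))();
}

// The replacement: a strict JSON parser. Input that is not JSON throws
// SyntaxError; nothing is ever evaluated.
function parseWithJson(source) {
  return JSON.parse(source);
}

// Constructed benign input: a minimal, valid FeatureCollection.
const BENIGN = '{"type":"FeatureCollection","features":[]}';

// Constructed loose input: valid JavaScript, not valid JSON (unquoted keys,
// single quotes, trailing comma). Shows which callers the fix breaks.
const LOOSE = "{type: 'FeatureCollection', features: [],}";

// Constructed hostile input: a comma expression that runs an assignment as a
// side effect and then yields an object shaped like GeoJSON, so the caller
// gets a plausible result and no error.
const HOSTILE =
  '(globalThis.__geojson_side_effect = "ran", ' +
  '{"type":"FeatureCollection","features":[]})';

// Runs one parser over one input and records the parsed `type`, the error
// class if it threw, and whether the hostile side effect fired.
function probe(parser, source) {
  delete globalThis.__geojson_side_effect;
  let result = null;
  let error = null;
  try {
    result = parser(source);
  } catch (e) {
    error = e.constructor.name;
  }
  return {
    type: result && result.type ? result.type : null,
    error,
    sideEffect: globalThis.__geojson_side_effect === 'ran',
  };
}

// Side-by-side results for both parsers over all three inputs.
function compare() {
  const inputs = { benign: BENIGN, loose: LOOSE, hostile: HOSTILE };
  const out = {};
  for (const [name, source] of Object.entries(inputs)) {
    out[name] = {
      newFunction: probe(parseWithNewFunction, source),
      json: probe(parseWithJson, source),
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

Running it with node prints the comparison. The hostile case is the code-execution risk the PR closes: the fallback returns a valid-looking FeatureCollection and the side effect has already fired. The loose case is the behavioural change to expect from the fix: strings that only parsed because the fallback treated them as JavaScript now throw `SyntaxError`, which is the intended trade for removing the eval sink.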

Comment on lines 163 to 165
function parseInput(source: GeoJSONSourceInput): GeoJSON | GeoJSONCompressed {
return !isString(source)
? source
: (typeof JSON !== 'undefined' && JSON.parse)
? JSON.parse(source)
: (new Function('return (' + source + ');'))();
return !isString(source) ? source : JSON.parse(source);
}
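Review bot: Dropping the `typeof JSON !== 'undefined' && JSON.parse` guard along with the `new Function` branch is the right call, but the PR should say what changes for callers. `new Function('return (' + source + ');')` accepted any JavaScript expression, so a string that is valid JSON parses identically before and after, while strings that relied on non-JSON syntax (unquoted keys, single quotes, trailing commas, comments) now throw `SyntaxError` from `JSON.parse` instead of being evaluated; that is a deliberate breaking change for such inputs and worth a line in the PR description or a comment on `parseInput`. On the guard itself: `JSON.parse` is part of ES5, so an environment without it is not one this code can otherwise run in, and keeping the check would only preserve a path that evaluates input as code. Note also that the new one-liner `return !isString(source) ? source : JSON.parse(source);` still performs no shape validation, so a string that parses to `null`, a number or an array passes through to the caller exactly as it did before.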
plainheart (Member Author)

@100pah Given the current codebase, do you think it is necessary to add the JSON API check?

@plainheart plainheart requested a review from 100pah May 31, 2026 09:15

2 participants