From ab6e89dfbce926c6515186c7e5a399e8b7fab264 Mon Sep 17 00:00:00 2001
From: Sefa Eyeoglu
Date: Mon, 21 Oct 2024 18:23:38 +0200
Subject: [PATCH] Remove vulnerable js2py

js2py is potentially vulnerable to RCE. As it is unmaintained it should just be removed from the tests.

POC: https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28397

Signed-off-by: Sefa Eyeoglu
---
 django_js_reverse/tests/unit_tests.py | 5 -----
 tox.ini                               | 1 -
 2 files changed, 6 deletions(-)

diff --git a/django_js_reverse/tests/unit_tests.py b/django_js_reverse/tests/unit_tests.py
index be2a074..1031cd2 100755
--- a/django_js_reverse/tests/unit_tests.py
+++ b/django_js_reverse/tests/unit_tests.py
@@ -20,7 +20,6 @@
 from django.core.management import call_command
 from django.template import Context, RequestContext, Template
 from django.utils.encoding import smart_str
-import js2py
 from helper import is_django_ver_gte_2
 from utils import script_prefix
 
@@ -51,9 +50,6 @@ def node_jseval(expr):
     return re.sub(r'\n$', '', stdout)
 
 
-def js2py_jseval(expr):
-    return js2py.eval_js(expr)
-
 
 class AbstractJSReverseTestCase(object):
     client = Client()
@@ -75,7 +71,6 @@ def url(jseval):
             return expected_url(jseval)
 
         self.assertEqual(node_jseval(module), url(node_jseval))
-        self.assertEqual(js2py_jseval('(function () {{ {} }}())'.format(script)), url(js2py_jseval))
 
     def assertEqualJSUrlEval(self, *args, **kwargs):
         js = smart_str(self.client.post('/jsreverse/').content)
diff --git a/tox.ini b/tox.ini
index f9590c8..53351e2 100644
--- a/tox.ini
+++ b/tox.ini
@@ -10,7 +10,6 @@ pip_pre = true
 commands = coverage run -p django_js_reverse/tests/unit_tests.py
 deps=
     coverage
-    js2py==0.74
     packaging==21.3
     django32: Django>=3.2,<4.0
     django40: Django>=4.0,<4.1