UNPKG

@jsreport/jsreport-core

Version:

javascript based business reporting

github.com/jsreport/jsreport/tree/master/packages/jsreport-core

jsreport/jsreport

290 lines (243 loc) 10.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
const LRU = require('lru-cache') const stackTrace = require('stack-trace') const { customAlphabet } = require('nanoid') const nanoid = customAlphabet('abcdefghijklmnopqrstuvwxyz', 10) const createSandbox = require('./createSandbox') const normalizeError = require('../../shared/normalizeError') module.exports = function createRunInSandbox (reporter) { const functionsCache = LRU(reporter.options.sandbox.cache) return async function runInSandbox ({ manager = {}, context, userCode, initFn, executionFn, currentPath, onRequire, propertiesConfig, errorLineNumberOffset = 0 }, req) { let jsreportProxy = null // we use dynamic name because of the potential nested vm execution in the jsreportProxy.assets.require // it may turn out it is a bad approach in assets so we gonna delete it here const executionFnName = `${nanoid()}_executionFn` // creating new id different than execution to ensure user code can not get access to // internal functions by using the __sandboxId context.__sandboxId = nanoid() context[executionFnName] = executionFn context.__appDirectory = reporter.options.appDirectory context.__rootDirectory = reporter.options.rootDirectory context.__parentModuleDirectory = reporter.options.parentModuleDirectory context.__topLevelFunctions = {} context.__handleError = (err) => handleError(reporter, err) const { sourceFilesInfo, run, compileScript, restore, sandbox, sandboxRequire } = await createSandbox(context, { rootDirectory: reporter.options.rootDirectory, onLog: (log) => { // we mark any log done in sandbox as userLevel: true, this allows us to detect which logs belongs to user // and can potentially contain sensitive information let consoleType = log.level if (consoleType === 'debug') { consoleType = 'log' } else if (consoleType === 'warn') { consoleType = 'warning' } reporter.logger.debug(`(console:${consoleType}) ${log.message}`, { ...req, timestamp: log.timestamp, userLevel: true }) }, formatError: (error, moduleName) => { error.message += ` To be able to require custom modules you need to add to configuration { "trustUserCode": true } or enable just specific module using { sandbox: { allowedModules": ["${moduleName}"] }` }, safeExecution: reporter.options.trustUserCode === false, isolateModules: reporter.options.sandbox.isolateModules !== false, modulesCache: reporter.requestModulesCache.get(req.context.rootId), globalModules: reporter.options.sandbox.nativeModules || [], allowedModules: reporter.options.sandbox.allowedModules, propertiesConfig, requirePaths: [ reporter.options.rootDirectory, reporter.options.appDirectory, reporter.options.parentModuleDirectory ], requireMap: (moduleName) => { const m = reporter.options.sandbox.modules.find((m) => m.alias === moduleName || m.path === moduleName) if (m) { const cachedModuleFromOutside = require.cache[m.path] // this is an optimization, the requireMap always go the built-in node require, // which has an overhead, even if the module you are trying to resolve is already cached // node will try to resolve filename when the require happens from different module than // it was requested first time. // this becomes an issue when you do a lazy require inside helper execution, if this helper // is a hot path (executed multiple times during rendering) // then you are adding extra time per the amount of times you call the helper // (which is big if you call this in a loop for 15K items), // the solution is to try first from the require cache directly, and fallback to built-in require // when not found, we can do this because we are sure the m.path is the path to the resolved filename of module if (cachedModuleFromOutside != null) { return cachedModuleFromOutside.exports } return require(m.path) } if (moduleName === 'jsreport-proxy') { return jsreportProxy } if (onRequire) { return onRequire(moduleName, { context }) } } }) const _getTopLevelFunctions = function _getTopLevelFunctions (code) { return getTopLevelFunctions(functionsCache, code) } jsreportProxy = reporter.createProxy({ req, runInSandbox: run, context: sandbox, getTopLevelFunctions: _getTopLevelFunctions, sandboxRequire }) jsreportProxy.currentPath = async function getCurrentPath () { // we get the current path by throwing an error, which give us a stack trace // which we analyze and see if some source file is associated to an entity // if it is then we can properly get the path associated to it, if not we // fallback to the current path passed as options const filesCount = sourceFilesInfo.size let resolvedPath = currentPath if (filesCount > 0) { const err = new Error('get me stack trace please') const trace = stackTrace.parse(err) for (let i = 0; i < trace.length; i++) { const current = trace[i] if (sourceFilesInfo.has(current.getFileName())) { const { entity, entitySet } = sourceFilesInfo.get(current.getFileName()) if (entity != null && entitySet != null) { resolvedPath = await reporter.folders.resolveEntityPath(entity, entitySet, req) break } } } } return resolvedPath } jsreportProxy.currentDirectoryPath = async function getCurrentDirectoryPath () { const currentPath = await jsreportProxy.currentPath() if (currentPath != null) { const localPath = currentPath.substring(0, currentPath.lastIndexOf('/')) if (localPath === '') { return '/' } return localPath } return currentPath } // NOTE: it is important that cleanup, restore methods are not called from a function attached to the // sandbox, because the arguments and return value of such function call will be sandboxed again, to solve this // we don't attach these methods to the sandbox, and instead share them through a "manager" object that should // be passed in options manager.restore = restore if (typeof initFn === 'function') { const initScriptInfo = await initFn(_getTopLevelFunctions, compileScript) if (initScriptInfo) { try { await run(initScriptInfo.script, { filename: initScriptInfo.filename || 'sandbox-init.js', source: initScriptInfo.source }) } catch (e) { handleError(reporter, e) } } } const functionNames = getTopLevelFunctions(functionsCache, userCode) // it is better we remove our internal functions so we avoid user having the chance // to call them, as long as we force the execution to be truly async (with the await 1) // then it is safe to delete __handleError from context, when the execution is truly // async then it means the __handleError was already passed to catch handler, // therefore safe to delete const contextNormalizeCode = [ 'await 1;', `const ${executionFnName}_expose = ${executionFnName};`, 'delete this.__handleError;', `delete this['${executionFnName}'];` ].join('') const functionsCode = `return {topLevelFunctions: {${functionNames.map(h => `"${h}": ${h}`).join(',')}}, fnToExecute: ${executionFnName}_expose}` const executionCode = `;(async () => { ${contextNormalizeCode}${userCode} \n\n;${functionsCode} })() .then(({ topLevelFunctions, fnToExecute }) => { const mergedTopLevelFunctions = { ...topLevelFunctions, ...__topLevelFunctions } // expose top level functions to the sandbox context // so helpers can call other helpers (from shared asset helpers, or .registerHelpers call from proxy) for (const [topLevelFnName, topLevelFn] of Object.entries(mergedTopLevelFunctions)) { this[topLevelFnName] = topLevelFn } return fnToExecute({ topLevelFunctions: mergedTopLevelFunctions, require, console, context: this }) }).catch(__handleError);` try { return await run(executionCode, { filename: 'sandbox.js', source: userCode, errorLineNumberOffset }) } catch (e) { handleError(reporter, e) } } } function handleError (reporter, errValue) { let newError = normalizeError(errValue) if (newError === errValue) { // here it means the original error was valid in the first place, // so it was not normalized newError = new Error(errValue.message) Object.assign(newError, errValue) if (errValue.stack) { newError.stack = errValue.stack } } throw reporter.createError(null, { original: newError, statusCode: 400 }) } function getTopLevelFunctions (cache, code) { const key = `functions:${code}` if (cache.has(key)) { return cache.get(key) } // lazy load to speed up boot const parser = require('@babel/parser') const traverse = require('@babel/traverse').default const names = [] try { const ast = parser.parse(code, { sourceType: 'script', allowReturnOutsideFunction: false, allowAwaitOutsideFunction: true, plugins: [ 'classProperties', 'classPrivateProperties', 'classPrivateMethods', 'doExpressions', 'functionBind', 'throwExpressions', 'topLevelAwait' ] }) // traverse only function declaration that are defined // at the top level of program traverse(ast, { FunctionDeclaration: (path) => { if (path.parent.type === 'Program') { names.push(path.node.id.name) } } }) } catch (e) { // we let the error handling for later eval return [] } cache.set(key, names) return names }