UNPKG

@lavamoat/webpack

Version:

LavaMoat Webpack plugin for running dependencies in Compartments without eval

github.com/LavaMoat/lavamoat

LavaMoat/lavamoat

61 lines (54 loc) 2.12 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
/// <reference path="./lavamoat.d.ts" /> /* global LAVAMOAT */ const { create, assign, freeze, defineProperty } = Object const warn = typeof console === 'object' ? console.warn : () => {} warn('LavaMoatPlugin: using unlocked runtime') const { NAME_globalThis, NAME_scopeTerminator, NAME_runtimeHandler } = LAVAMOAT.ENUM /** * Wraps the webpack runtime with Lavamoat security features. * * @param {string} resourceId - The identifier of the resource. * @param {object} runtimeKit - The runtime kit containing bits from the webpack * runtime. * @param {any} [runtimeKit.__webpack_require__] - The webpack require function. * @param {object} [runtimeKit.module] - The module object. * @param {any} [runtimeKit.exports] - The exports object. * @returns {{ * [NAME_scopeTerminator]: Object * [NAME_runtimeHandler]: Object * [NAME_globalThis]: Object * }} * An object containing: * * - [NAME_scopeTerminator]: nothing * - [NAME_runtimeHandler]: The frozen runtime handler, unchanged * - [NAME_globalThis]: unprotected globals */ const lavamoatRuntimeWrapper = (resourceId, runtimeKit) => { let { module } = runtimeKit const runtimeHandler = assign(create(null), runtimeKit) // allow setting, but ignore value for /* module decorator */ module = __webpack_require__.nmd(module) defineProperty(runtimeHandler, 'module', { get: () => module, set: () => {}, }) // Make it possible to overwrite `exports` locally despite runtimeHandler being frozen let exportsReference = runtimeHandler.exports defineProperty(runtimeHandler, 'exports', { get: () => exportsReference, set: (value) => { exportsReference = value }, }) freeze(runtimeHandler) return freeze( assign(create(null), { [NAME_scopeTerminator]: create(null), [NAME_runtimeHandler]: runtimeHandler, [NAME_globalThis]: globalThis, // TODO: apply some defensive coding to the global here to give at least some benefits to the user }) ) } // defaultExport is getting assigned to __webpack_require__._LM_ LAVAMOAT.defaultExport = freeze(lavamoatRuntimeWrapper)