UNPKG

isolation

Version:

How often do you see libraries which mutates global variables Or how often do you check libraries actions ? This library provides script isolation in custom contexts to solve this kind of issues.

astrohelm.ru

astrohelm/isolation

307 lines (228 loc) 12 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
<h1 align="center"> **Isolation** </h1> **Why should i use it ?** How often do you see libraries which mutates global variables Or how often do you check libraries actions ? Library provides script isolation in custom contexts to solve this kind of issues. Also, isolation prevents global scope and prototypes pollution. > [!TIP] > > ## **Possible use case** > > May be useful as routing loader, if some loaded route makes an error while runtime, you may > recreate it - to prevent memory leaks. Another worlds, with this library you can create > multi-tenant applications; <h2 align="center"> **Installation** </h2> ```bash npm i isolation --save ``` <h2 align="center"> **Basic Usage** </h2> - **Prevent intentionally damage** It will stop tricky users code, while you don't allow it. ```javascript // unchecked-dangerous-library index.js const fs = require('fs'); fs.rm(process.cwd(), { recursive: true }); // Ha ha, no-code developer ``` ```javascript // routes/route/get.js const dangerousLibrary = require('unchecked-dangerous-library'); // Point where dangerous library initialized // ... other logic ``` ```javascript // index.js const Isolation = require('isolation'); const routes = Isolation.read('./routes'); // ⚠️ Will throw an error because fs doesn't allowed ``` - **Prevent unintentionally damage** This solves problem where libraries used to mutate global variables. ```javascript // unchecked-dangerous-library index.js var console = msg => process.stdout.write(msg); // Someone just want different implementation for console global.console = console; console('Here it works fine'); String.prototype = {}; // Or just mutating prototypes ``` ```javascript // routes/route/get.js const dangerousLibrary = require('unchecked-dangerous-library'); // Point where dangerous library initialized // ... other logic ``` ```javascript // index.js const Isolation = require('isolation'); Isolation.read('./routes'); console.log('All works fine'); console('Here it not works'); // Will throw an error String.prototype; // Will be as default ``` <h2 id="module-types" align="center"> **Module types / Script syntax** </h2> > [!CAUTION] > > You can run any script from string, just like eval, but in custom VM container. But you > **shouldn't use** it for unknown script evaluation, it may create **security issues**. ### **Commonjs** By default Isolation will use Standard Nodejs syntax. With this type of syntax it will provide to your realms global variables such as: - **require** function, which is almost same as nodejs require, but with extra cup of isolation; - **module** & **exports** variables provided to manipulate with exports between modules; - **\_\_filename** & **\_\_dirname** are same as with default nodejs realm; > [!IMPORTANT] > > You always should use module.exports to export, otherwise you will see undefined as the result of > realm execution. ```javascript const Isolation = require('isolation'); console.log(new Isolation(`module.exports = { field: 'value' };`).execute()); // Output: { field: 'value' } console.log(Isolation.execute(`module.exports = (a, b) => a + b;`)(2 + 2)); // Output: 4 console.log(Isolation.execute(`(a, b) => a + b;`)(2 + 2)); // Output: undefined Isolation.execute(`module.exports = async (a, b) => a + b;`)(2 + 2).then(console.log); // Output: 4 ``` ### **ISO** This type of syntax will stand your script alone without any of extra global variables. That means that you would not see <code>module</code> or <code>exports</code> in your environment. But your context variables will still work well. > [!IMPORTANT] > > In this mode, your realms will export result of the last expression, that means that you should > put a reference to your variable or expression at the end of the file / row; ```javascript const Isolation = require('isolation'); const options = { type: 'iso' }; console.log(new Isolation(`{ field: 'value' };`, options).execute()); // Output: { field: 'value' } console.log(Isolation.execute(`(a, b) => a + b;`, options)(2 + 2)); // Output: 4 Isolation.execute(`async (a, b) => a + b;`, options)(2 + 2).then(console.log); // Output: 4 ``` ### **ESM** Isolation doesn't yet support esm syntax. That's because currently <code>node.vm</code> ESM modules are experimental. <h2 id="context-api" align="center"> **Context API** </h2> You can create custom context or use default presets with **context api**. This will allow you to provide your custom variables to the context without requiring any module. > [!TIP] > > Remember to reuse your contexts. This will increase performance of your application. To help you > with this we have default contexts: ### **Context example** ```javascript const { contextify, execute } = require('isolation'); const custom = contextify({ console }); // ⚠️ Object will be mutated execute(`console.log(123);`, { ctx: custom }); // STD Output: 123 execute(`console.log(123);`); // No STD output, because different stdout stream ``` Also its allow you to change program behavior with something like: ```js const ctx = Isolation.contextify({ a: 1000, b: 10 }); const realm = new Isolation(`module.exports = a - b`, { ctx }); realm.execute(); // Output: 990 realm.execute({ ...ctx, a: 0 }); // Output: -10 realm.execute({ ...ctx, b: 7 }); // Output: 993 ``` ### **Default contexts** Default contexts are accessible from Isolation.contextify, there you can find: - Isolation.contextify.**EMPTY**, that just empty context - Isolation.contextify.**COMMON**, timers, buffer, fetch etc... - Isolation.contextify.**NODE**, global, console, process & **COMMON** context You should'nt use **NODE** context, it may create security issues, otherwise it may road to possible context escaping. <h2 id="reader-api" align="center"> **Reader API** </h2> Reader allow you to run scripts from files and extends possible provided options with: - Option <code>prepare:boolean</code> reader will return non-executed scripts, **default false** - Option <code>depth:number|boolean</code> nested directories restrictions, **default true** - Option <code>flat:boolean</code> result with nested scripts will be flat, **default false** - <code>read</code> Allow you to read source codes from files and directories ```javascript const Isolation = require('isolation'); Isolation.read('./path/to/script.js').then(console.log); // Output: result of script execution Isolation.read('./path/to').then(console.log); // Output: { script: any } Isolation.read('./path/to', { prepare: true }).then(console.log); // Output: { script: Script {} } ``` By default reader works with nested directories, to disable this behavior you can do: ```js const Isolation = require('isolation'); Isolation.read('./path/to', { depth: false }); // Or limit it: Isolation.read('./path/to', { depth: 3 }); ``` - <code>read.file</code> Allow you to execute script from single file ```javascript const Isolation = require('isolation'); Isolation.read.file('./path/to/script.js').then(console.log); // Output: result of script execution Isolation.read.file('./path/to/script.js', { prepare: true }).then(console.log); // Output: Script {} ``` - <code>read.dir</code> Allow you to execute multiple scripts from directory ```javascript const Isolation = require('isolation'); Isolation.read.dir('./path/to').then(console.log); // Output: { script: any, deep: { script: any } } Isolation.read.dir('./path/to', { prepare: true }).then(console.log); Output: { script: Script {} } Isolation.read.dir('./path/to', { depth: false }).then(console.log); // Output: { script: any } ``` <h2 id="access-control" align="center"> **Access control** </h2> You may control access over realm submodules and reader api; > [!NOTE] > > If access doesn't provided realm submodules would'nt be accessible and reader will read all files > in directed repository. ```js const options = { access: pathOrModule => pathOrModule === 'fs' || pathOrModule.endsWith('.js') }; Isolation.execute('module.exports = require("fs")', options); Isolation.read('./path/to/script.js', options); // Or const options2 = { access: { reader: path => true, // Directory reader realm: module => {}, // Realm submodules }, }; ``` ### **Library substitution** You can replace result of require for specific libraries with anything what you want; ```js const Isolation = require('isolation'); const src = ` const fs = require('fs'); module.exports = fs.readFile('Isolation.js'); `; const sub = name => { if (name !== 'fs') return true; return { readFile: filename => filename + ' Works !', }; }; const result = Isolation.execute(src, { access: { realm: sub } }); console.log(result); // Output: Isolation.js Works ! ``` <h2 id="script-options" align="center"> **Possible script options** </h2> | Option | Possible | Default | Description | | ---------------- | ---------------------------------------------- | -------------------------------- | ----------------------------------------------------------------------------------------------------- | | **type** | iso&nbsp;\|&nbsp;cjs | cjs | Type&nbsp;of&nbsp;script&nbsp;handling, see [syntax types](#module-types) | | **ctx** | object | - | Realm&nbsp;context, see [Context API](#context-api) | | **filename** | string | ISO | Name&nbsp;of&nbsp;the&nbsp;module&nbsp;, also it is global variable **\_\_filename** for root realm | | **dir** | string | process.cwd() | Module&nbsp;directory&nbsp;, also it is global variable **\_\_dirname** and realm require start point | | **npmIsolation** | boolean | false | Controls&nbsp;npm&nbsp;modules&nbsp;isolation | | **access** | [Access](./types/options.d.ts#L51) | - | Isolation&nbsp;restrictions, see [Access API](#reader-api) | | **prepare** | boolean | false | Reader&nbsp;would'nt&nbsp;execute script for you | | **flat** | boolean | false | Reader&nbsp;will&nbsp;flat&nbsp;nested&nbsp;scripts | | **depth** | boolean&nbsp;\|&nbsp;number | true | Restricts&nbsp;dir&nbsp;reading&nbsp;depth | | **realmOpts** | [ScriptOptions](./types/options.d.ts#L63) | - | Configuration&nbsp;for VM.Script initialization | | **runOpts** | [RunningCodeOptions](./types/options.d.ts#L62) | {&nbsp;timeout:&nbsp;1000&nbsp;} | Configuration&nbsp;for VM.Script execution | <h2 align="center">Copyright & contributors</h2> <p align="center"> Copyright © 2023 <a href="https://github.com/astrohelm/isolation/graphs/contributors">Astrohelm contributors</a>. This library is <a href="./LICENSE">MIT licensed license</a>.<br/> And it is part of <a href="https://github.com/astrohelm">Astrohelm solutions</a>. </p>