npm - @backstage/plugin-scaffolder-backend - Versions diffs - 0.15.13 → 0.15.14 - Mend

@backstage/plugin-scaffolder-backend 0.15.13 → 0.15.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md +13 -0
package/assets/nunjucks.js.txt +10385 -0
package/dist/index.cjs.js +129 -47
package/dist/index.cjs.js.map +1 -1
package/package.json +15 -11

package/dist/index.cjs.js CHANGED Viewed

@@ -5,12 +5,12 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var errors = require('@backstage/errors');
 var catalogModel = require('@backstage/catalog-model');
 var fs = require('fs-extra');
-var path = require('path');
 var yaml = require('yaml');
 var backendCommon = require('@backstage/backend-common');
+var path = require('path');
 var globby = require('globby');
-var nunjucks = require('nunjucks');
 var isbinaryfile = require('isbinaryfile');
+var vm2 = require('vm2');
 var pluginScaffolderBackendModuleCookiecutter = require('@backstage/plugin-scaffolder-backend-module-cookiecutter');
 var child_process = require('child_process');
 var stream = require('stream');
@@ -27,6 +27,7 @@ var luxon = require('luxon');
 var Handlebars = require('handlebars');
 var winston = require('winston');
 var jsonschema = require('jsonschema');
+var nunjucks = require('nunjucks');
 var express = require('express');
 var Router = require('express-promise-router');
 var os = require('os');
@@ -56,14 +57,13 @@ function _interopNamespace(e) {
 }
 var fs__default = /*#__PURE__*/_interopDefaultLegacy(fs);
-var path__namespace = /*#__PURE__*/_interopNamespace(path);
-var path__default = /*#__PURE__*/_interopDefaultLegacy(path);
 var yaml__namespace = /*#__PURE__*/_interopNamespace(yaml);
+var path__default = /*#__PURE__*/_interopDefaultLegacy(path);
 var globby__default = /*#__PURE__*/_interopDefaultLegacy(globby);
-var nunjucks__default = /*#__PURE__*/_interopDefaultLegacy(nunjucks);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
 var Handlebars__namespace = /*#__PURE__*/_interopNamespace(Handlebars);
 var winston__namespace = /*#__PURE__*/_interopNamespace(winston);
+var nunjucks__default = /*#__PURE__*/_interopDefaultLegacy(nunjucks);
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var os__default = /*#__PURE__*/_interopDefaultLegacy(os);
@@ -182,7 +182,7 @@ function createCatalogWriteAction() {
     async handler(ctx) {
       ctx.logStream.write(`Writing catalog-info.yaml`);
       const {entity} = ctx.input;
-      await fs__default['default'].writeFile(path.resolve(ctx.workspacePath, "catalog-info.yaml"), yaml__namespace.stringify(entity));
+      await fs__default['default'].writeFile(backendCommon.resolveSafeChildPath(ctx.workspacePath, "catalog-info.yaml"), yaml__namespace.stringify(entity));
     }
   });
 }
@@ -226,7 +226,7 @@ ${files.map((f) => `  - ${path.relative(ctx.workspacePath, f)}`).join("\n")}`);
 async function recursiveReadDir(dir) {
   const subdirs = await fs.readdir(dir);
   const files = await Promise.all(subdirs.map(async (subdir) => {
-    const res = path.resolve(dir, subdir);
+    const res = path.join(dir, subdir);
     return (await fs.stat(res)).isDirectory() ? recursiveReadDir(res) : [res];
   }));
   return files.reduce((a, f) => a.concat(f), []);
@@ -250,7 +250,7 @@ async function fetchContents({
   }
   if (!fetchUrlIsAbsolute && (baseUrl == null ? void 0 : baseUrl.startsWith("file://"))) {
     const basePath = baseUrl.slice("file://".length);
-    const srcDir = backendCommon.resolveSafeChildPath(path__namespace.dirname(basePath), fetchUrl);
+    const srcDir = backendCommon.resolveSafeChildPath(path__default['default'].dirname(basePath), fetchUrl);
     await fs__default['default'].copy(srcDir, outputPath);
   } else {
     let readUrl;
@@ -313,7 +313,100 @@ function createFetchPlainAction(options) {
   });
 }
-nunjucks__default['default'].installJinjaCompat();
+const mkScript = (nunjucksSource) => `
+const { render, renderCompat } = (() => {
+  const module = {};
+  const process = { env: {} };
+  const require = (pkg) => { if (pkg === 'events') { return function (){}; }};
+  ${nunjucksSource}
+  const env = module.exports.configure({
+    autoescape: false,
+    tags: {
+      variableStart: '\${{',
+      variableEnd: '}}',
+    },
+  });
+  const compatEnv = module.exports.configure({
+    autoescape: false,
+    tags: {
+      variableStart: '{{',
+      variableEnd: '}}',
+    },
+  });
+  compatEnv.addFilter('jsonify', compatEnv.getFilter('dump'));
+  if (typeof parseRepoUrl !== 'undefined') {
+    const safeHelperRef = parseRepoUrl;
+    env.addFilter('parseRepoUrl', repoUrl => {
+      return JSON.parse(safeHelperRef(repoUrl))
+    });
+    env.addFilter('projectSlug', repoUrl => {
+      const { owner, repo } = JSON.parse(safeHelperRef(repoUrl));
+      return owner + '/' + repo;
+    });
+  }
+  let uninstallCompat = undefined;
+  function render(str, values) {
+    try {
+      if (uninstallCompat) {
+        uninstallCompat();
+        uninstallCompat = undefined;
+      }
+      return env.renderString(str, JSON.parse(values));
+    } catch (error) {
+      // Make sure errors don't leak anything
+      throw new Error(String(error.message));
+    }
+  }
+  function renderCompat(str, values) {
+    try {
+      if (!uninstallCompat) {
+        uninstallCompat = module.exports.installJinjaCompat();
+      }
+      return compatEnv.renderString(str, JSON.parse(values));
+    } catch (error) {
+      // Make sure errors don't leak anything
+      throw new Error(String(error.message));
+    }
+  }
+  return { render, renderCompat };
+})();
+`;
+class SecureTemplater {
+  static async loadRenderer(options = {}) {
+    const {parseRepoUrl, cookiecutterCompat} = options;
+    let sandbox = void 0;
+    if (parseRepoUrl) {
+      sandbox = {
+        parseRepoUrl: (url) => JSON.stringify(parseRepoUrl(url))
+      };
+    }
+    const vm = new vm2.VM({sandbox});
+    const nunjucksSource = await fs__default['default'].readFile(backendCommon.resolvePackagePath("@backstage/plugin-scaffolder-backend", "assets/nunjucks.js.txt"), "utf-8");
+    vm.run(mkScript(nunjucksSource));
+    const render = (template, values) => {
+      if (!vm) {
+        throw new Error("SecureTemplater has not been initialized");
+      }
+      vm.setGlobal("templateStr", template);
+      vm.setGlobal("templateValues", JSON.stringify(values));
+      if (cookiecutterCompat) {
+        return vm.run(`renderCompat(templateStr, templateValues)`);
+      }
+      return vm.run(`render(templateStr, templateValues)`);
+    };
+    return render;
+  }
+}
 function createFetchTemplateAction(options) {
   const {reader, integrations} = options;
   return createTemplateAction({
@@ -364,7 +457,7 @@ function createFetchTemplateAction(options) {
       var _a;
       ctx.logger.info("Fetching template content from remote URL");
       const workDir = await ctx.createTemporaryDirectory();
-      const templateDir = path.resolve(workDir, "template");
+      const templateDir = backendCommon.resolveSafeChildPath(workDir, "template");
       const targetPath = (_a = ctx.input.targetPath) != null ? _a : "./";
       const outputDir = backendCommon.resolveSafeChildPath(ctx.workspacePath, targetPath);
       if (ctx.input.copyWithoutRender && !Array.isArray(ctx.input.copyWithoutRender)) {
@@ -400,23 +493,14 @@ function createFetchTemplateAction(options) {
         onlyFiles: false,
         markDirectories: true
       })))).flat());
-      const templater = nunjucks__default['default'].configure({
-        ...ctx.input.cookiecutterCompat ? {} : {
-          tags: {
-            variableStart: "${{",
-            variableEnd: "}}"
-          }
-        },
-        autoescape: false
-      });
-      if (ctx.input.cookiecutterCompat) {
-        templater.addFilter("jsonify", templater.getFilter("dump"));
-      }
       const {cookiecutterCompat, values} = ctx.input;
       const context = {
         [cookiecutterCompat ? "cookiecutter" : "values"]: values
       };
       ctx.logger.info(`Processing ${allEntriesInTemplate.length} template files/directories with input values`, ctx.input.values);
+      const renderTemplate = await SecureTemplater.loadRenderer({
+        cookiecutterCompat: ctx.input.cookiecutterCompat
+      });
       for (const location of allEntriesInTemplate) {
         let renderFilename;
         let renderContents;
@@ -431,9 +515,9 @@ function createFetchTemplateAction(options) {
           renderFilename = renderContents = !nonTemplatedEntries.has(location);
         }
         if (renderFilename) {
-          localOutputPath = templater.renderString(localOutputPath, context);
+          localOutputPath = renderTemplate(localOutputPath, context);
         }
-        const outputPath = path.resolve(outputDir, localOutputPath);
+        const outputPath = backendCommon.resolveSafeChildPath(outputDir, localOutputPath);
         if (outputDir === outputPath) {
           continue;
         }
@@ -444,7 +528,7 @@ function createFetchTemplateAction(options) {
           ctx.logger.info(`Writing directory ${location} to template output path.`);
           await fs__default['default'].ensureDir(outputPath);
         } else {
-          const inputFilePath = path.resolve(templateDir, location);
+          const inputFilePath = backendCommon.resolveSafeChildPath(templateDir, location);
           if (await isbinaryfile.isBinaryFile(inputFilePath)) {
             ctx.logger.info(`Copying binary file ${location} to template output path.`);
             await fs__default['default'].copy(inputFilePath, outputPath);
@@ -452,7 +536,7 @@ function createFetchTemplateAction(options) {
             const statsObj = await fs__default['default'].stat(inputFilePath);
             ctx.logger.info(`Writing file ${location} to template output path with mode ${statsObj.mode}.`);
             const inputFileContents = await fs__default['default'].readFile(inputFilePath, "utf-8");
-            await fs__default['default'].outputFile(outputPath, renderContents ? templater.renderString(inputFileContents, context) : inputFileContents, {mode: statsObj.mode});
+            await fs__default['default'].outputFile(outputPath, renderContents ? renderTemplate(inputFileContents, context) : inputFileContents, {mode: statsObj.mode});
           }
         }
       }
@@ -1400,7 +1484,7 @@ const createPublishGithubPullRequestAction = ({
         dot: true
       });
       const fileContents = await Promise.all(localFilePaths.map((filePath) => {
-        const absPath = path__default['default'].resolve(fileRoot, filePath);
+        const absPath = backendCommon.resolveSafeChildPath(fileRoot, filePath);
         const base64EncodedContent = fs__default['default'].readFileSync(absPath).toString("base64");
         const fileStat = fs__default['default'].statSync(absPath);
         const githubTreeItemMode = isExecutable(fileStat.mode) ? "100755" : "100644";
@@ -2270,35 +2354,27 @@ const createStepLogger = ({
 class NunjucksWorkflowRunner {
   constructor(options) {
     this.options = options;
-    this.nunjucksOptions = {
+  }
+  isSingleTemplateString(input) {
+    var _a, _b;
+    const {parser, nodes} = nunjucks__default['default'];
+    const parsed = parser.parse(input, {}, {
       autoescape: false,
       tags: {
         variableStart: "${{",
         variableEnd: "}}"
       }
-    };
-    this.nunjucks = nunjucks__default['default'].configure(this.nunjucksOptions);
-    this.nunjucks.addFilter("parseRepoUrl", (repoUrl) => {
-      return parseRepoUrl(repoUrl, this.options.integrations);
-    });
-    this.nunjucks.addFilter("projectSlug", (repoUrl) => {
-      const {owner, repo} = parseRepoUrl(repoUrl, this.options.integrations);
-      return `${owner}/${repo}`;
     });
+    return parsed.children.length === 1 && !(((_b = (_a = parsed.children[0]) == null ? void 0 : _a.children) == null ? void 0 : _b[0]) instanceof nodes.TemplateData);
   }
-  isSingleTemplateString(input) {
-    const {parser, nodes} = require("nunjucks");
-    const parsed = parser.parse(input, {}, this.nunjucksOptions);
-    return parsed.children.length === 1 && !(parsed.children[0] instanceof nodes.TemplateData);
-  }
-  render(input, context) {
+  render(input, context, renderTemplate) {
     return JSON.parse(JSON.stringify(input), (_key, value) => {
       try {
         if (typeof value === "string") {
           try {
             if (this.isSingleTemplateString(value)) {
               const wrappedDumped = value.replace(/\${{(.+)}}/g, "${{ ( $1 ) | dump }}");
-              const templated2 = this.nunjucks.renderString(wrappedDumped, context);
+              const templated2 = renderTemplate(wrappedDumped, context);
               if (templated2 === "") {
                 return void 0;
               }
@@ -2307,7 +2383,7 @@ class NunjucksWorkflowRunner {
           } catch (ex) {
             this.options.logger.error(`Failed to parse template string: ${value} with error ${ex.message}`);
           }
-          const templated = this.nunjucks.renderString(value, context);
+          const templated = renderTemplate(value, context);
           if (templated === "") {
             return void 0;
           }
@@ -2325,6 +2401,12 @@ class NunjucksWorkflowRunner {
       throw new errors.InputError("Wrong template version executed with the workflow engine");
     }
     const workspacePath = path__default['default'].join(this.options.workingDirectory, await task.getWorkspaceName());
+    const {integrations} = this.options;
+    const renderTemplate = await SecureTemplater.loadRenderer({
+      parseRepoUrl(url) {
+        return parseRepoUrl(url, integrations);
+      }
+    });
     try {
       await fs__default['default'].ensureDir(workspacePath);
       await task.emitLog(`Starting up task with ${task.spec.steps.length} steps`);
@@ -2335,7 +2417,7 @@ class NunjucksWorkflowRunner {
       for (const step of task.spec.steps) {
         try {
           if (step.if) {
-            const ifResult = await this.render(step.if, context);
+            const ifResult = await this.render(step.if, context, renderTemplate);
             if (!isTruthy(ifResult)) {
               await task.emitLog(`Skipping step ${step.id} because it's if condition was false`, {stepId: step.id, status: "skipped"});
               continue;
@@ -2347,7 +2429,7 @@ class NunjucksWorkflowRunner {
           });
           const action = this.options.actionRegistry.get(step.action);
           const {taskLogger, streamLogger} = createStepLogger({task, step});
-          const input = (_a = step.input && this.render(step.input, context)) != null ? _a : {};
+          const input = (_a = step.input && this.render(step.input, context, renderTemplate)) != null ? _a : {};
           if ((_b = action.schema) == null ? void 0 : _b.input) {
             const validateResult = jsonschema.validate(input, action.schema.input);
             if (!validateResult.valid) {
@@ -2392,7 +2474,7 @@ class NunjucksWorkflowRunner {
           throw err;
         }
       }
-      const output = this.render(task.spec.output, context);
+      const output = this.render(task.spec.output, context, renderTemplate);
       return {output};
     } finally {
       if (workspacePath) {