@cuxt/sandboxjs 0.1.0 → 0.1.3

package/package.json

@@ -1,68 +1,70 @@
-{
-  "name": "@cuxt/sandboxjs",
-  "version": "0.1.0",
-  "description": "JavaScript sandboxing library with prototype whitelist and safe globals.",
-  "main": "dist/node/Sandbox.js",
-  "module": "build/Sandbox.js",
-  "browser": "dist/Sandbox.min.js",
-  "type": "module",
-  "exports": {
-    ".": {
-      "import": "./build/Sandbox.js",
-      "require": "./dist/node/Sandbox.js",
-      "types": "./build/Sandbox.d.ts"
-    }
-  },
-  "files": [
-    "build",
-    "dist"
-  ],
-  "scripts": {
-    "test": "NODE_OPTIONS='--no-warnings=ExperimentalWarning' jest",
-    "build": "tsc --project tsconfig.json --outDir build --declaration && rollup -c",
-    "lint": "prettier --check \"**/*.+(ts|json)\" && eslint --ext .ts .",
-    "lint:fix": "prettier --write \"**/*.+(ts|json)\" && eslint --ext .ts --fix .",
-    "patch": "npm version patch",
-    "minor": "npm version minor",
-    "major": "npm version major"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git@github.com:cuxt/SandboxJS.git"
-  },
-  "author": "",
-  "license": "MIT",
-  "bugs": {
-    "url": "https://github.com/cuxt/SandboxJS/issues"
-  },
-  "homepage": "https://github.com/cuxt/SandboxJS#readme",
-  "devDependencies": {
-    "@rollup/plugin-node-resolve": "^16.0.3",
-    "@rollup/plugin-terser": "^1.0.0",
-    "@rollup/plugin-typescript": "^12.3.0",
-    "@types/jest": "^30.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.53.0",
-    "@typescript-eslint/parser": "^8.53.0",
-    "eslint": "^9.39.2",
-    "eslint-config-prettier": "^10.1.8",
-    "husky": "^9.1.7",
-    "jest": "^30.2.0",
-    "lint-staged": "^16.2.7",
-    "node-fetch": "^3.3.2",
-    "prettier": "^3.8.0",
-    "rollup": "^4.55.2",
-    "rollup-plugin-bundle-stats": "^4.21.8",
-    "ts-jest": "^29.4.6",
-    "tslib": "^2.8.1",
-    "typescript": "^5.9.3"
-  },
-  "lint-staged": {
-    "*.ts": [
-      "prettier --write",
-      "eslint --fix"
-    ],
-    "*.json": [
-      "prettier --write"
-    ]
-  }
-}
+{
+  "name": "@cuxt/sandboxjs",
+  "version": "0.1.3",
+  "description": "JavaScript sandboxing library with prototype whitelist and safe globals.",
+  "main": "dist/node/Sandbox.js",
+  "module": "build/Sandbox.js",
+  "browser": "dist/Sandbox.min.js",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./build/Sandbox.js",
+      "require": "./dist/node/Sandbox.js",
+      "types": "./build/Sandbox.d.ts"
+    }
+  },
+  "files": [
+    "build",
+    "dist"
+  ],
+  "scripts": {
+    "test": "jest",
+    "test:perf": "NODE_OPTIONS='--no-warnings=ExperimentalWarning' node --expose-gc test/performance.mjs",
+    "build": "node scripts/build.mjs",
+    "lint": "prettier --check \"**/*.+(ts|json)\" && eslint --ext .ts .",
+    "lint:fix": "prettier --write \"**/*.+(ts|json)\" && eslint --ext .ts --fix .",
+    "patch": "npm version patch",
+    "minor": "npm version minor",
+    "major": "npm version major"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git@github.com:cuxt/SandboxJS.git"
+  },
+  "author": "",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/cuxt/SandboxJS/issues"
+  },
+  "homepage": "https://github.com/cuxt/SandboxJS#readme",
+  "devDependencies": {
+    "@types/jest": "^30.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.53.0",
+    "@typescript-eslint/parser": "^8.53.0",
+    "chalk": "^5.6.2",
+    "cli-table3": "^0.6.5",
+    "eslint": "^9.39.2",
+    "eslint-config-prettier": "^10.1.8",
+    "husky": "^9.1.7",
+    "jest": "^30.2.0",
+    "lint-staged": "^16.2.7",
+    "node-fetch": "^3.3.2",
+    "prettier": "^3.8.0",
+    "terser": "^5.46.1",
+    "tinybench": "^6.0.0",
+    "ts-jest": "^29.4.6",
+    "tslib": "^2.8.1",
+    "typescript": "^5.9.3",
+    "vite": "^8.0.8",
+    "vite-plugin-dts": "^4.5.4"
+  },
+  "lint-staged": {
+    "*.ts": [
+      "prettier --write",
+      "eslint --fix"
+    ],
+    "*.json": [
+      "prettier --write"
+    ]
+  }
+}

package/build/Sandbox.js

@@ -1,62 +0,0 @@
-import { createExecContext } from './utils.js';
-import { createEvalContext } from './eval.js';
-import parse from './parser.js';
-import SandboxExec from './SandboxExec.js';
-export { LocalScope, SandboxExecutionTreeError, SandboxCapabilityError, SandboxAccessError, SandboxError, } from './utils.js';
-export default class Sandbox extends SandboxExec {
-    constructor(options) {
-        super(options, createEvalContext());
-    }
-    static audit(code, scopes = []) {
-        const globals = {};
-        for (const i of Object.getOwnPropertyNames(globalThis)) {
-            globals[i] = globalThis[i];
-        }
-        const sandbox = new SandboxExec({
-            globals,
-            audit: true,
-        });
-        return sandbox.executeTree(createExecContext(sandbox, parse(code, true), createEvalContext()), scopes);
-    }
-    static parse(code) {
-        return parse(code);
-    }
-    compile(code, optimize = false) {
-        const parsed = parse(code, optimize);
-        const exec = (...scopes) => {
-            const context = createExecContext(this, parsed, this.evalContext);
-            return { context, run: () => this.executeTree(context, [...scopes]).result };
-        };
-        return exec;
-    }
-    compileAsync(code, optimize = false) {
-        const parsed = parse(code, optimize);
-        const exec = (...scopes) => {
-            const context = createExecContext(this, parsed, this.evalContext);
-            return {
-                context,
-                run: () => this.executeTreeAsync(context, [...scopes]).then((ret) => ret.result),
-            };
-        };
-        return exec;
-    }
-    compileExpression(code, optimize = false) {
-        const parsed = parse(code, optimize, true);
-        const exec = (...scopes) => {
-            const context = createExecContext(this, parsed, this.evalContext);
-            return { context, run: () => this.executeTree(context, [...scopes]).result };
-        };
-        return exec;
-    }
-    compileExpressionAsync(code, optimize = false) {
-        const parsed = parse(code, optimize, true);
-        const exec = (...scopes) => {
-            const context = createExecContext(this, parsed, this.evalContext);
-            return {
-                context,
-                run: () => this.executeTreeAsync(context, [...scopes]).then((ret) => ret.result),
-            };
-        };
-        return exec;
-    }
-}

package/build/SandboxExec.js

@@ -1,214 +0,0 @@
-import { executeTree, executeTreeAsync } from './executor.js';
-import { createContext, SandboxExecutionQuotaExceededError, SandboxGlobal, } from './utils.js';
-export { LocalScope, SandboxExecutionTreeError, SandboxCapabilityError, SandboxAccessError, SandboxError, } from './utils.js';
-function subscribeSet(obj, name, callback, context) {
-    const names = context.setSubscriptions.get(obj) || new Map();
-    context.setSubscriptions.set(obj, names);
-    const callbacks = names.get(name) || new Set();
-    names.set(name, callbacks);
-    callbacks.add(callback);
-    let changeCbs;
-    const val = obj[name];
-    if (val instanceof Object) {
-        changeCbs = context.changeSubscriptions.get(val) || new Set();
-        changeCbs.add(callback);
-        context.changeSubscriptions.set(val, changeCbs);
-    }
-    return {
-        unsubscribe: () => {
-            callbacks.delete(callback);
-            changeCbs?.delete(callback);
-        },
-    };
-}
-export default class SandboxExec {
-    constructor(options, evalContext) {
-        this.evalContext = evalContext;
-        this.setSubscriptions = new WeakMap();
-        this.changeSubscriptions = new WeakMap();
-        this.sandboxFunctions = new WeakMap();
-        this.haltSubscriptions = new Set();
-        this.resumeSubscriptions = new Set();
-        this.halted = false;
-        this.timeoutHandleCounter = 0;
-        this.setTimeoutHandles = new Map();
-        this.setIntervalHandles = new Map();
-        const opt = Object.assign({
-            audit: false,
-            forbidFunctionCalls: false,
-            forbidFunctionCreation: false,
-            globals: SandboxExec.SAFE_GLOBALS,
-            prototypeWhitelist: SandboxExec.SAFE_PROTOTYPES,
-            prototypeReplacements: new Map(),
-        }, options || {});
-        this.context = createContext(this, opt);
-    }
-    static get SAFE_GLOBALS() {
-        return {
-            globalThis,
-            Function,
-            eval,
-            console: {
-                debug: console.debug,
-                error: console.error,
-                info: console.info,
-                log: console.log,
-                table: console.table,
-                warn: console.warn,
-            },
-            isFinite,
-            isNaN,
-            parseFloat,
-            parseInt,
-            decodeURI,
-            decodeURIComponent,
-            encodeURI,
-            encodeURIComponent,
-            escape,
-            unescape,
-            Boolean,
-            Number,
-            BigInt,
-            String,
-            Object,
-            Array,
-            Symbol,
-            Error,
-            EvalError,
-            RangeError,
-            ReferenceError,
-            SyntaxError,
-            TypeError,
-            URIError,
-            Int8Array,
-            Uint8Array,
-            Uint8ClampedArray,
-            Int16Array,
-            Uint16Array,
-            Int32Array,
-            Uint32Array,
-            Float32Array,
-            Float64Array,
-            Map,
-            Set,
-            WeakMap,
-            WeakSet,
-            Promise,
-            Intl,
-            JSON,
-            Math,
-            Date,
-            RegExp,
-        };
-    }
-    static get SAFE_PROTOTYPES() {
-        const protos = [
-            SandboxGlobal,
-            Function,
-            Boolean,
-            Number,
-            BigInt,
-            String,
-            Date,
-            Error,
-            Array,
-            Int8Array,
-            Uint8Array,
-            Uint8ClampedArray,
-            Int16Array,
-            Uint16Array,
-            Int32Array,
-            Uint32Array,
-            Float32Array,
-            Float64Array,
-            Map,
-            Set,
-            WeakMap,
-            WeakSet,
-            Promise,
-            Symbol,
-            Date,
-            RegExp,
-            // Fetch API
-            Response,
-            Request,
-            Headers,
-            FormData,
-        ];
-        const map = new Map();
-        protos.forEach((proto) => {
-            map.set(proto, new Set());
-        });
-        map.set(Object, new Set([
-            'constructor',
-            'name',
-            'entries',
-            'fromEntries',
-            'getOwnPropertyNames',
-            'is',
-            'keys',
-            'hasOwnProperty',
-            'isPrototypeOf',
-            'propertyIsEnumerable',
-            'toLocaleString',
-            'toString',
-            'valueOf',
-            'values',
-        ]));
-        return map;
-    }
-    subscribeGet(callback, context) {
-        context.getSubscriptions.add(callback);
-        return { unsubscribe: () => context.getSubscriptions.delete(callback) };
-    }
-    subscribeSet(obj, name, callback, context) {
-        return subscribeSet(obj, name, callback, context);
-    }
-    subscribeSetGlobal(obj, name, callback) {
-        return subscribeSet(obj, name, callback, this);
-    }
-    subscribeHalt(cb) {
-        this.haltSubscriptions.add(cb);
-        return {
-            unsubscribe: () => {
-                this.haltSubscriptions.delete(cb);
-            },
-        };
-    }
-    subscribeResume(cb) {
-        this.resumeSubscriptions.add(cb);
-        return {
-            unsubscribe: () => {
-                this.resumeSubscriptions.delete(cb);
-            },
-        };
-    }
-    haltExecution(haltContext) {
-        if (this.halted)
-            return;
-        this.halted = true;
-        for (const cb of this.haltSubscriptions) {
-            cb(haltContext);
-        }
-    }
-    resumeExecution() {
-        if (!this.halted)
-            return;
-        if (this.context.ticks.tickLimit && this.context.ticks.ticks >= this.context.ticks.tickLimit) {
-            throw new SandboxExecutionQuotaExceededError('Cannot resume execution: tick limit exceeded');
-        }
-        this.halted = false;
-        for (const cb of this.resumeSubscriptions) {
-            cb();
-        }
-    }
-    getContext(fn) {
-        return this.sandboxFunctions.get(fn);
-    }
-    executeTree(context, scopes = []) {
-        return executeTree(context.ctx.ticks, context, context.tree, scopes);
-    }
-    executeTreeAsync(context, scopes = []) {
-        return executeTreeAsync(context.ctx.ticks, context, context.tree, scopes);
-    }
-}

package/build/eval.js

@@ -1,205 +0,0 @@
-import { createFunction, createFunctionAsync } from './executor.js';
-import parse, { lispifyFunction } from './parser.js';
-export function createEvalContext() {
-    return {
-        sandboxFunction,
-        sandboxAsyncFunction,
-        sandboxedEval,
-        sandboxedSetTimeout,
-        sandboxedSetInterval,
-        sandboxedClearTimeout,
-        sandboxedClearInterval,
-        lispifyFunction,
-    };
-}
-function SB() { }
-export function sandboxFunction(context) {
-    SandboxFunction.prototype = SB.prototype;
-    return SandboxFunction;
-    function SandboxFunction(...params) {
-        const code = params.pop() || '';
-        const parsed = parse(code);
-        return createFunction(params, parsed.tree, context.ctx.ticks, {
-            ...context,
-            constants: parsed.constants,
-            tree: parsed.tree,
-        }, undefined, 'anonymous');
-    }
-}
-function SAF() { }
-export function sandboxAsyncFunction(context) {
-    SandboxAsyncFunction.prototype = SAF.prototype;
-    return SandboxAsyncFunction;
-    function SandboxAsyncFunction(...params) {
-        const code = params.pop() || '';
-        const parsed = parse(code);
-        return createFunctionAsync(params, parsed.tree, context.ctx.ticks, {
-            ...context,
-            constants: parsed.constants,
-            tree: parsed.tree,
-        }, undefined, 'anonymous');
-    }
-}
-function SE() { }
-export function sandboxedEval(func, context) {
-    sandboxEval.prototype = SE.prototype;
-    return sandboxEval;
-    function sandboxEval(code) {
-        // Parse the code and wrap last statement in return for completion value
-        const parsed = parse(code);
-        const tree = wrapLastStatementInReturn(parsed.tree);
-        // Create and execute function with modified tree
-        return createFunction([], tree, context.ctx.ticks, {
-            ...context,
-            constants: parsed.constants,
-            tree,
-        }, undefined, 'anonymous')();
-    }
-}
-function wrapLastStatementInReturn(tree) {
-    if (tree.length === 0)
-        return tree;
-    const newTree = [...tree];
-    const lastIndex = newTree.length - 1;
-    const lastStmt = newTree[lastIndex];
-    // Only wrap if it's not already a return or throw
-    if (Array.isArray(lastStmt) && lastStmt.length >= 1) {
-        const op = lastStmt[0];
-        // Don't wrap Return (8) or Throw (47) - they already control flow
-        if (op === 8 /* LispType.Return */ || op === 46 /* LispType.Throw */) {
-            return newTree;
-        }
-        // List of statement types that should have undefined completion value
-        // These match JavaScript semantics where declarations and control structures
-        // don't produce a completion value
-        const statementTypes = [
-            3 /* LispType.Let */, // 3
-            4 /* LispType.Const */, // 4
-            34 /* LispType.Var */, // 35
-            37 /* LispType.Function */, // 38
-            13 /* LispType.If */, // 14
-            38 /* LispType.Loop */, // 39
-            39 /* LispType.Try */, // 40
-            40 /* LispType.Switch */, // 41
-            42 /* LispType.Block */, // 43
-            43 /* LispType.Expression */, // 44
-        ];
-        // If the last statement is a declaration or control structure,
-        // don't wrap it (it will naturally return undefined)
-        if (statementTypes.includes(op)) {
-            return newTree;
-        }
-        // For all other types (expressions, operators, etc.),
-        // wrap in return to capture the completion value
-        newTree[lastIndex] = [8 /* LispType.Return */, 0 /* LispType.None */, lastStmt];
-    }
-    return newTree;
-}
-function sST() { }
-export function sandboxedSetTimeout(func, context) {
-    sandboxSetTimeout.prototype = sST.prototype;
-    return sandboxSetTimeout;
-    function sandboxSetTimeout(handler, timeout, ...args) {
-        const sandbox = context.ctx.sandbox;
-        const exec = (...a) => {
-            const h = typeof handler === 'string' ? func(handler) : handler;
-            haltsub.unsubscribe();
-            contsub.unsubscribe();
-            sandbox.setTimeoutHandles.delete(sandBoxhandle);
-            return h(...a);
-        };
-        const sandBoxhandle = ++sandbox.timeoutHandleCounter;
-        let start = Date.now();
-        let handle = setTimeout(exec, timeout, ...args);
-        let elapsed = 0;
-        const haltsub = sandbox.subscribeHalt(() => {
-            elapsed = Date.now() - start + elapsed;
-            clearTimeout(handle);
-        });
-        const contsub = sandbox.subscribeResume(() => {
-            start = Date.now();
-            const remaining = Math.floor((timeout || 0) - elapsed);
-            handle = setTimeout(exec, remaining, ...args);
-            sandbox.setTimeoutHandles.set(sandBoxhandle, {
-                handle,
-                haltsub,
-                contsub,
-            });
-        });
-        sandbox.setTimeoutHandles.set(sandBoxhandle, {
-            handle,
-            haltsub,
-            contsub,
-        });
-        return sandBoxhandle;
-    }
-}
-function sCT() { }
-export function sandboxedClearTimeout(context) {
-    sandboxClearTimeout.prototype = sCT.prototype;
-    return sandboxClearTimeout;
-    function sandboxClearTimeout(handle) {
-        const sandbox = context.ctx.sandbox;
-        const timeoutHandle = sandbox.setTimeoutHandles.get(handle);
-        if (timeoutHandle) {
-            clearTimeout(timeoutHandle.handle);
-            timeoutHandle.haltsub.unsubscribe();
-            timeoutHandle.contsub.unsubscribe();
-            sandbox.setTimeoutHandles.delete(handle);
-        }
-    }
-}
-function sCI() { }
-export function sandboxedClearInterval(context) {
-    sandboxClearInterval.prototype = sCI.prototype;
-    return sandboxClearInterval;
-    function sandboxClearInterval(handle) {
-        const sandbox = context.ctx.sandbox;
-        const intervalHandle = sandbox.setIntervalHandles.get(handle);
-        if (intervalHandle) {
-            clearInterval(intervalHandle.handle);
-            intervalHandle.haltsub.unsubscribe();
-            intervalHandle.contsub.unsubscribe();
-            sandbox.setIntervalHandles.delete(handle);
-        }
-    }
-}
-function sSI() { }
-export function sandboxedSetInterval(func, context) {
-    sandboxSetInterval.prototype = sSI.prototype;
-    return sandboxSetInterval;
-    function sandboxSetInterval(handler, timeout, ...args) {
-        const sandbox = context.ctx.sandbox;
-        const h = typeof handler === 'string' ? func(handler) : handler;
-        const exec = (...a) => {
-            start = Date.now();
-            elapsed = 0;
-            return h(...a);
-        };
-        const sandBoxhandle = ++sandbox.timeoutHandleCounter;
-        let start = Date.now();
-        let handle = setInterval(exec, timeout, ...args);
-        let elapsed = 0;
-        const haltsub = sandbox.subscribeHalt(() => {
-            elapsed = Date.now() - start + elapsed;
-            clearInterval(handle);
-        });
-        const contsub = sandbox.subscribeResume(() => {
-            start = Date.now();
-            handle = setTimeout(() => {
-                start = Date.now();
-                elapsed = 0;
-                handle = setInterval(exec, timeout, ...args);
-                exec(...args);
-            }, Math.floor((timeout || 0) - elapsed), ...args);
-            handlObj.handle = handle;
-        });
-        const handlObj = {
-            handle,
-            haltsub,
-            contsub,
-        };
-        sandbox.setIntervalHandles.set(sandBoxhandle, handlObj);
-        return sandBoxhandle;
-    }
-}