@hostwebhook/template-engine 1.1.1 → 1.3.0

package/dist/index.d.mts

@@ -55,6 +55,41 @@ interface CodeResult {
  */
 declare function renderTemplate(template: string, ctx: TemplateContext, opts?: TemplateOptions): TemplateResult | CodeResult;
 
+/**
+ * Resolve a single input value — literal string or {{expression}}.
+ *
+ * If the value is wrapped in `{{...}}`, it's evaluated as a template expression
+ * (supports paths, pipes, $() cross-node references, JS when allowJs).
+ * Otherwise, the value is returned as-is (literal).
+ *
+ * Preserves types: `{{payload.count}}` returns the original number, not a string.
+ *
+ * @example
+ * resolveInput("active", payload)                          // → "active"
+ * resolveInput("{{payload.status}}", payload)              // → "delivered"
+ * resolveInput("{{payload.amount}}", payload)              // → 1500 (number)
+ * resolveInput("{{payload.date | formatDate}}", payload)   // → "2024-06-15"
+ * resolveInput('{{$("Filter").count}}', payload, { allowJs: true, workspacePayloads }) // → 42
+ * resolveInput(undefined, payload)                         // → undefined
+ */
+declare function resolveInput(value: string | undefined | null, payload: unknown, opts?: Pick<TemplateOptions, 'allowJs' | 'workspacePayloads'>): unknown;
+/**
+ * Normalize a field path — strips `{{`, `}}`, and `payload.` prefix.
+ *
+ * Accepts any of these formats and returns the plain dot-notation path:
+ * - `"{{payload.customer.name}}"` → `"customer.name"`
+ * - `"payload.customer.name"` → `"customer.name"`
+ * - `"customer.name"` → `"customer.name"`
+ * - `"{{customer.name}}"` → `"customer.name"`
+ */
+declare function resolveFieldPath(field: string): string;
+
+/**
+ * Validate code/expression against blocked patterns.
+ * Throws if any dangerous pattern is detected.
+ */
+declare function validateCode(code: string): void;
+
 /**
  * Resolve a dot-notation path against a TemplateContext.
  * Supports bracket notation for array indexing: `payload.items[0].name`
@@ -87,4 +122,4 @@ declare function applyPipe(pipe: string, val: unknown, arg?: string, ctx?: Templ
  */
 declare function evaluate(expr: string, ctx: TemplateContext, opts?: TemplateOptions): string;
 
-export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolvePath, tryNullCoalesce, tryTernary, valueToString };
+export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, validateCode, valueToString };

package/dist/index.d.ts

@@ -55,6 +55,41 @@ interface CodeResult {
  */
 declare function renderTemplate(template: string, ctx: TemplateContext, opts?: TemplateOptions): TemplateResult | CodeResult;
 
+/**
+ * Resolve a single input value — literal string or {{expression}}.
+ *
+ * If the value is wrapped in `{{...}}`, it's evaluated as a template expression
+ * (supports paths, pipes, $() cross-node references, JS when allowJs).
+ * Otherwise, the value is returned as-is (literal).
+ *
+ * Preserves types: `{{payload.count}}` returns the original number, not a string.
+ *
+ * @example
+ * resolveInput("active", payload)                          // → "active"
+ * resolveInput("{{payload.status}}", payload)              // → "delivered"
+ * resolveInput("{{payload.amount}}", payload)              // → 1500 (number)
+ * resolveInput("{{payload.date | formatDate}}", payload)   // → "2024-06-15"
+ * resolveInput('{{$("Filter").count}}', payload, { allowJs: true, workspacePayloads }) // → 42
+ * resolveInput(undefined, payload)                         // → undefined
+ */
+declare function resolveInput(value: string | undefined | null, payload: unknown, opts?: Pick<TemplateOptions, 'allowJs' | 'workspacePayloads'>): unknown;
+/**
+ * Normalize a field path — strips `{{`, `}}`, and `payload.` prefix.
+ *
+ * Accepts any of these formats and returns the plain dot-notation path:
+ * - `"{{payload.customer.name}}"` → `"customer.name"`
+ * - `"payload.customer.name"` → `"customer.name"`
+ * - `"customer.name"` → `"customer.name"`
+ * - `"{{customer.name}}"` → `"customer.name"`
+ */
+declare function resolveFieldPath(field: string): string;
+
+/**
+ * Validate code/expression against blocked patterns.
+ * Throws if any dangerous pattern is detected.
+ */
+declare function validateCode(code: string): void;
+
 /**
  * Resolve a dot-notation path against a TemplateContext.
  * Supports bracket notation for array indexing: `payload.items[0].name`
@@ -87,4 +122,4 @@ declare function applyPipe(pipe: string, val: unknown, arg?: string, ctx?: Templ
  */
 declare function evaluate(expr: string, ctx: TemplateContext, opts?: TemplateOptions): string;
 
-export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolvePath, tryNullCoalesce, tryTernary, valueToString };
+export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, validateCode, valueToString };

package/dist/index.js

@@ -33,9 +33,12 @@ __export(index_exports, {
   applyPipe: () => applyPipe,
   evaluate: () => evaluate,
   renderTemplate: () => renderTemplate,
+  resolveFieldPath: () => resolveFieldPath,
+  resolveInput: () => resolveInput,
   resolvePath: () => resolvePath,
   tryNullCoalesce: () => tryNullCoalesce,
   tryTernary: () => tryTernary,
+  validateCode: () => validateCode,
   valueToString: () => valueToString
 });
 module.exports = __toCommonJS(index_exports);
@@ -88,6 +91,72 @@ function valueToString(val) {
 
 // src/sandbox.ts
 var vm = __toESM(require("vm"));
+var BLOCKED_PATTERNS = [
+  /\bconstructor\b/,
+  // this.constructor.constructor('return process')()
+  /\b__proto__\b/,
+  // prototype chain traversal
+  /\bprototype\b/,
+  // prototype manipulation
+  /\bprocess\b/,
+  // Node.js process object
+  /\brequire\s*\(/,
+  // CommonJS require
+  /\bimport\s*\(/,
+  // Dynamic import
+  /\bglobal\b/,
+  // global object
+  /\bglobalThis\b/,
+  // globalThis reference
+  /\beval\s*\(/,
+  // eval()
+  /\bFunction\s*\(/,
+  // new Function()
+  /\bProxy\s*\(/,
+  // Proxy constructor
+  /\bReflect\b/,
+  // Reflect API
+  /\bBuffer\b/,
+  // Node.js Buffer
+  /\bSharedArrayBuffer\b/,
+  // SharedArrayBuffer
+  /\bAtomics\b/,
+  // Atomics API
+  /\bWebAssembly\b/,
+  // WebAssembly
+  /\b__defineGetter__\b/,
+  // Legacy property definition
+  /\b__defineSetter__\b/,
+  // Legacy property definition
+  /\b__lookupGetter__\b/,
+  // Legacy property lookup
+  /\b__lookupSetter__\b/
+  // Legacy property lookup
+];
+function validateCode(code) {
+  for (const pattern of BLOCKED_PATTERNS) {
+    if (pattern.test(code)) {
+      throw new Error(`Blocked: unsafe pattern "${pattern.source}" detected`);
+    }
+  }
+}
+function deepFreeze(obj, seen = /* @__PURE__ */ new WeakSet()) {
+  if (obj === null || obj === void 0) return;
+  if (typeof obj !== "object" && typeof obj !== "function") return;
+  if (seen.has(obj)) return;
+  seen.add(obj);
+  try {
+    Object.freeze(obj);
+    for (const key of Object.getOwnPropertyNames(obj)) {
+      try {
+        const val = obj[key];
+        deepFreeze(val, seen);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
 function buildNodeLookup(workspacePayloads) {
   return (nodeName) => {
     if (!workspacePayloads) throw new Error("$() requires workspace context");
@@ -118,16 +187,23 @@ function buildSandbox(ctx, opts, logs) {
     }
     return String(v);
   };
+  let safePayload;
+  try {
+    safePayload = structuredClone(ctx.payload);
+  } catch {
+    safePayload = JSON.parse(JSON.stringify(ctx.payload ?? null));
+  }
   const sandbox = {
-    payload: ctx.payload,
+    payload: safePayload,
     $: buildNodeLookup(opts.workspacePayloads),
-    headers: ctx.headers,
-    meta: ctx.meta,
-    JSON,
+    headers: { ...ctx.headers ?? {} },
+    meta: { ...ctx.meta ?? {} },
+    // Safe builtins only — no process, require, import, eval, Function, Proxy, Reflect
+    JSON: { parse: JSON.parse, stringify: JSON.stringify },
     Math,
     Date,
-    Array,
-    Object,
+    Array: { isArray: Array.isArray, from: Array.from, of: Array.of },
+    Object: { keys: Object.keys, values: Object.values, entries: Object.entries, assign: Object.assign, freeze: Object.freeze },
     String,
     Number,
     Boolean,
@@ -139,7 +215,8 @@ function buildSandbox(ctx, opts, logs) {
     encodeURIComponent,
     decodeURIComponent,
     Map,
-    Set
+    Set,
+    undefined: void 0
   };
   if (opts.mode === "code" && logs) {
     sandbox.console = {
@@ -148,9 +225,21 @@ function buildSandbox(ctx, opts, logs) {
       error: (...args) => logs.push(`[error] ${args.map(stringify).join(" ")}`)
     };
   }
+  for (const key of Object.keys(sandbox)) {
+    const val = sandbox[key];
+    if (typeof val === "object" && val !== null && key !== "payload") {
+      deepFreeze(val);
+    }
+  }
   return vm.createContext(sandbox);
 }
 function evalJsExpression(expr, ctx, opts) {
+  try {
+    validateCode(expr);
+  } catch (err) {
+    console.error(`[template-engine] ${err instanceof Error ? err.message : err}: "${expr.slice(0, 80)}"`);
+    return void 0;
+  }
   const context = buildSandbox(ctx, { ...opts, mode: "text" });
   try {
     const script = new vm.Script(`(${expr})`, { filename: "template-expr.js" });
@@ -444,6 +533,12 @@ var vm2 = __toESM(require("vm"));
 function executeCodeTemplate(code, ctx, opts) {
   const logs = [];
   const timeout = opts.timeout ?? 5e3;
+  try {
+    validateCode(code);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { output: null, statusCode: 500, logs, error: message };
+  }
   let sandboxPayload = ctx.payload;
   if (opts.batchMode) {
     const meta = ctx.payload?._meta;
@@ -533,13 +628,36 @@ function renderTemplate(template, ctx, opts) {
       return resolveTextTemplate(template, ctx, opts);
   }
 }
+
+// src/resolve-input.ts
+function resolveInput(value, payload, opts) {
+  if (value == null || value === "") return value;
+  const str = String(value);
+  const match = str.match(/^\{\{([\s\S]+)\}\}$/);
+  if (!match) return value;
+  const expr = match[1].trim();
+  const ctx = { payload, headers: {}, meta: {} };
+  const resolved = resolvePath(expr, ctx);
+  if (resolved !== void 0) return resolved;
+  const evalOpts = opts ? { allowJs: opts.allowJs, workspacePayloads: opts.workspacePayloads } : void 0;
+  const result = evaluate(expr, ctx, evalOpts);
+  if (result !== "") return result;
+  return value;
+}
+function resolveFieldPath(field) {
+  if (!field) return "";
+  return field.replace(/^\{\{\s*/, "").replace(/\s*\}\}$/, "").replace(/^payload\./, "").trim();
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   applyPipe,
   evaluate,
   renderTemplate,
+  resolveFieldPath,
+  resolveInput,
   resolvePath,
   tryNullCoalesce,
   tryTernary,
+  validateCode,
   valueToString
 });

package/dist/index.mjs

@@ -46,6 +46,72 @@ function valueToString(val) {
 
 // src/sandbox.ts
 import * as vm from "vm";
+var BLOCKED_PATTERNS = [
+  /\bconstructor\b/,
+  // this.constructor.constructor('return process')()
+  /\b__proto__\b/,
+  // prototype chain traversal
+  /\bprototype\b/,
+  // prototype manipulation
+  /\bprocess\b/,
+  // Node.js process object
+  /\brequire\s*\(/,
+  // CommonJS require
+  /\bimport\s*\(/,
+  // Dynamic import
+  /\bglobal\b/,
+  // global object
+  /\bglobalThis\b/,
+  // globalThis reference
+  /\beval\s*\(/,
+  // eval()
+  /\bFunction\s*\(/,
+  // new Function()
+  /\bProxy\s*\(/,
+  // Proxy constructor
+  /\bReflect\b/,
+  // Reflect API
+  /\bBuffer\b/,
+  // Node.js Buffer
+  /\bSharedArrayBuffer\b/,
+  // SharedArrayBuffer
+  /\bAtomics\b/,
+  // Atomics API
+  /\bWebAssembly\b/,
+  // WebAssembly
+  /\b__defineGetter__\b/,
+  // Legacy property definition
+  /\b__defineSetter__\b/,
+  // Legacy property definition
+  /\b__lookupGetter__\b/,
+  // Legacy property lookup
+  /\b__lookupSetter__\b/
+  // Legacy property lookup
+];
+function validateCode(code) {
+  for (const pattern of BLOCKED_PATTERNS) {
+    if (pattern.test(code)) {
+      throw new Error(`Blocked: unsafe pattern "${pattern.source}" detected`);
+    }
+  }
+}
+function deepFreeze(obj, seen = /* @__PURE__ */ new WeakSet()) {
+  if (obj === null || obj === void 0) return;
+  if (typeof obj !== "object" && typeof obj !== "function") return;
+  if (seen.has(obj)) return;
+  seen.add(obj);
+  try {
+    Object.freeze(obj);
+    for (const key of Object.getOwnPropertyNames(obj)) {
+      try {
+        const val = obj[key];
+        deepFreeze(val, seen);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
 function buildNodeLookup(workspacePayloads) {
   return (nodeName) => {
     if (!workspacePayloads) throw new Error("$() requires workspace context");
@@ -76,16 +142,23 @@ function buildSandbox(ctx, opts, logs) {
     }
     return String(v);
   };
+  let safePayload;
+  try {
+    safePayload = structuredClone(ctx.payload);
+  } catch {
+    safePayload = JSON.parse(JSON.stringify(ctx.payload ?? null));
+  }
   const sandbox = {
-    payload: ctx.payload,
+    payload: safePayload,
     $: buildNodeLookup(opts.workspacePayloads),
-    headers: ctx.headers,
-    meta: ctx.meta,
-    JSON,
+    headers: { ...ctx.headers ?? {} },
+    meta: { ...ctx.meta ?? {} },
+    // Safe builtins only — no process, require, import, eval, Function, Proxy, Reflect
+    JSON: { parse: JSON.parse, stringify: JSON.stringify },
     Math,
     Date,
-    Array,
-    Object,
+    Array: { isArray: Array.isArray, from: Array.from, of: Array.of },
+    Object: { keys: Object.keys, values: Object.values, entries: Object.entries, assign: Object.assign, freeze: Object.freeze },
     String,
     Number,
     Boolean,
@@ -97,7 +170,8 @@ function buildSandbox(ctx, opts, logs) {
     encodeURIComponent,
     decodeURIComponent,
     Map,
-    Set
+    Set,
+    undefined: void 0
   };
   if (opts.mode === "code" && logs) {
     sandbox.console = {
@@ -106,9 +180,21 @@ function buildSandbox(ctx, opts, logs) {
       error: (...args) => logs.push(`[error] ${args.map(stringify).join(" ")}`)
     };
   }
+  for (const key of Object.keys(sandbox)) {
+    const val = sandbox[key];
+    if (typeof val === "object" && val !== null && key !== "payload") {
+      deepFreeze(val);
+    }
+  }
   return vm.createContext(sandbox);
 }
 function evalJsExpression(expr, ctx, opts) {
+  try {
+    validateCode(expr);
+  } catch (err) {
+    console.error(`[template-engine] ${err instanceof Error ? err.message : err}: "${expr.slice(0, 80)}"`);
+    return void 0;
+  }
   const context = buildSandbox(ctx, { ...opts, mode: "text" });
   try {
     const script = new vm.Script(`(${expr})`, { filename: "template-expr.js" });
@@ -402,6 +488,12 @@ import * as vm2 from "vm";
 function executeCodeTemplate(code, ctx, opts) {
   const logs = [];
   const timeout = opts.timeout ?? 5e3;
+  try {
+    validateCode(code);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { output: null, statusCode: 500, logs, error: message };
+  }
   let sandboxPayload = ctx.payload;
   if (opts.batchMode) {
     const meta = ctx.payload?._meta;
@@ -491,12 +583,35 @@ function renderTemplate(template, ctx, opts) {
       return resolveTextTemplate(template, ctx, opts);
   }
 }
+
+// src/resolve-input.ts
+function resolveInput(value, payload, opts) {
+  if (value == null || value === "") return value;
+  const str = String(value);
+  const match = str.match(/^\{\{([\s\S]+)\}\}$/);
+  if (!match) return value;
+  const expr = match[1].trim();
+  const ctx = { payload, headers: {}, meta: {} };
+  const resolved = resolvePath(expr, ctx);
+  if (resolved !== void 0) return resolved;
+  const evalOpts = opts ? { allowJs: opts.allowJs, workspacePayloads: opts.workspacePayloads } : void 0;
+  const result = evaluate(expr, ctx, evalOpts);
+  if (result !== "") return result;
+  return value;
+}
+function resolveFieldPath(field) {
+  if (!field) return "";
+  return field.replace(/^\{\{\s*/, "").replace(/\s*\}\}$/, "").replace(/^payload\./, "").trim();
+}
 export {
   applyPipe,
   evaluate,
   renderTemplate,
+  resolveFieldPath,
+  resolveInput,
   resolvePath,
   tryNullCoalesce,
   tryTernary,
+  validateCode,
   valueToString
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hostwebhook/template-engine",
-  "version": "1.1.1",
+  "version": "1.3.0",
   "description": "Template interpolation and sandboxed JS execution engine for HostWebhook",
   "main": "dist/index.js",
   "module": "dist/index.mjs",