@hostwebhook/template-engine 1.2.0 → 1.3.0

package/dist/index.d.mts

@@ -84,6 +84,12 @@ declare function resolveInput(value: string | undefined | null, payload: unknown
  */
 declare function resolveFieldPath(field: string): string;
 
+/**
+ * Validate code/expression against blocked patterns.
+ * Throws if any dangerous pattern is detected.
+ */
+declare function validateCode(code: string): void;
+
 /**
  * Resolve a dot-notation path against a TemplateContext.
  * Supports bracket notation for array indexing: `payload.items[0].name`
@@ -116,4 +122,4 @@ declare function applyPipe(pipe: string, val: unknown, arg?: string, ctx?: Templ
  */
 declare function evaluate(expr: string, ctx: TemplateContext, opts?: TemplateOptions): string;
 
-export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, valueToString };
+export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, validateCode, valueToString };

package/dist/index.d.ts

@@ -84,6 +84,12 @@ declare function resolveInput(value: string | undefined | null, payload: unknown
  */
 declare function resolveFieldPath(field: string): string;
 
+/**
+ * Validate code/expression against blocked patterns.
+ * Throws if any dangerous pattern is detected.
+ */
+declare function validateCode(code: string): void;
+
 /**
  * Resolve a dot-notation path against a TemplateContext.
  * Supports bracket notation for array indexing: `payload.items[0].name`
@@ -116,4 +122,4 @@ declare function applyPipe(pipe: string, val: unknown, arg?: string, ctx?: Templ
  */
 declare function evaluate(expr: string, ctx: TemplateContext, opts?: TemplateOptions): string;
 
-export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, valueToString };
+export { type CodeResult, type TemplateContext, type TemplateMode, type TemplateOptions, type TemplateResult, applyPipe, evaluate, renderTemplate, resolveFieldPath, resolveInput, resolvePath, tryNullCoalesce, tryTernary, validateCode, valueToString };

package/dist/index.js

@@ -38,6 +38,7 @@ __export(index_exports, {
   resolvePath: () => resolvePath,
   tryNullCoalesce: () => tryNullCoalesce,
   tryTernary: () => tryTernary,
+  validateCode: () => validateCode,
   valueToString: () => valueToString
 });
 module.exports = __toCommonJS(index_exports);
@@ -90,6 +91,72 @@ function valueToString(val) {
 
 // src/sandbox.ts
 var vm = __toESM(require("vm"));
+var BLOCKED_PATTERNS = [
+  /\bconstructor\b/,
+  // this.constructor.constructor('return process')()
+  /\b__proto__\b/,
+  // prototype chain traversal
+  /\bprototype\b/,
+  // prototype manipulation
+  /\bprocess\b/,
+  // Node.js process object
+  /\brequire\s*\(/,
+  // CommonJS require
+  /\bimport\s*\(/,
+  // Dynamic import
+  /\bglobal\b/,
+  // global object
+  /\bglobalThis\b/,
+  // globalThis reference
+  /\beval\s*\(/,
+  // eval()
+  /\bFunction\s*\(/,
+  // new Function()
+  /\bProxy\s*\(/,
+  // Proxy constructor
+  /\bReflect\b/,
+  // Reflect API
+  /\bBuffer\b/,
+  // Node.js Buffer
+  /\bSharedArrayBuffer\b/,
+  // SharedArrayBuffer
+  /\bAtomics\b/,
+  // Atomics API
+  /\bWebAssembly\b/,
+  // WebAssembly
+  /\b__defineGetter__\b/,
+  // Legacy property definition
+  /\b__defineSetter__\b/,
+  // Legacy property definition
+  /\b__lookupGetter__\b/,
+  // Legacy property lookup
+  /\b__lookupSetter__\b/
+  // Legacy property lookup
+];
+function validateCode(code) {
+  for (const pattern of BLOCKED_PATTERNS) {
+    if (pattern.test(code)) {
+      throw new Error(`Blocked: unsafe pattern "${pattern.source}" detected`);
+    }
+  }
+}
+function deepFreeze(obj, seen = /* @__PURE__ */ new WeakSet()) {
+  if (obj === null || obj === void 0) return;
+  if (typeof obj !== "object" && typeof obj !== "function") return;
+  if (seen.has(obj)) return;
+  seen.add(obj);
+  try {
+    Object.freeze(obj);
+    for (const key of Object.getOwnPropertyNames(obj)) {
+      try {
+        const val = obj[key];
+        deepFreeze(val, seen);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
 function buildNodeLookup(workspacePayloads) {
   return (nodeName) => {
     if (!workspacePayloads) throw new Error("$() requires workspace context");
@@ -120,16 +187,23 @@ function buildSandbox(ctx, opts, logs) {
     }
     return String(v);
   };
+  let safePayload;
+  try {
+    safePayload = structuredClone(ctx.payload);
+  } catch {
+    safePayload = JSON.parse(JSON.stringify(ctx.payload ?? null));
+  }
   const sandbox = {
-    payload: ctx.payload,
+    payload: safePayload,
     $: buildNodeLookup(opts.workspacePayloads),
-    headers: ctx.headers,
-    meta: ctx.meta,
-    JSON,
+    headers: { ...ctx.headers ?? {} },
+    meta: { ...ctx.meta ?? {} },
+    // Safe builtins only — no process, require, import, eval, Function, Proxy, Reflect
+    JSON: { parse: JSON.parse, stringify: JSON.stringify },
     Math,
     Date,
-    Array,
-    Object,
+    Array: { isArray: Array.isArray, from: Array.from, of: Array.of },
+    Object: { keys: Object.keys, values: Object.values, entries: Object.entries, assign: Object.assign, freeze: Object.freeze },
     String,
     Number,
     Boolean,
@@ -141,7 +215,8 @@ function buildSandbox(ctx, opts, logs) {
     encodeURIComponent,
     decodeURIComponent,
     Map,
-    Set
+    Set,
+    undefined: void 0
   };
   if (opts.mode === "code" && logs) {
     sandbox.console = {
@@ -150,9 +225,21 @@ function buildSandbox(ctx, opts, logs) {
       error: (...args) => logs.push(`[error] ${args.map(stringify).join(" ")}`)
     };
   }
+  for (const key of Object.keys(sandbox)) {
+    const val = sandbox[key];
+    if (typeof val === "object" && val !== null && key !== "payload") {
+      deepFreeze(val);
+    }
+  }
   return vm.createContext(sandbox);
 }
 function evalJsExpression(expr, ctx, opts) {
+  try {
+    validateCode(expr);
+  } catch (err) {
+    console.error(`[template-engine] ${err instanceof Error ? err.message : err}: "${expr.slice(0, 80)}"`);
+    return void 0;
+  }
   const context = buildSandbox(ctx, { ...opts, mode: "text" });
   try {
     const script = new vm.Script(`(${expr})`, { filename: "template-expr.js" });
@@ -446,6 +533,12 @@ var vm2 = __toESM(require("vm"));
 function executeCodeTemplate(code, ctx, opts) {
   const logs = [];
   const timeout = opts.timeout ?? 5e3;
+  try {
+    validateCode(code);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { output: null, statusCode: 500, logs, error: message };
+  }
   let sandboxPayload = ctx.payload;
   if (opts.batchMode) {
     const meta = ctx.payload?._meta;
@@ -565,5 +658,6 @@ function resolveFieldPath(field) {
   resolvePath,
   tryNullCoalesce,
   tryTernary,
+  validateCode,
   valueToString
 });

package/dist/index.mjs

@@ -46,6 +46,72 @@ function valueToString(val) {
 
 // src/sandbox.ts
 import * as vm from "vm";
+var BLOCKED_PATTERNS = [
+  /\bconstructor\b/,
+  // this.constructor.constructor('return process')()
+  /\b__proto__\b/,
+  // prototype chain traversal
+  /\bprototype\b/,
+  // prototype manipulation
+  /\bprocess\b/,
+  // Node.js process object
+  /\brequire\s*\(/,
+  // CommonJS require
+  /\bimport\s*\(/,
+  // Dynamic import
+  /\bglobal\b/,
+  // global object
+  /\bglobalThis\b/,
+  // globalThis reference
+  /\beval\s*\(/,
+  // eval()
+  /\bFunction\s*\(/,
+  // new Function()
+  /\bProxy\s*\(/,
+  // Proxy constructor
+  /\bReflect\b/,
+  // Reflect API
+  /\bBuffer\b/,
+  // Node.js Buffer
+  /\bSharedArrayBuffer\b/,
+  // SharedArrayBuffer
+  /\bAtomics\b/,
+  // Atomics API
+  /\bWebAssembly\b/,
+  // WebAssembly
+  /\b__defineGetter__\b/,
+  // Legacy property definition
+  /\b__defineSetter__\b/,
+  // Legacy property definition
+  /\b__lookupGetter__\b/,
+  // Legacy property lookup
+  /\b__lookupSetter__\b/
+  // Legacy property lookup
+];
+function validateCode(code) {
+  for (const pattern of BLOCKED_PATTERNS) {
+    if (pattern.test(code)) {
+      throw new Error(`Blocked: unsafe pattern "${pattern.source}" detected`);
+    }
+  }
+}
+function deepFreeze(obj, seen = /* @__PURE__ */ new WeakSet()) {
+  if (obj === null || obj === void 0) return;
+  if (typeof obj !== "object" && typeof obj !== "function") return;
+  if (seen.has(obj)) return;
+  seen.add(obj);
+  try {
+    Object.freeze(obj);
+    for (const key of Object.getOwnPropertyNames(obj)) {
+      try {
+        const val = obj[key];
+        deepFreeze(val, seen);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
 function buildNodeLookup(workspacePayloads) {
   return (nodeName) => {
     if (!workspacePayloads) throw new Error("$() requires workspace context");
@@ -76,16 +142,23 @@ function buildSandbox(ctx, opts, logs) {
     }
     return String(v);
   };
+  let safePayload;
+  try {
+    safePayload = structuredClone(ctx.payload);
+  } catch {
+    safePayload = JSON.parse(JSON.stringify(ctx.payload ?? null));
+  }
   const sandbox = {
-    payload: ctx.payload,
+    payload: safePayload,
     $: buildNodeLookup(opts.workspacePayloads),
-    headers: ctx.headers,
-    meta: ctx.meta,
-    JSON,
+    headers: { ...ctx.headers ?? {} },
+    meta: { ...ctx.meta ?? {} },
+    // Safe builtins only — no process, require, import, eval, Function, Proxy, Reflect
+    JSON: { parse: JSON.parse, stringify: JSON.stringify },
     Math,
     Date,
-    Array,
-    Object,
+    Array: { isArray: Array.isArray, from: Array.from, of: Array.of },
+    Object: { keys: Object.keys, values: Object.values, entries: Object.entries, assign: Object.assign, freeze: Object.freeze },
     String,
     Number,
     Boolean,
@@ -97,7 +170,8 @@ function buildSandbox(ctx, opts, logs) {
     encodeURIComponent,
     decodeURIComponent,
     Map,
-    Set
+    Set,
+    undefined: void 0
   };
   if (opts.mode === "code" && logs) {
     sandbox.console = {
@@ -106,9 +180,21 @@ function buildSandbox(ctx, opts, logs) {
       error: (...args) => logs.push(`[error] ${args.map(stringify).join(" ")}`)
     };
   }
+  for (const key of Object.keys(sandbox)) {
+    const val = sandbox[key];
+    if (typeof val === "object" && val !== null && key !== "payload") {
+      deepFreeze(val);
+    }
+  }
   return vm.createContext(sandbox);
 }
 function evalJsExpression(expr, ctx, opts) {
+  try {
+    validateCode(expr);
+  } catch (err) {
+    console.error(`[template-engine] ${err instanceof Error ? err.message : err}: "${expr.slice(0, 80)}"`);
+    return void 0;
+  }
   const context = buildSandbox(ctx, { ...opts, mode: "text" });
   try {
     const script = new vm.Script(`(${expr})`, { filename: "template-expr.js" });
@@ -402,6 +488,12 @@ import * as vm2 from "vm";
 function executeCodeTemplate(code, ctx, opts) {
   const logs = [];
   const timeout = opts.timeout ?? 5e3;
+  try {
+    validateCode(code);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { output: null, statusCode: 500, logs, error: message };
+  }
   let sandboxPayload = ctx.payload;
   if (opts.batchMode) {
     const meta = ctx.payload?._meta;
@@ -520,5 +612,6 @@ export {
   resolvePath,
   tryNullCoalesce,
   tryTernary,
+  validateCode,
   valueToString
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hostwebhook/template-engine",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Template interpolation and sandboxed JS execution engine for HostWebhook",
   "main": "dist/index.js",
   "module": "dist/index.mjs",