@jsreport/jsreport-core 3.11.3 → 3.12.0
- package/README.md +10 -0
- package/lib/main/optionsSchema.js +1 -0
- package/lib/main/reporter.js +4 -0
- package/lib/worker/sandbox/createSandbox.js +138 -641
- package/lib/worker/sandbox/isolatedRequire.js +462 -0
- package/lib/worker/sandbox/propertiesSandbox.js +521 -0
- package/lib/worker/sandbox/requireSandbox.js +117 -0
- package/lib/worker/sandbox/runInSandbox.js +257 -255
- package/package.json +5 -4
- package/test/extensions/validExtensions/listeners/worker.js +6 -0
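--- a/package/README.md
+++ b/package/README.md
@@ -282,6 +282,16 @@ jsreport.documentStore.collection('templates')
 
 ## Changelog
 
+### 3.12.0
+
+- update vm2 to fix security issues
+- render requests are now rotated across not busy workers but considering its last usage too
+- require in sandbox now uses a custom require implementation that takes care of isolate module resolving and that uses our own cache (different to built in require.cache) to avoid using a lot of memory when there are a lot of requests. if module isolation is not needed (because user can trust the templates) then it can be disabled by using `sandbox.isolateModules: false`
+
+### 3.11.4
+
+- update unset-value to fix security issue
+
 ### 3.11.3
 
 - update vm2 to fix security issue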
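--- a/package/lib/main/optionsSchema.js
+++ b/package/lib/main/optionsSchema.js
@@ -80,6 +80,7 @@ module.exports.getRootSchemaOptions = () => ({
 type: 'object',
 default: {},
 properties: {
+isolateModules: { type: 'boolean', default: true, description: 'option that control whether require/import of modules during rendering are isolated from other renders or not. when this is false the require/import of modules will behave like normal require, which means that module is evaluated only once and next require/import are resolved from a cache' },
 allowedModules: {
 anyOf: [{
 type: 'string',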
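--- a/package/lib/main/reporter.js
+++ b/package/lib/main/reporter.js
@@ -219,6 +219,10 @@ class MainReporter extends Reporter {
 this.logger.info('Code sandboxing is disabled, users can potentially penetrate the local system if you allow code from external users to be part of your reports')
 }
 
+if (!this.options.sandbox.isolateModules) {
+this.logger.info('Modules isolation is disabled, require of modules during rendering will be shared across all renders')
+}
+
 if (explicitOptions.trustUserCode == null && explicitOptions.allowLocalFilesAccess != null) {
 this.logger.warn('options.allowLocalFilesAccess is deprecated, use options.trustUserCode instead')
 }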