@jsreport/jsreport-core 3.11.4 → 4.0.0

package/README.md

@@ -282,6 +282,18 @@ jsreport.documentStore.collection('templates')
 
 ## Changelog
 
+### 4.0.0
+
+- remove old migration options `migrateXlsxTemplatesToAssets`, `migrateResourcesToAssets`
+- sandbox now uses SES instead of vm2 for evaluating user code
+- internal changes to support multi admin users
+
+### 3.12.0
+
+- update vm2 to fix security issues
+- render requests are now rotated across not busy workers but considering its last usage too
+- require in sandbox now uses a custom require implementation that takes care of isolate module resolving and that uses our own cache (different to built in require.cache) to avoid using a lot of memory when there are a lot of requests. if module isolation is not needed (because user can trust the templates) then it can be disabled by using `sandbox.isolateModules: false`
+
 ### 3.11.4
 
 - update unset-value to fix security issue

package/lib/main/optionsSchema.js

@@ -1,270 +1,263 @@
-const { getDefaultTempDirectory, getDefaultLoadConfig } = require('./defaults')
-// we use deepmerge instead of node.extend here because it supports
-// concatenating arrays instead of replacing them, something necessary
-// to support extending some values in schemas like the "enum"
-const deepMerge = require('deepmerge')
-
-module.exports.getRootSchemaOptions = () => ({
-  type: 'object',
-  properties: {
-    rootDirectory: {
-      type: 'string',
-      description: 'specifies where is the application root and where jsreport searches for extensions'
-    },
-    appDirectory: {
-      type: 'string',
-      description: 'specifies directory of the script that was used to start node.js, this value is mostly metadata that is useful for your own code inside jsreport scripts'
-    },
-    tempDirectory: {
-      type: 'string',
-      default: getDefaultTempDirectory(),
-      description: 'specifies where jsreport stores temporary files used by the conversion pipeline'
-    },
-    loadConfig: {
-      type: 'boolean',
-      default: getDefaultLoadConfig(),
-      description: 'specifies if jsreport should load configuration values from external sources (cli args, env vars, configuration files) or not'
-    },
-    autoTempCleanup: {
-      type: 'boolean',
-      default: true,
-      description: 'specifies if after some interval jsreport should automatically clean up temporary files generated while rendering reports'
-    },
-    discover: {
-      type: 'boolean',
-      defaultNotInitialized: true,
-      description: 'specifies if jsreport should discover/search installed extensions in project and use them automatically'
-    },
-    useExtensionsLocationCache: {
-      type: 'boolean',
-      default: true,
-      description: 'whether if jsreport should read list of extensions from a previous generated cache or if it should crawl and try to search extensions again, set it to false when you want to always force crawling node_modules when searching for extensions while starting jsreport'
-    },
-    logger: {
-      type: 'object',
-      properties: {
-        silent: { type: 'boolean' }
-      }
-    },
-    reportTimeout: {
-      type: ['string', 'number'],
-      '$jsreport-acceptsDuration': true,
-      description: 'global single timeout that controls how much a report generation should wait before it times out',
-      default: 60000
-    },
-    reportTimeoutMargin: {
-      type: ['string', 'number'],
-      description: 'the time to wait before the worker thread is forcibly  killed after timeout',
-      '$jsreport-acceptsDuration': true,
-      default: '2s'
-    },
-    enableRequestReportTimeout: { type: 'boolean', default: false, description: 'option that enables passing a custom report timeout per request using req.options.timeout. this enables that the caller of the report generation control the report timeout so enable it only when you trust the caller' },
-    trustUserCode: { type: 'boolean', default: false, description: 'option that control whether code sandboxing is enabled or not, code sandboxing has an impact on performance when rendering large reports. when true code sandboxing will be disabled meaning that users can potentially penetrate the local system if you allow code from external users to be part of your reports' },
-    allowLocalFilesAccess: { type: 'boolean', default: false },
-    encryption: {
-      type: 'object',
-      default: {},
-      properties: {
-        secretKey: {
-          type: 'string',
-          minLength: 16,
-          maxLength: 16
-        },
-        enabled: {
-          type: 'boolean',
-          default: true
-        }
-      }
-    },
-    sandbox: {
-      type: 'object',
-      default: {},
-      properties: {
-        allowedModules: {
-          anyOf: [{
-            type: 'string',
-            '$jsreport-constantOrArray': ['*']
-          }, {
-            type: 'array',
-            items: { type: 'string' }
-          }]
-        },
-        cache: {
-          type: 'object',
-          default: {},
-          properties: {
-            max: { type: 'number', default: 100 },
-            enabled: { type: 'boolean', default: true }
-          }
-        }
-      }
-    },
-    workers: {
-      type: 'object',
-      default: {},
-      properties: {
-        numberOfWorkers: {
-          type: 'number',
-          default: 2,
-          description: 'Number of workers allocated. Every worker can process a single request in parallel. This means increasing numberOfWorkers will increase the parallelization.'
-        },
-        initTimeout: {
-          type: ['string', 'number'],
-          '$jsreport-acceptsDuration': true,
-          description: 'Timeout for initializing a worker thread. This should be increased only when running at very slow HW environment.',
-          default: '30s'
-        },
-        resourceLimits: {
-          type: 'object',
-          description: 'Limits for the individual workers. See https://nodejs.org/api/worker_threads.html#worker_threads_worker_resourcelimits',
-          properties: {
-            maxOldGenerationSizeMb: { type: 'number' },
-            maxYoungGenerationSizeMb: { type: 'number' },
-            codeRangeSizeMb: { type: 'number' },
-            stackSizeMb: { type: 'number' }
-          }
-        }
-      }
-    },
-    store: {
-      type: 'object',
-      properties: {
-        provider: { type: 'string', enum: ['memory'] },
-        transactions: {
-          type: 'object',
-          properties: {
-            enabled: { type: 'boolean', default: true }
-          }
-        }
-      }
-    },
-    blobStorage: {
-      type: 'object',
-      properties: {
-        provider: { type: 'string', enum: ['memory'] }
-      }
-    },
-    extensions: {
-      type: 'object',
-      properties: {}
-    },
-    extensionsList: {
-      anyOf: [
-        {
-          type: 'string',
-          '$jsreport-constantOrArray': []
-        },
-        {
-          type: 'array',
-          items: { type: 'string' }
-        }
-      ]
-    },
-    migrateXlsxTemplatesToAssets: {
-      type: 'boolean',
-      default: true
-    },
-    migrateResourcesToAssets: {
-      type: 'boolean',
-      default: true
-    },
-    profiler: {
-      type: 'object',
-      default: {},
-      properties: {
-        defaultMode: {
-          type: 'string',
-          default: 'standard'
-        },
-        fullModeDurationCheckInterval: {
-          type: ['string', 'number'],
-          '$jsreport-acceptsDuration': true,
-          default: '10m'
-        },
-        fullModeDuration: {
-          type: ['string', 'number'],
-          '$jsreport-acceptsDuration': true,
-          default: '4h'
-        },
-        maxProfilesHistory: {
-          type: 'number',
-          default: 1000
-        },
-        cleanupInterval: {
-          type: ['string', 'number'],
-          '$jsreport-acceptsDuration': true,
-          default: '1m'
-        },
-        maxUnallocatedProfileAge: {
-          type: ['string', 'number'],
-          '$jsreport-acceptsDuration': true,
-          default: '24h'
-        },
-        maxDiffSize: {
-          type: ['string', 'number'],
-          '$jsreport-acceptsSize': true,
-          default: '50mb'
-        }
-      }
-    }
-  }
-})
-
-module.exports.extendRootSchemaOptions = (rootSchema, schema) => {
-  const schemasToApply = Array.isArray(schema) ? schema : [schema]
-
-  rootSchema.properties = rootSchema.properties || {}
-
-  rootSchema.properties.extensions = rootSchema.properties.extensions || {
-    type: 'object',
-    properties: {}
-  }
-
-  schemasToApply.forEach((sch) => {
-    if (sch == null) {
-      return
-    }
-
-    if (sch.schema == null && sch.name != null) {
-      rootSchema.properties.extensions.properties[sch.name] = {
-        type: 'object',
-        properties: {
-          enabled: { type: 'boolean' }
-        }
-      }
-      return
-    } else if (sch.schema == null) {
-      return
-    }
-
-    Object.keys(sch.schema).forEach((key) => {
-      const current = sch.schema[key]
-
-      if (key === 'extensions') {
-        if (current == null) {
-          return
-        }
-
-        Object.keys(current).forEach(s => {
-          rootSchema.properties.extensions.properties[s] = deepMerge(rootSchema.properties.extensions.properties[s] || {}, current[s])
-
-          if (
-            rootSchema.properties.extensions.properties[s].properties &&
-            rootSchema.properties.extensions.properties[s].properties.enabled == null
-          ) {
-            rootSchema.properties.extensions.properties[s].properties.enabled = { type: 'boolean' }
-          }
-        })
-      } else if (current != null) {
-        rootSchema.properties[key] = deepMerge(rootSchema.properties[key] || {}, current)
-      }
-    })
-  })
-
-  return rootSchema
-}
-
-module.exports.ignoreInitialSchemaProperties = [
-  'properties.store.properties.provider',
-  'properties.blobStorage.properties.provider'
-]
+const { getDefaultTempDirectory, getDefaultLoadConfig } = require('./defaults')
+// we use deepmerge instead of node.extend here because it supports
+// concatenating arrays instead of replacing them, something necessary
+// to support extending some values in schemas like the "enum"
+const deepMerge = require('deepmerge')
+
+module.exports.getRootSchemaOptions = () => ({
+  type: 'object',
+  properties: {
+    rootDirectory: {
+      type: 'string',
+      description: 'specifies where is the application root and where jsreport searches for extensions'
+    },
+    appDirectory: {
+      type: 'string',
+      description: 'specifies directory of the script that was used to start node.js, this value is mostly metadata that is useful for your own code inside jsreport scripts'
+    },
+    tempDirectory: {
+      type: 'string',
+      default: getDefaultTempDirectory(),
+      description: 'specifies where jsreport stores temporary files used by the conversion pipeline'
+    },
+    loadConfig: {
+      type: 'boolean',
+      default: getDefaultLoadConfig(),
+      description: 'specifies if jsreport should load configuration values from external sources (cli args, env vars, configuration files) or not'
+    },
+    autoTempCleanup: {
+      type: 'boolean',
+      default: true,
+      description: 'specifies if after some interval jsreport should automatically clean up temporary files generated while rendering reports'
+    },
+    discover: {
+      type: 'boolean',
+      defaultNotInitialized: true,
+      description: 'specifies if jsreport should discover/search installed extensions in project and use them automatically'
+    },
+    useExtensionsLocationCache: {
+      type: 'boolean',
+      default: true,
+      description: 'whether if jsreport should read list of extensions from a previous generated cache or if it should crawl and try to search extensions again, set it to false when you want to always force crawling node_modules when searching for extensions while starting jsreport'
+    },
+    logger: {
+      type: 'object',
+      properties: {
+        silent: { type: 'boolean' }
+      }
+    },
+    reportTimeout: {
+      type: ['string', 'number'],
+      '$jsreport-acceptsDuration': true,
+      description: 'global single timeout that controls how much a report generation should wait before it times out',
+      default: 60000
+    },
+    reportTimeoutMargin: {
+      type: ['string', 'number'],
+      description: 'the time to wait before the worker thread is forcibly  killed after timeout',
+      '$jsreport-acceptsDuration': true,
+      default: '2s'
+    },
+    enableRequestReportTimeout: { type: 'boolean', default: false, description: 'option that enables passing a custom report timeout per request using req.options.timeout. this enables that the caller of the report generation control the report timeout so enable it only when you trust the caller' },
+    trustUserCode: { type: 'boolean', default: false, description: 'option that control whether code sandboxing is enabled or not, code sandboxing has an impact on performance when rendering large reports. when true code sandboxing will be disabled meaning that users can potentially penetrate the local system if you allow code from external users to be part of your reports' },
+    allowLocalFilesAccess: { type: 'boolean', default: false },
+    encryption: {
+      type: 'object',
+      default: {},
+      properties: {
+        secretKey: {
+          type: 'string',
+          minLength: 16,
+          maxLength: 16
+        },
+        enabled: {
+          type: 'boolean',
+          default: true
+        }
+      }
+    },
+    sandbox: {
+      type: 'object',
+      default: {},
+      properties: {
+        isolateModules: { type: 'boolean', default: true, description: 'option that control whether require/import of modules during rendering are isolated from other renders or not. when this is false the require/import of modules will behave like normal require, which means that module is evaluated only once and next require/import are resolved from a cache' },
+        allowedModules: {
+          anyOf: [{
+            type: 'string',
+            '$jsreport-constantOrArray': ['*']
+          }, {
+            type: 'array',
+            items: { type: 'string' }
+          }]
+        },
+        cache: {
+          type: 'object',
+          default: {},
+          properties: {
+            max: { type: 'number', default: 100 },
+            enabled: { type: 'boolean', default: true }
+          }
+        }
+      }
+    },
+    workers: {
+      type: 'object',
+      default: {},
+      properties: {
+        numberOfWorkers: {
+          type: 'number',
+          default: 2,
+          description: 'Number of workers allocated. Every worker can process a single request in parallel. This means increasing numberOfWorkers will increase the parallelization.'
+        },
+        initTimeout: {
+          type: ['string', 'number'],
+          '$jsreport-acceptsDuration': true,
+          description: 'Timeout for initializing a worker thread. This should be increased only when running at very slow HW environment.',
+          default: '30s'
+        },
+        resourceLimits: {
+          type: 'object',
+          description: 'Limits for the individual workers. See https://nodejs.org/api/worker_threads.html#worker_threads_worker_resourcelimits',
+          properties: {
+            maxOldGenerationSizeMb: { type: 'number' },
+            maxYoungGenerationSizeMb: { type: 'number' },
+            codeRangeSizeMb: { type: 'number' },
+            stackSizeMb: { type: 'number' }
+          }
+        }
+      }
+    },
+    store: {
+      type: 'object',
+      properties: {
+        provider: { type: 'string', enum: ['memory'] },
+        transactions: {
+          type: 'object',
+          properties: {
+            enabled: { type: 'boolean', default: true }
+          }
+        }
+      }
+    },
+    blobStorage: {
+      type: 'object',
+      properties: {
+        provider: { type: 'string', enum: ['memory'] }
+      }
+    },
+    extensions: {
+      type: 'object',
+      properties: {}
+    },
+    extensionsList: {
+      anyOf: [
+        {
+          type: 'string',
+          '$jsreport-constantOrArray': []
+        },
+        {
+          type: 'array',
+          items: { type: 'string' }
+        }
+      ]
+    },
+    profiler: {
+      type: 'object',
+      default: {},
+      properties: {
+        defaultMode: {
+          type: 'string',
+          default: 'standard'
+        },
+        fullModeDurationCheckInterval: {
+          type: ['string', 'number'],
+          '$jsreport-acceptsDuration': true,
+          default: '10m'
+        },
+        fullModeDuration: {
+          type: ['string', 'number'],
+          '$jsreport-acceptsDuration': true,
+          default: '4h'
+        },
+        maxProfilesHistory: {
+          type: 'number',
+          default: 1000
+        },
+        cleanupInterval: {
+          type: ['string', 'number'],
+          '$jsreport-acceptsDuration': true,
+          default: '1m'
+        },
+        maxUnallocatedProfileAge: {
+          type: ['string', 'number'],
+          '$jsreport-acceptsDuration': true,
+          default: '24h'
+        },
+        maxDiffSize: {
+          type: ['string', 'number'],
+          '$jsreport-acceptsSize': true,
+          default: '50mb'
+        }
+      }
+    }
+  }
+})
+
+module.exports.extendRootSchemaOptions = (rootSchema, schema) => {
+  const schemasToApply = Array.isArray(schema) ? schema : [schema]
+
+  rootSchema.properties = rootSchema.properties || {}
+
+  rootSchema.properties.extensions = rootSchema.properties.extensions || {
+    type: 'object',
+    properties: {}
+  }
+
+  schemasToApply.forEach((sch) => {
+    if (sch == null) {
+      return
+    }
+
+    if (sch.schema == null && sch.name != null) {
+      rootSchema.properties.extensions.properties[sch.name] = {
+        type: 'object',
+        properties: {
+          enabled: { type: 'boolean' }
+        }
+      }
+      return
+    } else if (sch.schema == null) {
+      return
+    }
+
+    Object.keys(sch.schema).forEach((key) => {
+      const current = sch.schema[key]
+
+      if (key === 'extensions') {
+        if (current == null) {
+          return
+        }
+
+        Object.keys(current).forEach(s => {
+          rootSchema.properties.extensions.properties[s] = deepMerge(rootSchema.properties.extensions.properties[s] || {}, current[s])
+
+          if (
+            rootSchema.properties.extensions.properties[s].properties &&
+            rootSchema.properties.extensions.properties[s].properties.enabled == null
+          ) {
+            rootSchema.properties.extensions.properties[s].properties.enabled = { type: 'boolean' }
+          }
+        })
+      } else if (current != null) {
+        rootSchema.properties[key] = deepMerge(rootSchema.properties[key] || {}, current)
+      }
+    })
+  })
+
+  return rootSchema
+}
+
+module.exports.ignoreInitialSchemaProperties = [
+  'properties.store.properties.provider',
+  'properties.blobStorage.properties.provider'
+]

package/lib/main/reporter.js

@@ -6,6 +6,7 @@
 const path = require('path')
 const { Readable } = require('stream')
 const Reaper = require('@jsreport/reap')
+const pkg = require('../../package.json')
 const optionsLoad = require('./optionsLoad')
 const { createLogger, configureLogger, silentLogs } = require('./logger')
 const checkEntityName = require('./validateEntityName')
@@ -28,8 +29,6 @@ const Reporter = require('../shared/reporter')
 const Request = require('./request')
 const generateRequestId = require('../shared/generateRequestId')
 const Profiler = require('./profiler')
-const migrateXlsxTemplatesToAssets = require('./migration/xlsxTemplatesToAssets')
-const migrateResourcesToAssets = require('./migration/resourcesToAssets')
 const semver = require('semver')
 let reportCounter = 0
 
@@ -37,8 +36,8 @@ class MainReporter extends Reporter {
   constructor (options, defaults) {
     super(options)
 
-    if (!semver.satisfies(process.versions.node, '>=16.11.0')) {
-      throw this.createError('jsreport needs at least node 16.11.0 to run.')
+    if (!semver.satisfies(process.versions.node, pkg.engines.node)) {
+      throw this.createError(`jsreport needs at least node ${pkg.engines.node} to run.`)
     }
 
     this.defaults = defaults || {}
@@ -172,14 +171,6 @@ class MainReporter extends Reporter {
 
     this._initializing = true
 
-    if (this.compilation) {
-      this.compilation.resource('vm2-events.js', require.resolve('vm2/lib/events.js'))
-      this.compilation.resource('vm2-resolver-compat.js', require.resolve('vm2/lib/resolver-compat.js'))
-      this.compilation.resource('vm2-resolver.js', require.resolve('vm2/lib/resolver.js'))
-      this.compilation.resource('vm2-setup-node-sandbox.js', require.resolve('vm2/lib/setup-node-sandbox.js'))
-      this.compilation.resource('vm2-setup-sandbox.js', require.resolve('vm2/lib/setup-sandbox.js'))
-    }
-
     try {
       this._registerLogMainAction()
 
@@ -219,6 +210,10 @@ class MainReporter extends Reporter {
         this.logger.info('Code sandboxing is disabled, users can potentially penetrate the local system if you allow code from external users to be part of your reports')
       }
 
+      if (!this.options.sandbox.isolateModules) {
+        this.logger.info('Modules isolation is disabled, require of modules during rendering will be shared across all renders')
+      }
+
       if (explicitOptions.trustUserCode == null && explicitOptions.allowLocalFilesAccess != null) {
         this.logger.warn('options.allowLocalFilesAccess is deprecated, use options.trustUserCode instead')
       }
@@ -233,7 +228,11 @@ class MainReporter extends Reporter {
 
       await this.documentStore.init()
       await this.blobStorage.init()
-      await this.settings.init(this.documentStore, this.authorization)
+
+      await this.settings.init(this.documentStore, {
+        authentication: this.authentication,
+        authorization: this.authorization
+      })
 
       const extensionsForWorkers = this.extensionsManager.extensions.filter(e => e.worker)
 
@@ -263,9 +262,6 @@ class MainReporter extends Reporter {
       setupValidateId(this)
       setupValidateShortid(this)
 
-      this.initializeListeners.insert(0, 'core-resources-migration', () => migrateResourcesToAssets(this))
-      this.initializeListeners.insert(0, 'core-xlsxTemplates-migration', () => migrateXlsxTemplatesToAssets(this))
-
       await this.initializeListeners.fire()
 
       this._workersManager = this._workersManagerFactory