@jsreport/jsreport-core 3.11.4 → 4.0.0

package/lib/main/settings.js

@@ -47,40 +47,46 @@ Settings.prototype.addOrSet = async function (key, avalue, req) {
   }
 }
 
-Settings.prototype.init = async function (documentStore, authorization) {
+Settings.prototype.init = async function (documentStore, { authentication, authorization }) {
   this.documentStore = documentStore
 
-  if (authorization != null) {
+  if (authentication != null && authorization != null) {
     const col = documentStore.collection('settings')
 
     // settings can be read by anyone so we don't add find listeners,
     // we only care about modification listeners
-    col.beforeInsertListeners.add('settings', (doc, req) => {
+    col.beforeInsertListeners.add('settings', async (doc, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })
 
-    col.beforeUpdateListeners.add('settings', (q, u, options, req) => {
+    col.beforeUpdateListeners.add('settings', async (q, u, options, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })
 
-    col.beforeRemoveListeners.add('settings', (q, req) => {
+    col.beforeRemoveListeners.add('settings', async (q, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })

package/lib/worker/render/executeEngine.js

@@ -140,6 +140,10 @@ module.exports = (reporter) => {
     const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${normalizedHelpers}`
 
     const initFn = async (getTopLevelFunctions, compileScript) => {
+      if (reporter.options.trustUserCode === false) {
+        return null
+      }
+
       if (systemHelpersCache != null) {
         return systemHelpersCache
       }
@@ -259,12 +263,30 @@ module.exports = (reporter) => {
       templatesCache.reset()
     }
 
+    let helpersStr = normalizedHelpers
+    if (reporter.options.trustUserCode === false) {
+      const registerResults = await reporter.registerHelpersListeners.fire()
+      const systemHelpers = []
+
+      for (const result of registerResults) {
+        if (result == null) {
+          continue
+        }
+
+        if (typeof result === 'string') {
+          systemHelpers.push(result)
+        }
+      }
+      const systemHelpersStr = systemHelpers.join('\n')
+      helpersStr = normalizedHelpers + '\n' + systemHelpersStr
+    }
+
     try {
       return await reporter.runInSandbox({
         context: {
           ...(engine.createContext ? engine.createContext(req) : {})
         },
-        userCode: normalizedHelpers,
+        userCode: helpersStr,
         initFn,
         executionFn,
         currentPath: entityPath,

package/lib/worker/reporter.js

@@ -19,6 +19,7 @@ class WorkerReporter extends Reporter {
 
     this._executeMain = executeMain
     this._initialized = false
+    this._lockedDown = false
     this._documentStoreData = documentStore
     this._requestContextMetaConfigCollection = new Map()
     this._proxyRegistrationFns = []
@@ -80,6 +81,50 @@ class WorkerReporter extends Reporter {
 
     await this.initializeListeners.fire()
 
+    if (!this._lockedDown && this.options.trustUserCode === false) {
+      require('@jsreport/ses')
+
+      // eslint-disable-next-line
+      lockdown({
+        // don't change locale based methods which users may be using in their templates
+        localeTaming: 'unsafe',
+        errorTaming: 'unsafe',
+        stackFiltering: 'verbose',
+        /*
+            FROM SES DOCS
+            The 'severe' setting enables all the properties on at least Object.prototype, which is sometimes needed for compatibility with code generated by rollup or webpack.
+            However, this extra compatibility comes at the price of a miserable debugging experience.
+
+            We need this to make jsrender working, which overrides constructor.
+            In case we need to put back default, we will need to fork jsrender and change the following line
+            (Tag.prototype = compiledDef).constructor = compiledDef._ctr = Tag;
+            x
+            Tag.prototype = compiledDef
+            compiledDef._ctr = Tag
+            */
+        overrideTaming: 'severe'
+      })
+
+      // in this mode we alias the unsafe methods to safe ones
+      Buffer.allocUnsafe = function allocUnsafe (size) {
+        return Buffer.alloc(size)
+      }
+
+      Buffer.allocUnsafeSlow = function allocUnsafeSlow (size) {
+        return Buffer.alloc(size)
+      }
+
+      // we also harden Buffer because we expose it to sandbox
+      // eslint-disable-next-line
+      harden(Buffer)
+
+      // we need to expose Intl to sandbox
+      // eslint-disable-next-line
+      harden(Intl)
+
+      this._lockedDown = true
+    }
+
     this._initialized = true
   }