@jsreport/jsreport-core 3.12.0 → 4.0.0

package/lib/main/settings.js

@@ -47,40 +47,46 @@ Settings.prototype.addOrSet = async function (key, avalue, req) {
   }
 }
 
-Settings.prototype.init = async function (documentStore, authorization) {
+Settings.prototype.init = async function (documentStore, { authentication, authorization }) {
   this.documentStore = documentStore
 
-  if (authorization != null) {
+  if (authentication != null && authorization != null) {
     const col = documentStore.collection('settings')
 
     // settings can be read by anyone so we don't add find listeners,
     // we only care about modification listeners
-    col.beforeInsertListeners.add('settings', (doc, req) => {
+    col.beforeInsertListeners.add('settings', async (doc, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })
 
-    col.beforeUpdateListeners.add('settings', (q, u, options, req) => {
+    col.beforeUpdateListeners.add('settings', async (q, u, options, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })
 
-    col.beforeRemoveListeners.add('settings', (q, req) => {
+    col.beforeRemoveListeners.add('settings', async (q, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })

package/lib/worker/render/executeEngine.js

@@ -140,6 +140,10 @@ module.exports = (reporter) => {
     const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${normalizedHelpers}`
 
     const initFn = async (getTopLevelFunctions, compileScript) => {
+      if (reporter.options.trustUserCode === false) {
+        return null
+      }
+
       if (systemHelpersCache != null) {
         return systemHelpersCache
       }
@@ -259,12 +263,30 @@ module.exports = (reporter) => {
       templatesCache.reset()
     }
 
+    let helpersStr = normalizedHelpers
+    if (reporter.options.trustUserCode === false) {
+      const registerResults = await reporter.registerHelpersListeners.fire()
+      const systemHelpers = []
+
+      for (const result of registerResults) {
+        if (result == null) {
+          continue
+        }
+
+        if (typeof result === 'string') {
+          systemHelpers.push(result)
+        }
+      }
+      const systemHelpersStr = systemHelpers.join('\n')
+      helpersStr = normalizedHelpers + '\n' + systemHelpersStr
+    }
+
     try {
       return await reporter.runInSandbox({
         context: {
           ...(engine.createContext ? engine.createContext(req) : {})
         },
-        userCode: normalizedHelpers,
+        userCode: helpersStr,
         initFn,
         executionFn,
         currentPath: entityPath,

package/lib/worker/reporter.js

@@ -19,6 +19,7 @@ class WorkerReporter extends Reporter {
 
     this._executeMain = executeMain
     this._initialized = false
+    this._lockedDown = false
     this._documentStoreData = documentStore
     this._requestContextMetaConfigCollection = new Map()
     this._proxyRegistrationFns = []
@@ -80,6 +81,50 @@ class WorkerReporter extends Reporter {
 
     await this.initializeListeners.fire()
 
+    if (!this._lockedDown && this.options.trustUserCode === false) {
+      require('@jsreport/ses')
+
+      // eslint-disable-next-line
+      lockdown({
+        // don't change locale based methods which users may be using in their templates
+        localeTaming: 'unsafe',
+        errorTaming: 'unsafe',
+        stackFiltering: 'verbose',
+        /*
+            FROM SES DOCS
+            The 'severe' setting enables all the properties on at least Object.prototype, which is sometimes needed for compatibility with code generated by rollup or webpack.
+            However, this extra compatibility comes at the price of a miserable debugging experience.
+
+            We need this to make jsrender working, which overrides constructor.
+            In case we need to put back default, we will need to fork jsrender and change the following line
+            (Tag.prototype = compiledDef).constructor = compiledDef._ctr = Tag;
+            x
+            Tag.prototype = compiledDef
+            compiledDef._ctr = Tag
+            */
+        overrideTaming: 'severe'
+      })
+
+      // in this mode we alias the unsafe methods to safe ones
+      Buffer.allocUnsafe = function allocUnsafe (size) {
+        return Buffer.alloc(size)
+      }
+
+      Buffer.allocUnsafeSlow = function allocUnsafeSlow (size) {
+        return Buffer.alloc(size)
+      }
+
+      // we also harden Buffer because we expose it to sandbox
+      // eslint-disable-next-line
+      harden(Buffer)
+
+      // we need to expose Intl to sandbox
+      // eslint-disable-next-line
+      harden(Intl)
+
+      this._lockedDown = true
+    }
+
     this._initialized = true
   }
 

package/lib/worker/sandbox/createSandbox.js

@@ -1,12 +1,11 @@
 const util = require('util')
-const { VM, VMScript } = require('vm2')
-const originalVM = require('vm')
+const vm = require('vm')
 const stackTrace = require('stack-trace')
 const { codeFrameColumns } = require('@babel/code-frame')
 const createPropertiesManager = require('./propertiesSandbox')
 const createSandboxRequire = require('./requireSandbox')
 
-module.exports = function createSandbox (_sandbox, options = {}) {
+module.exports = async function createSandbox (_sandbox, options = {}) {
   const {
     rootDirectory,
     onLog,
@@ -47,11 +46,35 @@ module.exports = function createSandbox (_sandbox, options = {}) {
 
   propsManager.applyPropertiesConfigTo(sandbox)
 
-  let safeVM
-  // with standard vm this variable is the same as context, with vm2 it is a proxy of context
-  // (which is not the real internal context)
+  const sourceFilesInfo = new Map()
+  // eslint-disable-next-line
+  let compartment
+
+  if (safeExecution) {
+    // eslint-disable-next-line
+    compartment = new Compartment()
+  }
+
   let vmSandbox
 
+  if (safeExecution) {
+    vmSandbox = compartment.globalThis
+
+    vmSandbox = Object.assign(vmSandbox, {
+      // SES does not expose the Buffer, Intl by default, we expose it because it is handy for users,
+      // it is exposed as it is, because we already harden() it on reporter init
+      Buffer,
+      Intl,
+      // we need to expose Date, and Math to allow Date.now(), Math.random()
+      // these objects are already hardened by lockdown()
+      Date,
+      Math
+    })
+  } else {
+    vmSandbox = vm.createContext(undefined)
+    vmSandbox.Buffer = Buffer
+  }
+
   const doSandboxRequire = createSandboxRequire(safeExecution, isolateModules, modulesCache, {
     rootDirectory,
     requirePaths,
@@ -63,43 +86,17 @@ module.exports = function createSandbox (_sandbox, options = {}) {
 
   Object.assign(sandbox, {
     console: _console,
-    require (m) { return doSandboxRequire(m, { context: vmSandbox }) }
-  })
-
-  if (safeExecution) {
-    safeVM = new VM()
-
-    // delete the vm.sandbox.global because it introduces json stringify issues
-    // and we don't need such global in context
-    delete safeVM.sandbox.global
-
-    for (const name in sandbox) {
-      safeVM.setGlobal(name, sandbox[name])
+    require: (m) => { return doSandboxRequire(m, { context: vmSandbox }) },
+    setTimeout: (...args) => {
+      return setTimeout(...args)
+    },
+    clearTimeout: (...args) => {
+      return clearTimeout(...args)
     }
+  })
 
-    // so far we don't have the need to have access to real vm context inside vm2,
-    // but if we need it, we should use the code bellow to get it.
-    // NOTE: if we need to upgrade vm2 we will need to check the source of this function
-    // in vm2 repo and see if we need to change this,
-    // we just execute this to get access to the internal context, so we can use it later
-    // with the our require function, in newer versions of vm2 we may need to change how to
-    // get access to it
-    // https://github.com/patriksimek/vm2/blob/3.9.17/lib/vm.js#L281
-    // safeVM._runScript({
-    //   runInContext: (_context) => {
-    //     vmContext = _context
-    //     return ''
-    //   }
-    // })
-
-    vmSandbox = safeVM.sandbox
-  } else {
-    vmSandbox = originalVM.createContext(undefined)
-    vmSandbox.Buffer = Buffer
-
-    for (const name in sandbox) {
-      vmSandbox[name] = sandbox[name]
-    }
+  for (const name in sandbox) {
+    vmSandbox[name] = sandbox[name]
   }
 
   // processing top level props here because getter/setter descriptors
@@ -112,8 +109,6 @@ module.exports = function createSandbox (_sandbox, options = {}) {
     vmSandbox[info.globalVariableName] = doSandboxRequire(info.module, { context: vmSandbox, useMap: false, allowAllModules: true })
   }
 
-  const sourceFilesInfo = new Map()
-
   return {
     sandbox: vmSandbox,
     console: _console,
@@ -128,29 +123,20 @@ module.exports = function createSandbox (_sandbox, options = {}) {
       return doSandboxRequire(modulePath, { context: vmSandbox, allowAllModules: true })
     },
     async run (codeOrScript, { filename, errorLineNumberOffset = 0, source, entity, entitySet } = {}) {
-      let runScript
-
       if (filename != null && source != null) {
         sourceFilesInfo.set(filename, { filename, source, entity, entitySet, errorLineNumberOffset })
       }
 
-      const script = typeof codeOrScript !== 'string' ? codeOrScript : doCompileScript(codeOrScript, filename, safeExecution)
-
-      if (safeExecution) {
-        runScript = async function runScript () {
-          return safeVM.run(script)
-        }
-      } else {
-        runScript = async function runScript () {
-          return script.runInContext(vmSandbox, {
-            displayErrors: true
-          })
+      try {
+        if (safeExecution) {
+          return await compartment.evaluate(codeOrScript + `\n//# sourceURL=${filename}`)
         }
-      }
 
-      try {
-        const result = await runScript()
-        return result
+        const script = typeof codeOrScript !== 'string' ? codeOrScript : doCompileScript(codeOrScript, filename, safeExecution)
+
+        return await script.runInContext(vmSandbox, {
+          displayErrors: true
+        })
       } catch (e) {
         decorateErrorMessage(e, sourceFilesInfo)
 
@@ -161,47 +147,19 @@ module.exports = function createSandbox (_sandbox, options = {}) {
 }
 
 function doCompileScript (code, filename, safeExecution) {
-  let script
-
   if (safeExecution) {
-    script = new VMScript(code, filename)
-
-    // NOTE: if we need to upgrade vm2 we will need to check the source of this function
-    // in vm2 repo and see if we need to change this,
-    // we needed to override this method because we want "displayErrors" to be true in order
-    // to show nice error when the compile of a script fails
-    // https://github.com/patriksimek/vm2/blob/3.9.17/lib/script.js#L329
-    script._compile = function (prefix, suffix) {
-      return new originalVM.Script(prefix + this.getCompiledCode() + suffix, {
-        __proto__: null,
-        filename: this.filename,
-        displayErrors: true,
-        lineOffset: this.lineOffset,
-        columnOffset: this.columnOffset,
-        // THIS FN WAS TAKEN FROM vm2 source, nothing special here
-        importModuleDynamically: () => {
-          // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
-          // eslint-disable-next-line no-throw-literal
-          throw 'Dynamic imports are not allowed.'
-        }
-      })
-    }
-
-    // do the compilation
-    script._compileVM()
-  } else {
-    script = new originalVM.Script(code, {
-      filename,
-      displayErrors: true,
-      importModuleDynamically: () => {
-        // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
-        // eslint-disable-next-line no-throw-literal
-        throw 'Dynamic imports are not allowed.'
-      }
-    })
+    return code
   }
 
-  return script
+  return new vm.Script(code, {
+    filename,
+    displayErrors: true,
+    importModuleDynamically: () => {
+      // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
+      // eslint-disable-next-line no-throw-literal
+      throw 'Dynamic imports are not allowed.'
+    }
+  })
 }
 
 function decorateErrorMessage (e, sourceFilesInfo) {

package/lib/worker/sandbox/isolatedRequire.js

@@ -6,8 +6,6 @@ const REQUIRE_RESOLVE_CACHE = new Map()
 const REQUIRE_SCRIPT_CACHE = new Map()
 const PACKAGE_JSON_CACHE = new Map()
 
-let ALL_BUILTIN_MODULES
-
 // The isolated require is a function that replicates the node.js require but that does not
 // cache the modules with the standard node.js cache, instead its uses its own cache in order
 // to bring isolated modules across renders and without memory leaks.
@@ -24,7 +22,7 @@ function isolatedRequire (_moduleId, requireFromRootDirectory, isolatedModulesMe
     throw createInvalidArgValueError('id', moduleId, 'must be a non-empty string')
   }
 
-  if (isBuiltinModule(moduleId)) {
+  if (Module.isBuiltin(moduleId)) {
     // built-in modules can not be require from other part than the node.js require
     // perhaps in the future it can be possible:
     // https://github.com/nodejs/node/issues/31852
@@ -174,24 +172,6 @@ function IsolatedModule (id = '', parent) {
   })
 }
 
-// NOTE: we can not use Module.isBuiltin because it is not available on node 16
-// we can upgrade our implementation to just use Module.isBuiltin when we drop support for node 16
-// https://github.com/nodejs/node/blob/v18.14.2/lib/internal/modules/cjs/loader.js#L252
-function isBuiltinModule (moduleId) {
-  // use the standard function when available
-  if (Module.isBuiltin) {
-    return Module.isBuiltin(moduleId)
-  }
-
-  // the only version in which this code would run is node 16 and early versions of node 18
-  // https://github.com/nodejs/node/blob/v18.14.2/lib/internal/modules/cjs/loader.js#L252
-  if (!ALL_BUILTIN_MODULES) {
-    ALL_BUILTIN_MODULES = new Set(Module.builtinModules.flatMap((bm) => [bm, `node:${bm}`]))
-  }
-
-  return ALL_BUILTIN_MODULES.has(moduleId)
-}
-
 // https://github.com/nodejs/node/blob/v18.14.2/lib/internal/modules/cjs/helpers.js#L65
 function makeRequireFunction (mod, requireFromRootDirectory, currentExtensions) {
   const requireFn = function require (path) {

package/lib/worker/sandbox/runInSandbox.js

@@ -21,7 +21,7 @@ module.exports = function createRunInSandbox (reporter) {
   }, req) {
     let jsreportProxy = null
 
-    // we use dynamic name because of the potential nested vm2 execution in the jsreportProxy.assets.require
+    // we use dynamic name because of the potential nested vm execution in the jsreportProxy.assets.require
     // it may turn out it is a bad approach in assets so we gonna delete it here
     const executionFnName = `${nanoid()}_executionFn`
 
@@ -29,11 +29,10 @@ module.exports = function createRunInSandbox (reporter) {
     context.__appDirectory = reporter.options.appDirectory
     context.__rootDirectory = reporter.options.rootDirectory
     context.__parentModuleDirectory = reporter.options.parentModuleDirectory
-    context.setTimeout = setTimeout
     context.__topLevelFunctions = {}
     context.__handleError = (err) => handleError(reporter, err)
 
-    const { sourceFilesInfo, run, compileScript, restore, sandbox, sandboxRequire } = createSandbox(context, {
+    const { sourceFilesInfo, run, compileScript, restore, sandbox, sandboxRequire } = await createSandbox(context, {
       rootDirectory: reporter.options.rootDirectory,
       onLog: (log) => {
         // we mark any log done in sandbox as userLevel: true, this allows us to detect which logs belongs to user
@@ -159,9 +158,23 @@ module.exports = function createRunInSandbox (reporter) {
     }
 
     const functionNames = getTopLevelFunctions(functionsCache, userCode)
-    const functionsCode = `return {${functionNames.map(h => `"${h}": ${h}`).join(',')}}`
-    const executionCode = `;(async () => { ${userCode} \n\n;${functionsCode} })()
-        .then((topLevelFunctions) => {
+
+    // it is better we remove our internal functions so we avoid user having the chance
+    // to call them, as long as we force the execution to be truly async (with the await 1)
+    // then it is safe to delete __handleError from context, when the execution is truly
+    // async then it means the __handleError was already passed to catch handler,
+    // therefore safe to delete
+    const contextNormalizeCode = [
+      'await 1;',
+      `const ${executionFnName}_expose = ${executionFnName};`,
+      'delete this.__handleError;',
+      `delete this['${executionFnName}'];`
+    ].join('')
+
+    const functionsCode = `return {topLevelFunctions: {${functionNames.map(h => `"${h}": ${h}`).join(',')}}, fnToExecute: ${executionFnName}_expose}`
+
+    const executionCode = `;(async () => { ${contextNormalizeCode}${userCode} \n\n;${functionsCode} })()
+        .then(({ topLevelFunctions, fnToExecute }) => {
           const mergedTopLevelFunctions = { ...topLevelFunctions, ...__topLevelFunctions }
 
           // expose top level functions to the sandbox context
@@ -170,7 +183,7 @@ module.exports = function createRunInSandbox (reporter) {
             this[topLevelFnName] = topLevelFn
           }
 
-          return ${executionFnName}({
+          return fnToExecute({
               topLevelFunctions: mergedTopLevelFunctions,
               require,
               console,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsreport/jsreport-core",
-  "version": "3.12.0",
+  "version": "4.0.0",
   "description": "javascript based business reporting",
   "keywords": [
     "report",
@@ -40,9 +40,11 @@
     "@babel/parser": "7.14.4",
     "@babel/traverse": "7.12.9",
     "@colors/colors": "1.5.0",
-    "@jsreport/advanced-workers": "1.3.0",
+    "@jsreport/advanced-workers": "2.0.0",
     "@jsreport/mingo": "2.4.1",
     "@jsreport/reap": "0.1.0",
+    "@jsreport/serializator": "1.0.0",
+    "@jsreport/ses": "1.0.0",
     "ajv": "6.12.6",
     "app-root-path": "3.0.0",
     "bytes": "3.1.2",
@@ -65,13 +67,11 @@
     "nanoid": "3.2.0",
     "nconf": "0.12.0",
     "node.extend.without.arrays": "1.1.6",
-    "semver": "7.3.5",
-    "serializator": "1.0.2",
+    "semver": "7.5.4",
     "stack-trace": "0.0.10",
     "triple-beam": "1.3.0",
     "unset-value": "2.0.1",
     "uuid": "8.3.2",
-    "vm2": "3.9.19",
     "winston": "3.8.1",
     "winston-transport": "4.5.0",
     "yieldable-json": "2.0.1"
@@ -85,7 +85,7 @@
     "winston-loggly-bulk": "3.2.1"
   },
   "engines": {
-    "node": ">=16.11"
+    "node": ">=18.15"
   },
   "standard": {
     "env": {

package/test/extensions/validExtensions/listeners/main.js

@@ -1,51 +1,62 @@
-
-module.exports = (reporter, definition) => {
-  reporter.tests = reporter.tests || {}
-  reporter.tests.beforeRenderListeners = reporter.createListenerCollection()
-  reporter.tests.afterRenderListeners = reporter.createListenerCollection()
-  reporter.tests.validateRenderListeners = reporter.createListenerCollection()
-  reporter.tests.afterTemplatingEnginesExecutedListeners = reporter.createListenerCollection()
-
-  reporter.registerMainAction('test-beforeRender-listeners', async (data, req) => {
-    data.req = reporter.Request(data.req)
-    await reporter.tests.beforeRenderListeners.fire(data.req, data.res)
-    return { req: data.req, res: data.res }
-  })
-  reporter.registerMainAction('test-afterRender-listeners', async (data, req) => {
-    data.req = reporter.Request(data.req)
-    await reporter.tests.afterRenderListeners.fire(data.req, data.res)
-    return { req: data.req, res: data.res }
-  })
-  reporter.registerMainAction('test-validateRender-listeners', async (data, req) => {
-    data.req = reporter.Request(data.req)
-    await reporter.tests.validateRenderListeners.fire(data.req, data.res)
-    return { req: data.req, res: data.res }
-  })
-  reporter.registerMainAction('test-afterTemplatingEnginesExecuted-listeners', async (data, req) => {
-    data.req = reporter.Request(data.req)
-    await reporter.tests.afterTemplatingEnginesExecutedListeners.fire(data.req, data.res)
-    return { req: data.req, res: data.res }
-  })
-
-  let beforeRenderEval
-  reporter.tests.beforeRenderEval = (fn) => {
-    beforeRenderEval = fn
-  }
-  reporter.registerMainAction('test-beforeRenderEval', async (data, req) => {
-    if (beforeRenderEval == null) {
-      return
-    }
-    return beforeRenderEval.toString()
-  })
-
-  let afterRenderEval
-  reporter.tests.afterRenderEval = (fn) => {
-    afterRenderEval = fn
-  }
-  reporter.registerMainAction('test-afterRenderEval', async (data, req) => {
-    if (afterRenderEval == null) {
-      return
-    }
-    return afterRenderEval.toString()
-  })
-}
+
+module.exports = (reporter, definition) => {
+  reporter.tests = reporter.tests || {}
+  reporter.tests.beforeRenderListeners = reporter.createListenerCollection()
+  reporter.tests.afterRenderListeners = reporter.createListenerCollection()
+  reporter.tests.validateRenderListeners = reporter.createListenerCollection()
+  reporter.tests.afterTemplatingEnginesExecutedListeners = reporter.createListenerCollection()
+
+  reporter.registerMainAction('test-beforeRender-listeners', async (data, req) => {
+    data.req = reporter.Request(data.req)
+    await reporter.tests.beforeRenderListeners.fire(data.req, data.res)
+    return { req: data.req, res: data.res }
+  })
+  reporter.registerMainAction('test-afterRender-listeners', async (data, req) => {
+    data.req = reporter.Request(data.req)
+    await reporter.tests.afterRenderListeners.fire(data.req, data.res)
+    return { req: data.req, res: data.res }
+  })
+  reporter.registerMainAction('test-validateRender-listeners', async (data, req) => {
+    data.req = reporter.Request(data.req)
+    await reporter.tests.validateRenderListeners.fire(data.req, data.res)
+    return { req: data.req, res: data.res }
+  })
+  reporter.registerMainAction('test-afterTemplatingEnginesExecuted-listeners', async (data, req) => {
+    data.req = reporter.Request(data.req)
+    await reporter.tests.afterTemplatingEnginesExecutedListeners.fire(data.req, data.res)
+    return { req: data.req, res: data.res }
+  })
+
+  let beforeRenderEval
+  reporter.tests.beforeRenderEval = (fn) => {
+    beforeRenderEval = fn
+  }
+  reporter.registerMainAction('test-beforeRenderEval', async (data, req) => {
+    if (beforeRenderEval == null) {
+      return
+    }
+    return beforeRenderEval.toString()
+  })
+
+  let afterRenderEval
+  reporter.tests.afterRenderEval = (fn) => {
+    afterRenderEval = fn
+  }
+  reporter.registerMainAction('test-afterRenderEval', async (data, req) => {
+    if (afterRenderEval == null) {
+      return
+    }
+    return afterRenderEval.toString()
+  })
+
+  let afterTemplatingEnginesExecutedEval
+  reporter.tests.afterTemplatingEnginesExecutedEval = (fn) => {
+    afterTemplatingEnginesExecutedEval = fn
+  }
+  reporter.registerMainAction('test-afterTemplatingEnginesExecutedEval', async (data, req) => {
+    if (afterTemplatingEnginesExecutedEval == null) {
+      return
+    }
+    return afterTemplatingEnginesExecutedEval.toString()
+  })
+}