@jsreport/jsreport-core 3.12.0 → 4.0.1

package/lib/main/settings.js

@@ -47,40 +47,46 @@ Settings.prototype.addOrSet = async function (key, avalue, req) {
   }
 }
 
-Settings.prototype.init = async function (documentStore, authorization) {
+Settings.prototype.init = async function (documentStore, { authentication, authorization }) {
   this.documentStore = documentStore
 
-  if (authorization != null) {
+  if (authentication != null && authorization != null) {
     const col = documentStore.collection('settings')
 
     // settings can be read by anyone so we don't add find listeners,
     // we only care about modification listeners
-    col.beforeInsertListeners.add('settings', (doc, req) => {
+    col.beforeInsertListeners.add('settings', async (doc, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })
 
-    col.beforeUpdateListeners.add('settings', (q, u, options, req) => {
+    col.beforeUpdateListeners.add('settings', async (q, u, options, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })
 
-    col.beforeRemoveListeners.add('settings', (q, req) => {
+    col.beforeRemoveListeners.add('settings', async (q, req) => {
       if (req && req.context && req.context.skipAuthorization) {
         return
       }
 
-      if (req && req.context && req.context.user && !req.context.user.isAdmin) {
+      const isAdmin = await authentication.isUserAdmin(req?.context?.user, req)
+
+      if (req && req.context && req.context.user && !isAdmin) {
         throw authorization.createAuthorizationError(col.name)
       }
     })

package/lib/main/store/memoryStoreProvider.js

@@ -1,99 +1,104 @@
-/*!
- * Copyright(c) 2018 Jan Blaha
- *
- * DocumentStore data layer provider using just memory.
- */
-
-const extend = require('node.extend.without.arrays')
-const { nanoid } = require('nanoid')
-const omit = require('lodash.omit')
-const mingo = require('@jsreport/mingo')
-const Transaction = require('./transaction')
-const Queue = require('./queue')
-
-module.exports = () => {
-  return {
-    load (model) {
-      this.model = model
-      this.transaction = Transaction({ queue: Queue() })
-
-      return this.transaction.operation(async (documents) => {
-        Object.keys(model.entitySets).forEach((e) => (documents[e] = []))
-      })
-    },
-
-    beginTransaction () {
-      return this.transaction.begin()
-    },
-
-    async commitTransaction (tran) {
-      await this.transaction.commit(tran)
-    },
-
-    async rollbackTransaction (tran) {
-      return this.transaction.rollback(tran)
-    },
-
-    find (entitySet, query, fields, opts = {}) {
-      const documents = this.transaction.getCurrentDocuments(opts)
-      const cursor = mingo.find(documents[entitySet], query, fields)
-
-      // the queue is not used here because reads are supposed to not block
-      cursor.toArray = () => cursor.all().map((e) => extend(true, {}, omit(e, '$$etag')))
-
-      return cursor
-    },
-
-    insert (entitySet, doc, opts = {}) {
-      return this.transaction.operation(opts, async (documents) => {
-        doc._id = doc._id || nanoid(16)
-        const newDoc = extend(true, {}, doc)
-        newDoc.$$etag = Date.now()
-        documents[entitySet].push(newDoc)
-        return doc
-      })
-    },
-
-    async update (entitySet, q, u, opts = {}) {
-      let count
-
-      const res = await this.transaction.operation(opts, async (documents) => {
-        const toUpdate = mingo.find(documents[entitySet], q).all()
-
-        count = toUpdate.length
-
-        // need to get of queue first before calling insert, otherwise we get a deathlock
-        if (toUpdate.length === 0 && opts.upsert) {
-          return 'insert'
-        }
-
-        for (const doc of toUpdate) {
-          Object.assign(doc, u.$set || {})
-          doc.$$etag = Date.now()
-        }
-      })
-
-      if (res === 'insert') {
-        await this.insert(entitySet, u.$set, opts)
-        return 1
-      }
-
-      return count
-    },
-
-    remove (entitySet, q, opts = {}) {
-      return this.transaction.operation(opts, async (documents) => {
-        const toRemove = mingo.find(documents[entitySet], q).all()
-        documents[entitySet] = documents[entitySet].filter(d => !toRemove.includes(d))
-      })
-    },
-
-    drop (opts = {}) {
-      return this.transaction.operation(opts, async (documents) => {
-        for (const [entitySetName] of Object.entries(documents)) {
-          documents[entitySetName] = []
-        }
-      })
-    }
-  }
-}
+/*!
+ * Copyright(c) 2018 Jan Blaha
+ *
+ * DocumentStore data layer provider using just memory.
+ */
+
+const extend = require('node.extend.without.arrays')
+const { nanoid } = require('nanoid')
+const omit = require('lodash.omit')
+const mingo = require('@jsreport/mingo')
+const Transaction = require('./transaction')
+const Queue = require('./queue')
+
+module.exports = () => {
+  return {
+    load (model) {
+      this.model = model
+      this.transaction = Transaction({ queue: Queue() })
+
+      return this.transaction.operation(async (documents) => {
+        Object.keys(model.entitySets).forEach((e) => (documents[e] = []))
+      })
+    },
+
+    beginTransaction () {
+      return this.transaction.begin()
+    },
+
+    async commitTransaction (tran) {
+      await this.transaction.commit(tran)
+    },
+
+    async rollbackTransaction (tran) {
+      return this.transaction.rollback(tran)
+    },
+
+    find (entitySet, query, fields, opts = {}) {
+      const documents = this.transaction.getCurrentDocuments(opts)
+      const cursor = mingo.find(documents[entitySet], query, fields)
+
+      // the queue is not used here because reads are supposed to not block
+      cursor.toArray = () => cursor.all().map((e) => extend(true, {}, omit(e, '$$etag')))
+
+      return cursor
+    },
+
+    insert (entitySet, doc, opts = {}) {
+      doc._id = doc._id || nanoid(16)
+      const clonnedDoc = extend(true, {}, doc)
+      clonnedDoc.$$etag = Date.now()
+
+      return this.transaction.operation(opts, async (documents) => {
+        documents[entitySet].push(clonnedDoc)
+        return doc
+      })
+    },
+
+    async update (entitySet, q, u, opts = {}) {
+      let count
+      const qClone = extend(true, {}, q)
+      const setClone = extend(true, {}, u.$set)
+
+      const res = await this.transaction.operation(opts, async (documents) => {
+        const toUpdate = mingo.find(documents[entitySet], qClone).all()
+
+        count = toUpdate.length
+
+        // need to get of queue first before calling insert, otherwise we get a deathlock
+        if (toUpdate.length === 0 && opts.upsert) {
+          return 'insert'
+        }
+
+        for (const doc of toUpdate) {
+          Object.assign(doc, setClone)
+          doc.$$etag = Date.now()
+        }
+      })
+
+      if (res === 'insert') {
+        await this.insert(entitySet, setClone, opts)
+        return 1
+      }
+
+      return count
+    },
+
+    remove (entitySet, q, opts = {}) {
+      const qClone = extend(true, {}, q)
+
+      return this.transaction.operation(opts, async (documents) => {
+        const toRemove = mingo.find(documents[entitySet], qClone).all()
+        documents[entitySet] = documents[entitySet].filter(d => !toRemove.includes(d))
+      })
+    },
+
+    drop (opts = {}) {
+      return this.transaction.operation(opts, async (documents) => {
+        for (const [entitySetName] of Object.entries(documents)) {
+          documents[entitySetName] = []
+        }
+      })
+    }
+  }
+}

package/lib/worker/render/executeEngine.js

@@ -140,6 +140,10 @@ module.exports = (reporter) => {
     const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${normalizedHelpers}`
 
     const initFn = async (getTopLevelFunctions, compileScript) => {
+      if (reporter.options.trustUserCode === false) {
+        return null
+      }
+
       if (systemHelpersCache != null) {
         return systemHelpersCache
       }
@@ -259,12 +263,30 @@ module.exports = (reporter) => {
       templatesCache.reset()
     }
 
+    let helpersStr = normalizedHelpers
+    if (reporter.options.trustUserCode === false) {
+      const registerResults = await reporter.registerHelpersListeners.fire()
+      const systemHelpers = []
+
+      for (const result of registerResults) {
+        if (result == null) {
+          continue
+        }
+
+        if (typeof result === 'string') {
+          systemHelpers.push(result)
+        }
+      }
+      const systemHelpersStr = systemHelpers.join('\n')
+      helpersStr = normalizedHelpers + '\n' + systemHelpersStr
+    }
+
     try {
       return await reporter.runInSandbox({
         context: {
           ...(engine.createContext ? engine.createContext(req) : {})
         },
-        userCode: normalizedHelpers,
+        userCode: helpersStr,
         initFn,
         executionFn,
         currentPath: entityPath,

package/lib/worker/reporter.js

@@ -19,6 +19,7 @@ class WorkerReporter extends Reporter {
 
     this._executeMain = executeMain
     this._initialized = false
+    this._lockedDown = false
     this._documentStoreData = documentStore
     this._requestContextMetaConfigCollection = new Map()
     this._proxyRegistrationFns = []
@@ -80,6 +81,50 @@ class WorkerReporter extends Reporter {
 
     await this.initializeListeners.fire()
 
+    if (!this._lockedDown && this.options.trustUserCode === false) {
+      require('@jsreport/ses')
+
+      // eslint-disable-next-line
+      lockdown({
+        // don't change locale based methods which users may be using in their templates
+        localeTaming: 'unsafe',
+        errorTaming: 'unsafe',
+        stackFiltering: 'verbose',
+        /*
+            FROM SES DOCS
+            The 'severe' setting enables all the properties on at least Object.prototype, which is sometimes needed for compatibility with code generated by rollup or webpack.
+            However, this extra compatibility comes at the price of a miserable debugging experience.
+
+            We need this to make jsrender working, which overrides constructor.
+            In case we need to put back default, we will need to fork jsrender and change the following line
+            (Tag.prototype = compiledDef).constructor = compiledDef._ctr = Tag;
+            x
+            Tag.prototype = compiledDef
+            compiledDef._ctr = Tag
+            */
+        overrideTaming: 'severe'
+      })
+
+      // in this mode we alias the unsafe methods to safe ones
+      Buffer.allocUnsafe = function allocUnsafe (size) {
+        return Buffer.alloc(size)
+      }
+
+      Buffer.allocUnsafeSlow = function allocUnsafeSlow (size) {
+        return Buffer.alloc(size)
+      }
+
+      // we also harden Buffer because we expose it to sandbox
+      // eslint-disable-next-line
+      harden(Buffer)
+
+      // we need to expose Intl to sandbox
+      // eslint-disable-next-line
+      harden(Intl)
+
+      this._lockedDown = true
+    }
+
     this._initialized = true
   }
 

package/lib/worker/sandbox/createSandbox.js

@@ -1,12 +1,11 @@
 const util = require('util')
-const { VM, VMScript } = require('vm2')
-const originalVM = require('vm')
+const vm = require('vm')
 const stackTrace = require('stack-trace')
 const { codeFrameColumns } = require('@babel/code-frame')
 const createPropertiesManager = require('./propertiesSandbox')
 const createSandboxRequire = require('./requireSandbox')
 
-module.exports = function createSandbox (_sandbox, options = {}) {
+module.exports = async function createSandbox (_sandbox, options = {}) {
   const {
     rootDirectory,
     onLog,
@@ -47,11 +46,35 @@ module.exports = function createSandbox (_sandbox, options = {}) {
 
   propsManager.applyPropertiesConfigTo(sandbox)
 
-  let safeVM
-  // with standard vm this variable is the same as context, with vm2 it is a proxy of context
-  // (which is not the real internal context)
+  const sourceFilesInfo = new Map()
+  // eslint-disable-next-line
+  let compartment
+
+  if (safeExecution) {
+    // eslint-disable-next-line
+    compartment = new Compartment()
+  }
+
   let vmSandbox
 
+  if (safeExecution) {
+    vmSandbox = compartment.globalThis
+
+    vmSandbox = Object.assign(vmSandbox, {
+      // SES does not expose the Buffer, Intl by default, we expose it because it is handy for users,
+      // it is exposed as it is, because we already harden() it on reporter init
+      Buffer,
+      Intl,
+      // we need to expose Date, and Math to allow Date.now(), Math.random()
+      // these objects are already hardened by lockdown()
+      Date,
+      Math
+    })
+  } else {
+    vmSandbox = vm.createContext(undefined)
+    vmSandbox.Buffer = Buffer
+  }
+
   const doSandboxRequire = createSandboxRequire(safeExecution, isolateModules, modulesCache, {
     rootDirectory,
     requirePaths,
@@ -63,43 +86,17 @@ module.exports = function createSandbox (_sandbox, options = {}) {
 
   Object.assign(sandbox, {
     console: _console,
-    require (m) { return doSandboxRequire(m, { context: vmSandbox }) }
-  })
-
-  if (safeExecution) {
-    safeVM = new VM()
-
-    // delete the vm.sandbox.global because it introduces json stringify issues
-    // and we don't need such global in context
-    delete safeVM.sandbox.global
-
-    for (const name in sandbox) {
-      safeVM.setGlobal(name, sandbox[name])
+    require: (m) => { return doSandboxRequire(m, { context: vmSandbox }) },
+    setTimeout: (...args) => {
+      return setTimeout(...args)
+    },
+    clearTimeout: (...args) => {
+      return clearTimeout(...args)
     }
+  })
 
-    // so far we don't have the need to have access to real vm context inside vm2,
-    // but if we need it, we should use the code bellow to get it.
-    // NOTE: if we need to upgrade vm2 we will need to check the source of this function
-    // in vm2 repo and see if we need to change this,
-    // we just execute this to get access to the internal context, so we can use it later
-    // with the our require function, in newer versions of vm2 we may need to change how to
-    // get access to it
-    // https://github.com/patriksimek/vm2/blob/3.9.17/lib/vm.js#L281
-    // safeVM._runScript({
-    //   runInContext: (_context) => {
-    //     vmContext = _context
-    //     return ''
-    //   }
-    // })
-
-    vmSandbox = safeVM.sandbox
-  } else {
-    vmSandbox = originalVM.createContext(undefined)
-    vmSandbox.Buffer = Buffer
-
-    for (const name in sandbox) {
-      vmSandbox[name] = sandbox[name]
-    }
+  for (const name in sandbox) {
+    vmSandbox[name] = sandbox[name]
   }
 
   // processing top level props here because getter/setter descriptors
@@ -112,8 +109,6 @@ module.exports = function createSandbox (_sandbox, options = {}) {
     vmSandbox[info.globalVariableName] = doSandboxRequire(info.module, { context: vmSandbox, useMap: false, allowAllModules: true })
   }
 
-  const sourceFilesInfo = new Map()
-
   return {
     sandbox: vmSandbox,
     console: _console,
@@ -128,29 +123,20 @@ module.exports = function createSandbox (_sandbox, options = {}) {
       return doSandboxRequire(modulePath, { context: vmSandbox, allowAllModules: true })
     },
     async run (codeOrScript, { filename, errorLineNumberOffset = 0, source, entity, entitySet } = {}) {
-      let runScript
-
       if (filename != null && source != null) {
         sourceFilesInfo.set(filename, { filename, source, entity, entitySet, errorLineNumberOffset })
       }
 
-      const script = typeof codeOrScript !== 'string' ? codeOrScript : doCompileScript(codeOrScript, filename, safeExecution)
-
-      if (safeExecution) {
-        runScript = async function runScript () {
-          return safeVM.run(script)
-        }
-      } else {
-        runScript = async function runScript () {
-          return script.runInContext(vmSandbox, {
-            displayErrors: true
-          })
+      try {
+        if (safeExecution) {
+          return await compartment.evaluate(codeOrScript + `\n//# sourceURL=${filename}`)
         }
-      }
 
-      try {
-        const result = await runScript()
-        return result
+        const script = typeof codeOrScript !== 'string' ? codeOrScript : doCompileScript(codeOrScript, filename, safeExecution)
+
+        return await script.runInContext(vmSandbox, {
+          displayErrors: true
+        })
       } catch (e) {
         decorateErrorMessage(e, sourceFilesInfo)
 
@@ -161,47 +147,19 @@ module.exports = function createSandbox (_sandbox, options = {}) {
 }
 
 function doCompileScript (code, filename, safeExecution) {
-  let script
-
   if (safeExecution) {
-    script = new VMScript(code, filename)
-
-    // NOTE: if we need to upgrade vm2 we will need to check the source of this function
-    // in vm2 repo and see if we need to change this,
-    // we needed to override this method because we want "displayErrors" to be true in order
-    // to show nice error when the compile of a script fails
-    // https://github.com/patriksimek/vm2/blob/3.9.17/lib/script.js#L329
-    script._compile = function (prefix, suffix) {
-      return new originalVM.Script(prefix + this.getCompiledCode() + suffix, {
-        __proto__: null,
-        filename: this.filename,
-        displayErrors: true,
-        lineOffset: this.lineOffset,
-        columnOffset: this.columnOffset,
-        // THIS FN WAS TAKEN FROM vm2 source, nothing special here
-        importModuleDynamically: () => {
-          // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
-          // eslint-disable-next-line no-throw-literal
-          throw 'Dynamic imports are not allowed.'
-        }
-      })
-    }
-
-    // do the compilation
-    script._compileVM()
-  } else {
-    script = new originalVM.Script(code, {
-      filename,
-      displayErrors: true,
-      importModuleDynamically: () => {
-        // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
-        // eslint-disable-next-line no-throw-literal
-        throw 'Dynamic imports are not allowed.'
-      }
-    })
+    return code
   }
 
-  return script
+  return new vm.Script(code, {
+    filename,
+    displayErrors: true,
+    importModuleDynamically: () => {
+      // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
+      // eslint-disable-next-line no-throw-literal
+      throw 'Dynamic imports are not allowed.'
+    }
+  })
 }
 
 function decorateErrorMessage (e, sourceFilesInfo) {

package/lib/worker/sandbox/isolatedRequire.js

@@ -6,8 +6,6 @@ const REQUIRE_RESOLVE_CACHE = new Map()
 const REQUIRE_SCRIPT_CACHE = new Map()
 const PACKAGE_JSON_CACHE = new Map()
 
-let ALL_BUILTIN_MODULES
-
 // The isolated require is a function that replicates the node.js require but that does not
 // cache the modules with the standard node.js cache, instead its uses its own cache in order
 // to bring isolated modules across renders and without memory leaks.
@@ -24,7 +22,7 @@ function isolatedRequire (_moduleId, requireFromRootDirectory, isolatedModulesMe
     throw createInvalidArgValueError('id', moduleId, 'must be a non-empty string')
   }
 
-  if (isBuiltinModule(moduleId)) {
+  if (Module.isBuiltin(moduleId)) {
     // built-in modules can not be require from other part than the node.js require
     // perhaps in the future it can be possible:
     // https://github.com/nodejs/node/issues/31852
@@ -174,24 +172,6 @@ function IsolatedModule (id = '', parent) {
   })
 }
 
-// NOTE: we can not use Module.isBuiltin because it is not available on node 16
-// we can upgrade our implementation to just use Module.isBuiltin when we drop support for node 16
-// https://github.com/nodejs/node/blob/v18.14.2/lib/internal/modules/cjs/loader.js#L252
-function isBuiltinModule (moduleId) {
-  // use the standard function when available
-  if (Module.isBuiltin) {
-    return Module.isBuiltin(moduleId)
-  }
-
-  // the only version in which this code would run is node 16 and early versions of node 18
-  // https://github.com/nodejs/node/blob/v18.14.2/lib/internal/modules/cjs/loader.js#L252
-  if (!ALL_BUILTIN_MODULES) {
-    ALL_BUILTIN_MODULES = new Set(Module.builtinModules.flatMap((bm) => [bm, `node:${bm}`]))
-  }
-
-  return ALL_BUILTIN_MODULES.has(moduleId)
-}
-
 // https://github.com/nodejs/node/blob/v18.14.2/lib/internal/modules/cjs/helpers.js#L65
 function makeRequireFunction (mod, requireFromRootDirectory, currentExtensions) {
   const requireFn = function require (path) {

package/lib/worker/sandbox/propertiesSandbox.js

@@ -1,7 +1,7 @@
 const extend = require('node.extend.without.arrays')
 const groupBy = require('lodash.groupby')
 const get = require('lodash.get')
-const set = require('lodash.set')
+const set = require('set-value')
 const hasOwn = require('has-own-deep')
 const unsetValue = require('unset-value')
 
@@ -420,7 +420,7 @@ function sortPropertiesByLevel (a, b) {
 }
 
 function omitProp (context, prop) {
-  // if property has value, then set it to undefined first,
+  // if property has value, then set it to some value first,
   // unsetValue expects that property has some non empty value to remove the property
   // so we set to "true" to ensure it works for all cases,
   // we use unsetValue instead of lodash.omit because