@jsreport/jsreport-core 3.4.1 → 3.4.2

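--- a/package/README.md
+++ b/package/README.md
@@ -36,7 +36,7 @@ const result = await jsreport.render({
 foo: "world"
 }
 })
-await fs.writeFile('out.pdf', resp.content)
+await fs.writeFile('out.pdf', result.content)
 ```
 
 ## Render
@@ -282,6 +282,10 @@ jsreport.documentStore.collection('templates')
 
 ## Changelog
 
+### 3.4.2
+
+- update dep `vm2` to fix security vulnerability in sandbox
+
 ### 3.4.1
 
 - fix passing data to async report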
@@ -28,7 +28,7 @@ module.exports = (reporter) => {
28
28
  context.__topLevelFunctions = {}
29
29
  context.__handleError = (err) => handleError(reporter, err)
30
30
 
31
- const { sourceFilesInfo, run, restore, contextifyValue, decontextifyValue, unproxyValue, sandbox, safeRequire } = safeSandbox(context, {
31
+ const { sourceFilesInfo, run, restore, sandbox, safeRequire } = safeSandbox(context, {
32
32
  onLog: (log) => {
33
33
  reporter.logger[log.level](log.message, { ...req, timestamp: log.timestamp })
34
34
  },
@@ -113,9 +113,6 @@ module.exports = (reporter) => {
113
113
  // we don't attach these methods to the sandbox, and instead share them through a "manager" object that should
114
114
  // be passed in options
115
115
  manager.restore = restore
116
- manager.contextifyValue = contextifyValue
117
- manager.decontextifyValue = decontextifyValue
118
- manager.unproxyValue = unproxyValue
119
116
 
120
117
  const functionNames = getTopLevelFunctions(userCode)
121
118
  const functionsCode = `return {${functionNames.map(h => `"${h}": ${h}`).join(',')}}`
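Review bot: The three `manager.*` assignments removed here (contextifyValue, decontextifyValue, unproxyValue) belong to the "manager" object that the surviving comment says is shared with callers through options, yet neither that comment nor the 3.4.2 changelog entry ("update dep `vm2` …") records the removal or what a caller that still reads `manager.unproxyValue` should do instead. If anything outside this file dereferences those members it now gets `undefined`, and a TypeError on call, rather than a clear message. I would extend the comment above `manager.restore = restore` with `// only restore is exposed now; contextifyValue/decontextifyValue/unproxyValue were removed together with the vm2 internals they wrapped` and mention the removal in the changelog. The enclosing module.exports arrow function starts before the hunk and continues past it.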
@@ -113,26 +113,12 @@ module.exports = (_sandbox, options = {}) => {
113
113
 
114
114
  const vm = new VM()
115
115
 
116
- // NOTE: we wrap the Contextify.object, Decontextify.object methods because those are the
117
- // methods that returns the proxies created by vm2 in the sandbox, we want to have a list of those
118
- // to later use them
119
- const wrapAndSaveProxyResult = (originalFn, thisArg) => {
120
- return (value, ...args) => {
121
- const result = originalFn.call(thisArg, value, ...args)
122
-
123
- if (result != null && result.isVMProxy === true) {
124
- proxiesInVM.set(result, value)
125
- }
126
-
127
- return result
128
- }
129
- }
130
-
131
- vm._internal.Contextify.object = wrapAndSaveProxyResult(vm._internal.Contextify.object, vm._internal.Contextify)
132
- vm._internal.Decontextify.object = wrapAndSaveProxyResult(vm._internal.Decontextify.object, vm._internal.Decontextify)
116
+ // delete the vm.sandbox.global because it introduces json stringify issues
117
+ // and we don't need such global in context
118
+ delete vm.sandbox.global
133
119
 
134
120
  for (const name in sandbox) {
135
- vm._internal.Contextify.setGlobal(name, sandbox[name])
121
+ vm.setGlobal(name, sandbox[name])
136
122
  }
137
123
 
138
124
  // processing top level props because getter/setter descriptors
@@ -141,27 +127,18 @@ module.exports = (_sandbox, options = {}) => {
141
127
  const currentConfig = propsConfig[key]
142
128
 
143
129
  if (currentConfig.root && currentConfig.root.sandboxReadOnly) {
144
- readOnlyProp(vm._context, key, [], customProxies, { onlyTopLevel: true })
130
+ readOnlyProp(vm.sandbox, key, [], customProxies, { onlyTopLevel: true })
145
131
  }
146
132
  })
147
133
 
148
134
  const sourceFilesInfo = new Map()
149
135
 
150
136
  return {
151
- sandbox: vm._context,
137
+ sandbox: vm.sandbox,
152
138
  console: _console,
153
139
  sourceFilesInfo,
154
- contextifyValue: (value) => {
155
- return vm._internal.Contextify.value(value)
156
- },
157
- decontextifyValue: (value) => {
158
- return vm._internal.Decontextify.value(value)
159
- },
160
140
  restore: () => {
161
- return restoreProperties(vm._context, originalValues, proxiesInVM, customProxies)
162
- },
163
- unproxyValue: (value) => {
164
- return getOriginalFromProxy(proxiesInVM, customProxies, value)
141
+ return restoreProperties(vm.sandbox, originalValues, proxiesInVM, customProxies)
165
142
  },
166
143
  safeRequire: (modulePath) => _require(modulePath, { context: _sandbox, allowAllModules: true }),
167
144
  run: async (code, { filename, errorLineNumberOffset = 0, source, entity, entitySet } = {}) => {
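Review bot: `restoreProperties(vm.sandbox, originalValues, proxiesInVM, customProxies)` still receives `proxiesInVM`, but the only code in the shown hunks that populated it (the `wrapAndSaveProxyResult` wrapper deleted in the earlier hunk of this file) is gone, so unless the map is filled somewhere outside these hunks it is now always empty and whatever restoreProperties did with proxy-to-original mappings silently no longer happens. `proxiesInVM` is declared outside the hunk, so I cannot confirm there is no other writer; if there is none, either drop the parameter or add a short comment such as `// proxiesInVM is no longer populated now that vm2 internals are not wrapped; restoreProperties must not depend on it`. `getOriginalFromProxy` is likewise no longer referenced in the shown hunks and may now be an unused import. The enclosing module.exports function starts before the hunk and continues past it.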
@@ -177,6 +154,7 @@ module.exports = (_sandbox, options = {}) => {
177
154
  // to show nice error when the compile of a script fails
178
155
  script._compile = function (prefix, suffix) {
179
156
  return new originalVM.Script(prefix + this.getCompiledCode() + suffix, {
157
+ __proto__: null,
180
158
  filename: this.filename,
181
159
  displayErrors: true,
182
160
  lineOffset: this.lineOffset,
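--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@jsreport/jsreport-core",
-"version": "3.4.1",
+"version": "3.4.2",
 "description": "javascript based business reporting",
 "keywords": [
 "report",
@@ -63,7 +63,7 @@
 "triple-beam": "1.3.0",
 "unset-value": "1.0.0",
 "uuid": "8.3.2",
-"vm2": "3.9.5",
+"vm2": "3.9.7",
 "winston": "3.3.3",
 "winston-transport": "4.4.0"
 },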