@jsreport/jsreport-core 3.5.0 → 3.6.0

package/lib/main/logger.js

@@ -166,6 +166,9 @@ function configureLogger (logger, _transports) {
   }
 
   for (const { TransportClass, options } of transportsToAdd) {
+    if (options.silent) {
+      continue
+    }
     const transportInstance = new TransportClass(options)
 
     const existingTransport = logger.transports.find((t) => t.name === transportInstance.name)

package/lib/main/optionsLoad.js

@@ -39,6 +39,7 @@ async function optionsLoad ({
     loadConfigResult = await loadConfig(defaults, options, false)
   }
 
+  const explicitOptions = loadConfigResult[0]
   const appliedConfigFile = loadConfigResult[1]
 
   options.loadConfig = shouldLoadExternalConfig
@@ -79,9 +80,16 @@ async function optionsLoad ({
   options.store = options.store || { provider: 'memory' }
 
   options.sandbox = options.sandbox || {}
-  if (options.allowLocalFilesAccess === true) {
+
+  // NOTE: handling back-compatible introduction of "trustUserCode" option, "allowLocalFilesAccess" is deprecated
+  if (explicitOptions.allowLocalFilesAccess === true && explicitOptions.trustUserCode == null) {
+    options.trustUserCode = true
+  }
+
+  if (options.trustUserCode === true) {
     options.sandbox.allowedModules = '*'
   }
+
   options.sandbox.nativeModules = options.sandbox.nativeModules || []
   options.sandbox.modules = options.sandbox.modules || []
   options.sandbox.allowedModules = options.sandbox.allowedModules || []
@@ -98,7 +106,7 @@ async function optionsLoad ({
     fs.mkdirSync(options.tempCoreDirectory, { recursive: true })
   }
 
-  return appliedConfigFile
+  return [explicitOptions, appliedConfigFile]
 }
 
 /**

package/lib/main/optionsSchema.js

@@ -59,6 +59,7 @@ module.exports.getRootSchemaOptions = () => ({
       default: '2s'
     },
     enableRequestReportTimeout: { type: 'boolean', default: false, description: 'option that enables passing a custom report timeout per request using req.options.timeout. this enables that the caller of the report generation control the report timeout so enable it only when you trust the caller' },
+    trustUserCode: { type: 'boolean', default: false, description: 'option that control whether code sandboxing is enabled or not, code sandboxing has an impact on performance when rendering large reports. when true code sandboxing will be disabled meaning that users can potentially penetrate the local system if you allow code from external users to be part of your reports' },
     allowLocalFilesAccess: { type: 'boolean', default: false },
     encryption: {
       type: 'object',
@@ -77,6 +78,7 @@ module.exports.getRootSchemaOptions = () => ({
     },
     sandbox: {
       type: 'object',
+      default: {},
       properties: {
         allowedModules: {
           anyOf: [{
@@ -89,9 +91,10 @@ module.exports.getRootSchemaOptions = () => ({
         },
         cache: {
           type: 'object',
+          default: {},
           properties: {
-            max: { type: 'number' },
-            enabled: { type: 'boolean' }
+            max: { type: 'number', default: 100 },
+            enabled: { type: 'boolean', default: true }
           }
         }
       }
@@ -182,7 +185,7 @@ module.exports.getRootSchemaOptions = () => ({
           '$jsreport-acceptsDuration': true,
           default: '1m'
         },
-        maxResponseSize: {
+        maxDiffSize: {
           type: ['string', 'number'],
           '$jsreport-acceptsSize': true,
           default: '50mb'

package/lib/main/reporter.js

@@ -5,7 +5,7 @@
  */
 const path = require('path')
 const { Readable } = require('stream')
-const Reaper = require('reap2')
+const Reaper = require('@jsreport/reap')
 const optionsLoad = require('./optionsLoad')
 const { createLogger, configureLogger, silentLogs } = require('./logger')
 const checkEntityName = require('./validateEntityName')
@@ -90,8 +90,8 @@ class MainReporter extends Reporter {
     return this
   }
 
-  async extensionsLoad (opts) {
-    const appliedConfigFile = await optionsLoad({
+  async extensionsLoad (_opts = {}) {
+    const [explicitOptions, appliedConfigFile] = await optionsLoad({
       defaults: this.defaults,
       options: this.options,
       validator: this.optionsValidator,
@@ -106,6 +106,8 @@ class MainReporter extends Reporter {
       silentLogs(this.logger)
     }
 
+    const { onConfigDetails, ...opts } = _opts
+
     this.logger.info(`Initializing jsreport (version: ${this.version}, configuration file: ${appliedConfigFile || 'none'}, nodejs: ${process.versions.node})`)
 
     await this.extensionsManager.load(opts)
@@ -130,6 +132,10 @@ class MainReporter extends Reporter {
       throw new Error(`options contain values that does not match the defined full root schema. ${rootOptionsValidation.fullErrorMessage}`)
     }
 
+    if (typeof onConfigDetails === 'function') {
+      onConfigDetails(explicitOptions)
+    }
+
     return this
   }
 
@@ -157,6 +163,7 @@ class MainReporter extends Reporter {
    */
   async init () {
     this.closing = this.closed = false
+
     if (this._initialized || this._initializing) {
       throw new Error('jsreport already initialized or just initializing. Make sure init is called only once')
     }
@@ -175,7 +182,14 @@ class MainReporter extends Reporter {
 
     try {
       this._registerLogMainAction()
-      await this.extensionsLoad()
+
+      let explicitOptions
+
+      await this.extensionsLoad({
+        onConfigDetails: (_explicitOptions) => {
+          explicitOptions = _explicitOptions
+        }
+      })
 
       this.documentStore = DocumentStore(Object.assign({}, this.options, { logger: this.logger }), this.entityTypeValidator, this.encryption)
       documentStoreActions(this)
@@ -200,6 +214,14 @@ class MainReporter extends Reporter {
 
       await this.extensionsManager.init()
 
+      if (this.options.trustUserCode) {
+        this.logger.info('Code sandboxing is disabled, users can potentially penetrate the local system if you allow code from external users to be part of your reports')
+      }
+
+      if (explicitOptions.trustUserCode == null && explicitOptions.allowLocalFilesAccess != null) {
+        this.logger.warn('options.allowLocalFilesAccess is deprecated, use options.trustUserCode instead')
+      }
+
       this.logger.info(`Using general timeout for rendering (reportTimeout: ${this.options.reportTimeout})`)
 
       if (this.options.store.provider === 'memory') {

package/lib/worker/render/executeEngine.js

@@ -9,9 +9,10 @@ const LRU = require('lru-cache')
 const { nanoid } = require('nanoid')
 
 module.exports = (reporter) => {
-  const cache = LRU(reporter.options.sandbox.cache || { max: 100 })
+  const templatesCache = LRU(reporter.options.sandbox.cache)
+  let systemHelpersCache
 
-  reporter.templatingEngines = { cache }
+  reporter.templatingEngines = { cache: templatesCache }
 
   const executionFnParsedParamsMap = new Map()
   const executionAsyncResultsMap = new Map()
@@ -60,6 +61,33 @@ module.exports = (reporter) => {
       evaluate: async (executionInfo, entityInfo) => {
         return templatingEnginesEvaluate(false, executionInfo, entityInfo, req)
       },
+      waitForAsyncHelper: async (maybeAsyncContent) => {
+        if (
+          context.__executionId == null ||
+          !executionAsyncResultsMap.has(context.__executionId) ||
+          typeof maybeAsyncContent !== 'string'
+        ) {
+          return maybeAsyncContent
+        }
+
+        const asyncResultMap = executionAsyncResultsMap.get(context.__executionId)
+        const asyncHelperResultRegExp = /{#asyncHelperResult ([^{}]+)}/
+        let content = maybeAsyncContent
+        let matchResult
+
+        do {
+          if (matchResult != null) {
+            const matchedPart = matchResult[0]
+            const asyncResultId = matchResult[1]
+            const result = await asyncResultMap.get(asyncResultId)
+            content = `${content.slice(0, matchResult.index)}${result}${content.slice(matchResult.index + matchedPart.length)}`
+          }
+
+          matchResult = content.match(asyncHelperResultRegExp)
+        } while (matchResult != null)
+
+        return content
+      },
       waitForAsyncHelpers: async () => {
         if (context.__executionId != null && executionAsyncResultsMap.has(context.__executionId)) {
           const asyncResultMap = executionAsyncResultsMap.get(context.__executionId)
@@ -102,22 +130,49 @@ module.exports = (reporter) => {
       entityPath = await reporter.folders.resolveEntityPath(entity, entitySet, req)
     }
 
-    const registerResults = await reporter.registerHelpersListeners.fire(req)
-    const systemHelpers = []
+    const normalizedHelpers = `${helpers || ''}`
+    const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${normalizedHelpers}`
 
-    for (const result of registerResults) {
-      if (result == null) {
-        continue
+    const initFn = async (getTopLevelFunctions, compileScript) => {
+      if (systemHelpersCache != null) {
+        return systemHelpersCache
       }
 
-      if (typeof result === 'string') {
-        systemHelpers.push(result)
+      const registerResults = await reporter.registerHelpersListeners.fire()
+      const systemHelpers = []
+
+      for (const result of registerResults) {
+        if (result == null) {
+          continue
+        }
+
+        if (typeof result === 'string') {
+          systemHelpers.push(result)
+        }
       }
-    }
 
-    const systemHelpersStr = systemHelpers.join('\n')
-    const joinedHelpers = systemHelpersStr + '\n' + (helpers || '')
-    const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${joinedHelpers}`
+      const systemHelpersStr = systemHelpers.join('\n')
+
+      const functionNames = getTopLevelFunctions(systemHelpersStr)
+
+      const exposeSystemHelpersCode = `for (const fName of ${JSON.stringify(functionNames)}) { this[fName] = __topLevelFunctions[fName] }`
+
+      // we sync the __topLevelFunctions with system helpers and expose it immediately to the global context
+      const userCode = `(async () => { ${systemHelpersStr};
+      __topLevelFunctions = {...__topLevelFunctions, ${functionNames.map(h => `"${h}": ${h}`).join(',')}}; ${exposeSystemHelpersCode}
+      })()`
+
+      const filename = 'system-helpers.js'
+      const script = compileScript(userCode, filename)
+
+      systemHelpersCache = {
+        filename,
+        source: systemHelpersStr,
+        script
+      }
+
+      return systemHelpersCache
+    }
 
     const executionFn = async ({ require, console, topLevelFunctions, context }) => {
       const asyncResultMap = new Map()
@@ -129,17 +184,16 @@ module.exports = (reporter) => {
 
       const key = `template:${content}:${engine.name}`
 
-      if (!cache.has(key)) {
+      if (!templatesCache.has(key)) {
         try {
-          cache.set(key, engine.compile(content, { require }))
+          templatesCache.set(key, engine.compile(content, { require }))
         } catch (e) {
           e.property = 'content'
           throw e
         }
       }
 
-      const compiledTemplate = cache.get(key)
-
+      const compiledTemplate = templatesCache.get(key)
       const wrappedTopLevelFunctions = {}
 
       for (const h of Object.keys(topLevelFunctions)) {
@@ -147,7 +201,9 @@ module.exports = (reporter) => {
       }
 
       let contentResult = await engine.execute(compiledTemplate, wrappedTopLevelFunctions, data, { require })
+
       const resolvedResultsMap = new Map()
+
       while (asyncResultMap.size > 0) {
         await Promise.all([...asyncResultMap.keys()].map(async (k) => {
           resolvedResultsMap.set(k, `${await asyncResultMap.get(k)}`)
@@ -178,14 +234,16 @@ module.exports = (reporter) => {
       return executionFn({ require, console, topLevelFunctions, context })
     } else {
       const awaiter = {}
+
       awaiter.promise = new Promise((resolve) => {
         awaiter.resolve = resolve
       })
+
       executionFnParsedParamsMap.get(req.context.id).set(executionFnParsedParamsKey, awaiter)
     }
 
     if (reporter.options.sandbox.cache && reporter.options.sandbox.cache.enabled === false) {
-      cache.reset()
+      templatesCache.reset()
     }
 
     try {
@@ -193,10 +251,10 @@ module.exports = (reporter) => {
         context: {
           ...(engine.createContext ? engine.createContext() : {})
         },
-        userCode: joinedHelpers,
+        userCode: normalizedHelpers,
+        initFn,
         executionFn,
         currentPath: entityPath,
-        errorLineNumberOffset: systemHelpersStr.split('\n').length,
         onRequire: (moduleName, { context }) => {
           if (engine.onRequire) {
             return engine.onRequire(moduleName, { context })

package/lib/worker/render/moduleHelper.js

@@ -4,7 +4,7 @@ const path = require('path')
 module.exports = (reporter) => {
   let helpersScript
 
-  reporter.registerHelpersListeners.add('core-helpers', (req) => {
+  reporter.registerHelpersListeners.add('core-helpers', () => {
     return helpersScript
   })
 
@@ -12,11 +12,11 @@ module.exports = (reporter) => {
     helpersScript = await fs.readFile(path.join(__dirname, '../../static/helpers.js'), 'utf8')
   })
 
-  reporter.extendProxy((proxy, req, { safeRequire }) => {
+  reporter.extendProxy((proxy, req, { sandboxRequire }) => {
     proxy.module = async (module) => {
-      if (!reporter.options.allowLocalFilesAccess && reporter.options.sandbox.allowedModules !== '*') {
+      if (!reporter.options.trustUserCode && reporter.options.sandbox.allowedModules !== '*') {
         if (reporter.options.sandbox.allowedModules.indexOf(module) === -1) {
-          throw reporter.createError(`require of module ${module} was rejected. Either set allowLocalFilesAccess=true or sandbox.allowLocalModules='*' or sandbox.allowLocalModules=['${module}'] `, { status: 400 })
+          throw reporter.createError(`require of module ${module} was rejected. Either set trustUserCode=true or sandbox.allowLocalModules='*' or sandbox.allowLocalModules=['${module}'] `, { status: 400 })
         }
       }
 

package/lib/worker/render/profiler.js

@@ -72,7 +72,7 @@ class Profiler {
       let content = res.content
 
       if (content != null) {
-        if (content.length > this.reporter.options.profiler.maxResponseSize) {
+        if (content.length > this.reporter.options.profiler.maxDiffSize) {
           content = {
             tooLarge: true
           }
@@ -97,7 +97,12 @@ class Profiler {
 
       const stringifiedReq = JSON.stringify({ template: req.template, data: req.data }, null, 2)
 
-      m.req = { diff: createPatch('req', req.context.profiling.reqLastVal || '', stringifiedReq, 0) }
+      m.req = { }
+      if (stringifiedReq.length * 4 > this.reporter.options.profiler.maxDiffSize) {
+        m.req.tooLarge = true
+      } else {
+        m.req.diff = createPatch('req', req.context.profiling.reqLastVal || '', stringifiedReq, 0)
+      }
 
       req.context.profiling.resLastVal = (res.content == null || isbinaryfile(res.content) || content.tooLarge) ? null : res.content.toString()
       req.context.profiling.resMetaLastVal = stringifiedResMeta

package/lib/worker/reporter.js

@@ -111,14 +111,14 @@ class WorkerReporter extends Reporter {
     this._proxyRegistrationFns.push(registrationFn)
   }
 
-  createProxy ({ req, runInSandbox, context, getTopLevelFunctions, safeRequire }) {
+  createProxy ({ req, runInSandbox, context, getTopLevelFunctions, sandboxRequire }) {
     const proxyInstance = {}
     for (const fn of this._proxyRegistrationFns) {
       fn(proxyInstance, req, {
         runInSandbox,
         context,
         getTopLevelFunctions,
-        safeRequire
+        sandboxRequire
       })
     }
     return proxyInstance
@@ -137,10 +137,11 @@ class WorkerReporter extends Reporter {
     manager,
     context,
     userCode,
+    initFn,
     executionFn,
+    currentPath,
     onRequire,
     propertiesConfig,
-    currentPath,
     errorLineNumberOffset
   }, req) {
     // we flush before running code in sandbox because it can potentially
@@ -152,10 +153,11 @@ class WorkerReporter extends Reporter {
       manager,
       context,
       userCode,
+      initFn,
       executionFn,
+      currentPath,
       onRequire,
       propertiesConfig,
-      currentPath,
       errorLineNumberOffset
     }, req)
   }

package/lib/worker/sandbox/{safeSandbox.js → createSandbox.js}

@@ -19,6 +19,7 @@ module.exports = (_sandbox, options = {}) => {
     propertiesConfig = {},
     globalModules = [],
     allowedModules = [],
+    safeExecution,
     requireMap
   } = options
 
@@ -65,7 +66,7 @@ module.exports = (_sandbox, options = {}) => {
       }
     }
 
-    if (allowAllModules || allowedModules === '*') {
+    if (!safeExecution || allowAllModules || allowedModules === '*') {
       return doRequire(moduleName, requirePaths, modulesCache)
     }
 
@@ -111,14 +112,28 @@ module.exports = (_sandbox, options = {}) => {
     require: (m) => _require(m, { context: _sandbox })
   })
 
-  const vm = new VM()
+  let safeVM
+  let vmSandbox
 
-  // delete the vm.sandbox.global because it introduces json stringify issues
-  // and we don't need such global in context
-  delete vm.sandbox.global
+  if (safeExecution) {
+    safeVM = new VM()
 
-  for (const name in sandbox) {
-    vm.setGlobal(name, sandbox[name])
+    // delete the vm.sandbox.global because it introduces json stringify issues
+    // and we don't need such global in context
+    delete safeVM.sandbox.global
+
+    for (const name in sandbox) {
+      safeVM.setGlobal(name, sandbox[name])
+    }
+
+    vmSandbox = safeVM.sandbox
+  } else {
+    vmSandbox = originalVM.createContext(undefined)
+    vmSandbox.Buffer = Buffer
+
+    for (const name in sandbox) {
+      vmSandbox[name] = sandbox[name]
+    }
   }
 
   // processing top level props because getter/setter descriptors
@@ -127,49 +142,46 @@ module.exports = (_sandbox, options = {}) => {
     const currentConfig = propsConfig[key]
 
     if (currentConfig.root && currentConfig.root.sandboxReadOnly) {
-      readOnlyProp(vm.sandbox, key, [], customProxies, { onlyTopLevel: true })
+      readOnlyProp(vmSandbox, key, [], customProxies, { onlyTopLevel: true })
     }
   })
 
   const sourceFilesInfo = new Map()
 
   return {
-    sandbox: vm.sandbox,
+    sandbox: vmSandbox,
     console: _console,
     sourceFilesInfo,
+    compileScript: (code, filename) => {
+      return doCompileScript(code, filename, safeExecution)
+    },
     restore: () => {
-      return restoreProperties(vm.sandbox, originalValues, proxiesInVM, customProxies)
+      return restoreProperties(vmSandbox, originalValues, proxiesInVM, customProxies)
     },
-    safeRequire: (modulePath) => _require(modulePath, { context: _sandbox, allowAllModules: true }),
-    run: async (code, { filename, errorLineNumberOffset = 0, source, entity, entitySet } = {}) => {
-      const script = new VMScript(code, filename)
+    sandboxRequire: (modulePath) => _require(modulePath, { context: _sandbox, allowAllModules: true }),
+    run: async (codeOrScript, { filename, errorLineNumberOffset = 0, source, entity, entitySet } = {}) => {
+      let run
 
       if (filename != null && source != null) {
         sourceFilesInfo.set(filename, { filename, source, entity, entitySet, errorLineNumberOffset })
       }
 
-      // NOTE: if we need to upgrade vm2 we will need to check the source of this function
-      // in vm2 repo and see if we need to change this,
-      // we needed to override this method because we want "displayErrors" to be true in order
-      // to show nice error when the compile of a script fails
-      script._compile = function (prefix, suffix) {
-        return new originalVM.Script(prefix + this.getCompiledCode() + suffix, {
-          __proto__: null,
-          filename: this.filename,
-          displayErrors: true,
-          lineOffset: this.lineOffset,
-          columnOffset: this.columnOffset,
-          // THIS FN WAS TAKEN FROM vm2 source, nothing special here
-          importModuleDynamically: () => {
-            // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
-            // eslint-disable-next-line no-throw-literal
-            throw 'Dynamic imports are not allowed.'
-          }
-        })
+      const script = typeof codeOrScript !== 'string' ? codeOrScript : doCompileScript(codeOrScript, filename, safeExecution)
+
+      if (safeExecution) {
+        run = async () => {
+          return safeVM.run(script)
+        }
+      } else {
+        run = async () => {
+          return script.runInContext(vmSandbox, {
+            displayErrors: true
+          })
+        }
       }
 
       try {
-        const result = await vm.run(script)
+        const result = await run()
         return result
       } catch (e) {
         decorateErrorMessage(e, sourceFilesInfo)
@@ -180,10 +192,53 @@ module.exports = (_sandbox, options = {}) => {
   }
 }
 
+function doCompileScript (code, filename, safeExecution) {
+  let script
+
+  if (safeExecution) {
+    script = new VMScript(code, filename)
+
+    // NOTE: if we need to upgrade vm2 we will need to check the source of this function
+    // in vm2 repo and see if we need to change this,
+    // we needed to override this method because we want "displayErrors" to be true in order
+    // to show nice error when the compile of a script fails
+    script._compile = function (prefix, suffix) {
+      return new originalVM.Script(prefix + this.getCompiledCode() + suffix, {
+        __proto__: null,
+        filename: this.filename,
+        displayErrors: true,
+        lineOffset: this.lineOffset,
+        columnOffset: this.columnOffset,
+        // THIS FN WAS TAKEN FROM vm2 source, nothing special here
+        importModuleDynamically: () => {
+          // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
+          // eslint-disable-next-line no-throw-literal
+          throw 'Dynamic imports are not allowed.'
+        }
+      })
+    }
+
+    // do the compilation
+    script._compileVM()
+  } else {
+    script = new originalVM.Script(code, {
+      filename,
+      displayErrors: true,
+      importModuleDynamically: () => {
+        // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
+        // eslint-disable-next-line no-throw-literal
+        throw 'Dynamic imports are not allowed.'
+      }
+    })
+  }
+
+  return script
+}
+
 function doRequire (moduleName, requirePaths = [], modulesCache) {
   const searchedPaths = []
 
-  function safeRequire (require, modulePath) {
+  function optimizedRequire (require, modulePath) {
     // save the current module cache, we will use this to restore the cache to the
     // original values after the require finish
     const originalModuleCache = Object.assign(Object.create(null), require.cache)
@@ -238,13 +293,13 @@ function doRequire (moduleName, requirePaths = [], modulesCache) {
     }
   }
 
-  let result = safeRequire(require, moduleName)
+  let result = optimizedRequire(require, moduleName)
 
   if (!result) {
     let pathsSearched = 0
 
     while (!result && pathsSearched < requirePaths.length) {
-      result = safeRequire(require, path.join(requirePaths[pathsSearched], moduleName))
+      result = optimizedRequire(require, path.join(requirePaths[pathsSearched], moduleName))
       pathsSearched++
     }
   }

package/lib/worker/sandbox/runInSandbox.js

@@ -1,14 +1,17 @@
 const LRU = require('lru-cache')
 const stackTrace = require('stack-trace')
 const { customAlphabet } = require('nanoid')
-const safeSandbox = require('./safeSandbox')
+const createSandbox = require('./createSandbox')
 const nanoid = customAlphabet('abcdefghijklmnopqrstuvwxyz', 10)
 
 module.exports = (reporter) => {
-  return ({
+  const functionsCache = LRU(reporter.options.sandbox.cache)
+
+  return async ({
     manager = {},
     context,
     userCode,
+    initFn,
     executionFn,
     currentPath,
     onRequire,
@@ -19,7 +22,8 @@ module.exports = (reporter) => {
 
     // we use dynamic name because of the potential nested vm2 execution in the jsreportProxy.assets.require
     // it may turn out it is a bad approach in assets so we gonna delete it here
-    const executionFnName = nanoid() + '_executionFn'
+    const executionFnName = `${nanoid()}_executionFn`
+
     context[executionFnName] = executionFn
     context.__appDirectory = reporter.options.appDirectory
     context.__rootDirectory = reporter.options.rootDirectory
@@ -28,13 +32,14 @@ module.exports = (reporter) => {
     context.__topLevelFunctions = {}
     context.__handleError = (err) => handleError(reporter, err)
 
-    const { sourceFilesInfo, run, restore, sandbox, safeRequire } = safeSandbox(context, {
+    const { sourceFilesInfo, run, compileScript, restore, sandbox, sandboxRequire } = createSandbox(context, {
       onLog: (log) => {
         reporter.logger[log.level](log.message, { ...req, timestamp: log.timestamp })
       },
       formatError: (error, moduleName) => {
-        error.message += ` To be able to require custom modules you need to add to configuration { "allowLocalFilesAccess": true } or enable just specific module using { sandbox: { allowedModules": ["${moduleName}"] }`
+        error.message += ` To be able to require custom modules you need to add to configuration { "trustUserCode": true } or enable just specific module using { sandbox: { allowedModules": ["${moduleName}"] }`
       },
+      safeExecution: reporter.options.trustUserCode === false,
       modulesCache: reporter.requestModulesCache.get(req.context.rootId),
       globalModules: reporter.options.sandbox.nativeModules || [],
       allowedModules: reporter.options.sandbox.allowedModules,
@@ -61,7 +66,17 @@ module.exports = (reporter) => {
       }
     })
 
-    jsreportProxy = reporter.createProxy({ req, runInSandbox: run, context: sandbox, getTopLevelFunctions, safeRequire })
+    const _getTopLevelFunctions = (code) => {
+      return getTopLevelFunctions(functionsCache, code)
+    }
+
+    jsreportProxy = reporter.createProxy({
+      req,
+      runInSandbox: run,
+      context: sandbox,
+      getTopLevelFunctions: _getTopLevelFunctions,
+      sandboxRequire
+    })
 
     jsreportProxy.currentPath = async () => {
       // we get the current path by throwing an error, which give us a stack trace
@@ -114,7 +129,18 @@ module.exports = (reporter) => {
     // be passed in options
     manager.restore = restore
 
-    const functionNames = getTopLevelFunctions(userCode)
+    if (typeof initFn === 'function') {
+      const initScriptInfo = await initFn(_getTopLevelFunctions, compileScript)
+
+      if (initScriptInfo) {
+        await run(initScriptInfo.script, {
+          filename: initScriptInfo.filename || 'sandbox-init.js',
+          source: initScriptInfo.source
+        })
+      }
+    }
+
+    const functionNames = getTopLevelFunctions(functionsCache, userCode)
     const functionsCode = `return {${functionNames.map(h => `"${h}": ${h}`).join(',')}}`
     const executionCode = `;(async () => { ${userCode} \n\n;${functionsCode} })()
         .then((topLevelFunctions) => {
@@ -180,12 +206,11 @@ function handleError (reporter, errValue) {
   })
 }
 
-const functionsCache = LRU({ max: 100 })
-function getTopLevelFunctions (code) {
+function getTopLevelFunctions (cache, code) {
   const key = `functions:${code}`
 
-  if (functionsCache.has(key)) {
-    return functionsCache.get(key)
+  if (cache.has(key)) {
+    return cache.get(key)
   }
 
   // lazy load to speed up boot
@@ -223,6 +248,6 @@ function getTopLevelFunctions (code) {
     return []
   }
 
-  functionsCache.set(key, names)
+  cache.set(key, names)
   return names
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsreport/jsreport-core",
-  "version": "3.5.0",
+  "version": "3.6.0",
   "description": "javascript based business reporting",
   "keywords": [
     "report",
@@ -32,10 +32,10 @@
     "@babel/code-frame": "7.12.13",
     "@babel/parser": "7.14.4",
     "@babel/traverse": "7.12.9",
-    "@jsreport/advanced-workers": "1.2.1",
+    "@jsreport/advanced-workers": "1.2.2",
     "@jsreport/mingo": "2.4.1",
     "ajv": "6.12.6",
-    "app-root-path": "2.0.1",
+    "app-root-path": "3.0.0",
     "bytes": "3.1.2",
     "camelcase": "5.0.0",
     "debug": "4.3.2",
@@ -56,14 +56,14 @@
     "nanoid": "3.2.0",
     "nconf": "0.12.0",
     "node.extend.without.arrays": "1.1.6",
-    "reap2": "1.0.1",
+    "@jsreport/reap": "0.1.0",
     "semver": "7.3.5",
     "serializator": "1.0.2",
     "stack-trace": "0.0.10",
     "triple-beam": "1.3.0",
     "unset-value": "1.0.0",
     "uuid": "8.3.2",
-    "vm2": "3.9.7",
+    "vm2": "3.9.9",
     "winston": "3.3.3",
     "winston-transport": "4.4.0"
   },