@jsreport/jsreport-core 3.5.0 → 3.7.0

package/lib/main/reporter.js

@@ -5,7 +5,7 @@
  */
 const path = require('path')
 const { Readable } = require('stream')
-const Reaper = require('reap2')
+const Reaper = require('@jsreport/reap')
 const optionsLoad = require('./optionsLoad')
 const { createLogger, configureLogger, silentLogs } = require('./logger')
 const checkEntityName = require('./validateEntityName')
@@ -90,8 +90,8 @@ class MainReporter extends Reporter {
     return this
   }
 
-  async extensionsLoad (opts) {
-    const appliedConfigFile = await optionsLoad({
+  async extensionsLoad (_opts = {}) {
+    const [explicitOptions, appliedConfigFile] = await optionsLoad({
       defaults: this.defaults,
       options: this.options,
       validator: this.optionsValidator,
@@ -106,6 +106,8 @@ class MainReporter extends Reporter {
       silentLogs(this.logger)
     }
 
+    const { onConfigDetails, ...opts } = _opts
+
     this.logger.info(`Initializing jsreport (version: ${this.version}, configuration file: ${appliedConfigFile || 'none'}, nodejs: ${process.versions.node})`)
 
     await this.extensionsManager.load(opts)
@@ -130,6 +132,10 @@ class MainReporter extends Reporter {
       throw new Error(`options contain values that does not match the defined full root schema. ${rootOptionsValidation.fullErrorMessage}`)
     }
 
+    if (typeof onConfigDetails === 'function') {
+      onConfigDetails(explicitOptions)
+    }
+
     return this
   }
 
@@ -157,6 +163,7 @@ class MainReporter extends Reporter {
    */
   async init () {
     this.closing = this.closed = false
+
     if (this._initialized || this._initializing) {
       throw new Error('jsreport already initialized or just initializing. Make sure init is called only once')
     }
@@ -175,14 +182,22 @@ class MainReporter extends Reporter {
 
     try {
       this._registerLogMainAction()
-      await this.extensionsLoad()
+
+      let explicitOptions
+
+      await this.extensionsLoad({
+        onConfigDetails: (_explicitOptions) => {
+          explicitOptions = _explicitOptions
+        }
+      })
 
       this.documentStore = DocumentStore(Object.assign({}, this.options, { logger: this.logger }), this.entityTypeValidator, this.encryption)
       documentStoreActions(this)
       this.blobStorage = BlobStorage(this, this.options)
       blobStorageActions(this)
       Templates(this)
-      Profiler(this)
+
+      this._cleanProfileInRequest = Profiler(this)
 
       this.folders = Object.assign(this.folders, Folders(this))
 
@@ -200,6 +215,14 @@ class MainReporter extends Reporter {
 
       await this.extensionsManager.init()
 
+      if (this.options.trustUserCode) {
+        this.logger.info('Code sandboxing is disabled, users can potentially penetrate the local system if you allow code from external users to be part of your reports')
+      }
+
+      if (explicitOptions.trustUserCode == null && explicitOptions.allowLocalFilesAccess != null) {
+        this.logger.warn('options.allowLocalFilesAccess is deprecated, use options.trustUserCode instead')
+      }
+
       this.logger.info(`Using general timeout for rendering (reportTimeout: ${this.options.reportTimeout})`)
 
       if (this.options.store.provider === 'memory') {
@@ -450,11 +473,17 @@ class MainReporter extends Reporter {
       }, req)
 
       Object.assign(res, responseResult)
+
       await this.afterRenderListeners.fire(req, res)
+
       res.stream = Readable.from(res.content)
+
+      this._cleanProfileInRequest(req)
+
       return res
     } catch (err) {
       await this._handleRenderError(req, res, err)
+      this._cleanProfileInRequest(req)
       throw err
     } finally {
       if (worker && !workerAborted && !dontCloseProcessing) {

package/lib/worker/render/executeEngine.js

@@ -9,9 +9,10 @@ const LRU = require('lru-cache')
 const { nanoid } = require('nanoid')
 
 module.exports = (reporter) => {
-  const cache = LRU(reporter.options.sandbox.cache || { max: 100 })
+  const templatesCache = LRU(reporter.options.sandbox.cache)
+  let systemHelpersCache
 
-  reporter.templatingEngines = { cache }
+  reporter.templatingEngines = { cache: templatesCache }
 
   const executionFnParsedParamsMap = new Map()
   const executionAsyncResultsMap = new Map()
@@ -60,11 +61,44 @@ module.exports = (reporter) => {
       evaluate: async (executionInfo, entityInfo) => {
         return templatingEnginesEvaluate(false, executionInfo, entityInfo, req)
       },
+      waitForAsyncHelper: async (maybeAsyncContent) => {
+        if (
+          context.__executionId == null ||
+          !executionAsyncResultsMap.has(context.__executionId) ||
+          typeof maybeAsyncContent !== 'string'
+        ) {
+          return maybeAsyncContent
+        }
+
+        const asyncResultMap = executionAsyncResultsMap.get(context.__executionId)
+        const asyncHelperResultRegExp = /{#asyncHelperResult ([^{}]+)}/
+        let content = maybeAsyncContent
+        let matchResult
+
+        do {
+          if (matchResult != null) {
+            const matchedPart = matchResult[0]
+            const asyncResultId = matchResult[1]
+            const result = await asyncResultMap.get(asyncResultId)
+            content = `${content.slice(0, matchResult.index)}${result}${content.slice(matchResult.index + matchedPart.length)}`
+          }
+
+          matchResult = content.match(asyncHelperResultRegExp)
+        } while (matchResult != null)
+
+        return content
+      },
       waitForAsyncHelpers: async () => {
         if (context.__executionId != null && executionAsyncResultsMap.has(context.__executionId)) {
           const asyncResultMap = executionAsyncResultsMap.get(context.__executionId)
           return Promise.all([...asyncResultMap.keys()].map((k) => asyncResultMap.get(k)))
         }
+      },
+      createAsyncHelperResult: (v) => {
+        const asyncResultMap = executionAsyncResultsMap.get(context.__executionId)
+        const asyncResultId = nanoid(7)
+        asyncResultMap.set(asyncResultId, v)
+        return `{#asyncHelperResult ${asyncResultId}}`
       }
     }
   })
@@ -102,22 +136,49 @@ module.exports = (reporter) => {
       entityPath = await reporter.folders.resolveEntityPath(entity, entitySet, req)
     }
 
-    const registerResults = await reporter.registerHelpersListeners.fire(req)
-    const systemHelpers = []
+    const normalizedHelpers = `${helpers || ''}`
+    const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${normalizedHelpers}`
 
-    for (const result of registerResults) {
-      if (result == null) {
-        continue
+    const initFn = async (getTopLevelFunctions, compileScript) => {
+      if (systemHelpersCache != null) {
+        return systemHelpersCache
       }
 
-      if (typeof result === 'string') {
-        systemHelpers.push(result)
+      const registerResults = await reporter.registerHelpersListeners.fire()
+      const systemHelpers = []
+
+      for (const result of registerResults) {
+        if (result == null) {
+          continue
+        }
+
+        if (typeof result === 'string') {
+          systemHelpers.push(result)
+        }
       }
-    }
 
-    const systemHelpersStr = systemHelpers.join('\n')
-    const joinedHelpers = systemHelpersStr + '\n' + (helpers || '')
-    const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${joinedHelpers}`
+      const systemHelpersStr = systemHelpers.join('\n')
+
+      const functionNames = getTopLevelFunctions(systemHelpersStr)
+
+      const exposeSystemHelpersCode = `for (const fName of ${JSON.stringify(functionNames)}) { this[fName] = __topLevelFunctions[fName] }`
+
+      // we sync the __topLevelFunctions with system helpers and expose it immediately to the global context
+      const userCode = `(async () => { ${systemHelpersStr};
+      __topLevelFunctions = {...__topLevelFunctions, ${functionNames.map(h => `"${h}": ${h}`).join(',')}}; ${exposeSystemHelpersCode}
+      })()`
+
+      const filename = 'system-helpers.js'
+      const script = compileScript(userCode, filename)
+
+      systemHelpersCache = {
+        filename,
+        source: systemHelpersStr,
+        script
+      }
+
+      return systemHelpersCache
+    }
 
     const executionFn = async ({ require, console, topLevelFunctions, context }) => {
       const asyncResultMap = new Map()
@@ -129,25 +190,30 @@ module.exports = (reporter) => {
 
       const key = `template:${content}:${engine.name}`
 
-      if (!cache.has(key)) {
+      if (!templatesCache.has(key)) {
         try {
-          cache.set(key, engine.compile(content, { require }))
+          templatesCache.set(key, engine.compile(content, { require }))
         } catch (e) {
           e.property = 'content'
           throw e
         }
       }
 
-      const compiledTemplate = cache.get(key)
-
+      const compiledTemplate = templatesCache.get(key)
       const wrappedTopLevelFunctions = {}
 
       for (const h of Object.keys(topLevelFunctions)) {
-        wrappedTopLevelFunctions[h] = wrapHelperForAsyncSupport(topLevelFunctions[h], asyncResultMap)
+        if (engine.getWrappingHelpersEnabled && engine.getWrappingHelpersEnabled(req) === false) {
+          wrappedTopLevelFunctions[h] = engine.wrapHelper(topLevelFunctions[h], { context })
+        } else {
+          wrappedTopLevelFunctions[h] = wrapHelperForAsyncSupport(topLevelFunctions[h], asyncResultMap)
+        }
       }
 
       let contentResult = await engine.execute(compiledTemplate, wrappedTopLevelFunctions, data, { require })
+
       const resolvedResultsMap = new Map()
+
       while (asyncResultMap.size > 0) {
         await Promise.all([...asyncResultMap.keys()].map(async (k) => {
           resolvedResultsMap.set(k, `${await asyncResultMap.get(k)}`)
@@ -178,25 +244,27 @@ module.exports = (reporter) => {
       return executionFn({ require, console, topLevelFunctions, context })
     } else {
       const awaiter = {}
+
       awaiter.promise = new Promise((resolve) => {
         awaiter.resolve = resolve
       })
+
       executionFnParsedParamsMap.get(req.context.id).set(executionFnParsedParamsKey, awaiter)
     }
 
     if (reporter.options.sandbox.cache && reporter.options.sandbox.cache.enabled === false) {
-      cache.reset()
+      templatesCache.reset()
     }
 
     try {
       return await reporter.runInSandbox({
         context: {
-          ...(engine.createContext ? engine.createContext() : {})
+          ...(engine.createContext ? engine.createContext(req) : {})
         },
-        userCode: joinedHelpers,
+        userCode: normalizedHelpers,
+        initFn,
         executionFn,
         currentPath: entityPath,
-        errorLineNumberOffset: systemHelpersStr.split('\n').length,
         onRequire: (moduleName, { context }) => {
           if (engine.onRequire) {
             return engine.onRequire(moduleName, { context })

package/lib/worker/render/moduleHelper.js

@@ -4,7 +4,7 @@ const path = require('path')
 module.exports = (reporter) => {
   let helpersScript
 
-  reporter.registerHelpersListeners.add('core-helpers', (req) => {
+  reporter.registerHelpersListeners.add('core-helpers', () => {
     return helpersScript
   })
 
@@ -12,11 +12,11 @@ module.exports = (reporter) => {
     helpersScript = await fs.readFile(path.join(__dirname, '../../static/helpers.js'), 'utf8')
   })
 
-  reporter.extendProxy((proxy, req, { safeRequire }) => {
+  reporter.extendProxy((proxy, req, { sandboxRequire }) => {
     proxy.module = async (module) => {
-      if (!reporter.options.allowLocalFilesAccess && reporter.options.sandbox.allowedModules !== '*') {
+      if (!reporter.options.trustUserCode && reporter.options.sandbox.allowedModules !== '*') {
         if (reporter.options.sandbox.allowedModules.indexOf(module) === -1) {
-          throw reporter.createError(`require of module ${module} was rejected. Either set allowLocalFilesAccess=true or sandbox.allowLocalModules='*' or sandbox.allowLocalModules=['${module}'] `, { status: 400 })
+          throw reporter.createError(`require of module ${module} was rejected. Either set trustUserCode=true or sandbox.allowLocalModules='*' or sandbox.allowLocalModules=['${module}'] `, { status: 400 })
         }
       }
 

package/lib/worker/render/profiler.js

@@ -36,7 +36,10 @@ class Profiler {
       if (profilingInfo) {
         const batch = profilingInfo.batch
         profilingInfo.batch = []
-        await this.reporter.executeMainAction('profile', batch, profilingInfo.req).catch((e) => this.reporter.logger.error(e, profilingInfo.req))
+
+        if (batch.length > 0) {
+          await this.reporter.executeMainAction('profile', batch, profilingInfo.req).catch((e) => this.reporter.logger.error(e, profilingInfo.req))
+        }
       }
     }
   }
@@ -72,7 +75,7 @@ class Profiler {
       let content = res.content
 
       if (content != null) {
-        if (content.length > this.reporter.options.profiler.maxResponseSize) {
+        if (content.length > this.reporter.options.profiler.maxDiffSize) {
           content = {
             tooLarge: true
           }
@@ -97,7 +100,12 @@ class Profiler {
 
       const stringifiedReq = JSON.stringify({ template: req.template, data: req.data }, null, 2)
 
-      m.req = { diff: createPatch('req', req.context.profiling.reqLastVal || '', stringifiedReq, 0) }
+      m.req = { }
+      if (stringifiedReq.length * 4 > this.reporter.options.profiler.maxDiffSize) {
+        m.req.tooLarge = true
+      } else {
+        m.req.diff = createPatch('req', req.context.profiling.reqLastVal || '', stringifiedReq, 0)
+      }
 
       req.context.profiling.resLastVal = (res.content == null || isbinaryfile(res.content) || content.tooLarge) ? null : res.content.toString()
       req.context.profiling.resMetaLastVal = stringifiedResMeta
@@ -153,7 +161,10 @@ class Profiler {
       const profilingInfo = this.profiledRequestsMap.get(req.context.rootId)
       if (profilingInfo) {
         this.profiledRequestsMap.delete(req.context.rootId)
-        await this.reporter.executeMainAction('profile', profilingInfo.batch, req)
+
+        if (profilingInfo.batch.length > 0) {
+          await this.reporter.executeMainAction('profile', profilingInfo.batch, req)
+        }
       }
     }
   }

package/lib/worker/render/render.js

@@ -130,7 +130,7 @@ module.exports = (reporter) => {
         reporter.requestModulesCache.set(request.context.rootId, Object.create(null))
       }
 
-      reporter.logger.info(`Starting rendering request ${request.context.reportCounter} (user: ${(request.context.user ? request.context.user.username : 'null')})`, request)
+      reporter.logger.info(`Starting rendering request ${request.context.reportCounter} (user: ${(request.context.user ? request.context.user.name : 'null')})`, request)
 
       // TODO
       /* if (reporter.entityTypeValidator.getSchema('TemplateType') != null) {

package/lib/worker/reporter.js

@@ -111,14 +111,14 @@ class WorkerReporter extends Reporter {
     this._proxyRegistrationFns.push(registrationFn)
   }
 
-  createProxy ({ req, runInSandbox, context, getTopLevelFunctions, safeRequire }) {
+  createProxy ({ req, runInSandbox, context, getTopLevelFunctions, sandboxRequire }) {
     const proxyInstance = {}
     for (const fn of this._proxyRegistrationFns) {
       fn(proxyInstance, req, {
         runInSandbox,
         context,
         getTopLevelFunctions,
-        safeRequire
+        sandboxRequire
       })
     }
     return proxyInstance
@@ -137,10 +137,11 @@ class WorkerReporter extends Reporter {
     manager,
     context,
     userCode,
+    initFn,
     executionFn,
+    currentPath,
     onRequire,
     propertiesConfig,
-    currentPath,
     errorLineNumberOffset
   }, req) {
     // we flush before running code in sandbox because it can potentially
@@ -152,10 +153,11 @@ class WorkerReporter extends Reporter {
       manager,
       context,
       userCode,
+      initFn,
       executionFn,
+      currentPath,
       onRequire,
       propertiesConfig,
-      currentPath,
       errorLineNumberOffset
     }, req)
   }

package/lib/worker/sandbox/{safeSandbox.js → createSandbox.js}

@@ -19,6 +19,7 @@ module.exports = (_sandbox, options = {}) => {
     propertiesConfig = {},
     globalModules = [],
     allowedModules = [],
+    safeExecution,
     requireMap
   } = options
 
@@ -65,7 +66,7 @@ module.exports = (_sandbox, options = {}) => {
       }
     }
 
-    if (allowAllModules || allowedModules === '*') {
+    if (!safeExecution || allowAllModules || allowedModules === '*') {
       return doRequire(moduleName, requirePaths, modulesCache)
     }
 
@@ -111,14 +112,28 @@ module.exports = (_sandbox, options = {}) => {
     require: (m) => _require(m, { context: _sandbox })
   })
 
-  const vm = new VM()
+  let safeVM
+  let vmSandbox
 
-  // delete the vm.sandbox.global because it introduces json stringify issues
-  // and we don't need such global in context
-  delete vm.sandbox.global
+  if (safeExecution) {
+    safeVM = new VM()
 
-  for (const name in sandbox) {
-    vm.setGlobal(name, sandbox[name])
+    // delete the vm.sandbox.global because it introduces json stringify issues
+    // and we don't need such global in context
+    delete safeVM.sandbox.global
+
+    for (const name in sandbox) {
+      safeVM.setGlobal(name, sandbox[name])
+    }
+
+    vmSandbox = safeVM.sandbox
+  } else {
+    vmSandbox = originalVM.createContext(undefined)
+    vmSandbox.Buffer = Buffer
+
+    for (const name in sandbox) {
+      vmSandbox[name] = sandbox[name]
+    }
   }
 
   // processing top level props because getter/setter descriptors
@@ -127,49 +142,46 @@ module.exports = (_sandbox, options = {}) => {
     const currentConfig = propsConfig[key]
 
     if (currentConfig.root && currentConfig.root.sandboxReadOnly) {
-      readOnlyProp(vm.sandbox, key, [], customProxies, { onlyTopLevel: true })
+      readOnlyProp(vmSandbox, key, [], customProxies, { onlyTopLevel: true })
     }
   })
 
   const sourceFilesInfo = new Map()
 
   return {
-    sandbox: vm.sandbox,
+    sandbox: vmSandbox,
     console: _console,
     sourceFilesInfo,
+    compileScript: (code, filename) => {
+      return doCompileScript(code, filename, safeExecution)
+    },
     restore: () => {
-      return restoreProperties(vm.sandbox, originalValues, proxiesInVM, customProxies)
+      return restoreProperties(vmSandbox, originalValues, proxiesInVM, customProxies)
     },
-    safeRequire: (modulePath) => _require(modulePath, { context: _sandbox, allowAllModules: true }),
-    run: async (code, { filename, errorLineNumberOffset = 0, source, entity, entitySet } = {}) => {
-      const script = new VMScript(code, filename)
+    sandboxRequire: (modulePath) => _require(modulePath, { context: _sandbox, allowAllModules: true }),
+    run: async (codeOrScript, { filename, errorLineNumberOffset = 0, source, entity, entitySet } = {}) => {
+      let run
 
       if (filename != null && source != null) {
         sourceFilesInfo.set(filename, { filename, source, entity, entitySet, errorLineNumberOffset })
       }
 
-      // NOTE: if we need to upgrade vm2 we will need to check the source of this function
-      // in vm2 repo and see if we need to change this,
-      // we needed to override this method because we want "displayErrors" to be true in order
-      // to show nice error when the compile of a script fails
-      script._compile = function (prefix, suffix) {
-        return new originalVM.Script(prefix + this.getCompiledCode() + suffix, {
-          __proto__: null,
-          filename: this.filename,
-          displayErrors: true,
-          lineOffset: this.lineOffset,
-          columnOffset: this.columnOffset,
-          // THIS FN WAS TAKEN FROM vm2 source, nothing special here
-          importModuleDynamically: () => {
-            // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
-            // eslint-disable-next-line no-throw-literal
-            throw 'Dynamic imports are not allowed.'
-          }
-        })
+      const script = typeof codeOrScript !== 'string' ? codeOrScript : doCompileScript(codeOrScript, filename, safeExecution)
+
+      if (safeExecution) {
+        run = async () => {
+          return safeVM.run(script)
+        }
+      } else {
+        run = async () => {
+          return script.runInContext(vmSandbox, {
+            displayErrors: true
+          })
+        }
       }
 
       try {
-        const result = await vm.run(script)
+        const result = await run()
         return result
       } catch (e) {
         decorateErrorMessage(e, sourceFilesInfo)
@@ -180,10 +192,53 @@ module.exports = (_sandbox, options = {}) => {
   }
 }
 
+function doCompileScript (code, filename, safeExecution) {
+  let script
+
+  if (safeExecution) {
+    script = new VMScript(code, filename)
+
+    // NOTE: if we need to upgrade vm2 we will need to check the source of this function
+    // in vm2 repo and see if we need to change this,
+    // we needed to override this method because we want "displayErrors" to be true in order
+    // to show nice error when the compile of a script fails
+    script._compile = function (prefix, suffix) {
+      return new originalVM.Script(prefix + this.getCompiledCode() + suffix, {
+        __proto__: null,
+        filename: this.filename,
+        displayErrors: true,
+        lineOffset: this.lineOffset,
+        columnOffset: this.columnOffset,
+        // THIS FN WAS TAKEN FROM vm2 source, nothing special here
+        importModuleDynamically: () => {
+          // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
+          // eslint-disable-next-line no-throw-literal
+          throw 'Dynamic imports are not allowed.'
+        }
+      })
+    }
+
+    // do the compilation
+    script._compileVM()
+  } else {
+    script = new originalVM.Script(code, {
+      filename,
+      displayErrors: true,
+      importModuleDynamically: () => {
+        // We can't throw an error object here because since vm.Script doesn't store a context, we can't properly contextify that error object.
+        // eslint-disable-next-line no-throw-literal
+        throw 'Dynamic imports are not allowed.'
+      }
+    })
+  }
+
+  return script
+}
+
 function doRequire (moduleName, requirePaths = [], modulesCache) {
   const searchedPaths = []
 
-  function safeRequire (require, modulePath) {
+  function optimizedRequire (require, modulePath) {
     // save the current module cache, we will use this to restore the cache to the
     // original values after the require finish
     const originalModuleCache = Object.assign(Object.create(null), require.cache)
@@ -238,13 +293,13 @@ function doRequire (moduleName, requirePaths = [], modulesCache) {
     }
   }
 
-  let result = safeRequire(require, moduleName)
+  let result = optimizedRequire(require, moduleName)
 
   if (!result) {
     let pathsSearched = 0
 
     while (!result && pathsSearched < requirePaths.length) {
-      result = safeRequire(require, path.join(requirePaths[pathsSearched], moduleName))
+      result = optimizedRequire(require, path.join(requirePaths[pathsSearched], moduleName))
       pathsSearched++
     }
   }