@jsreport/jsreport-core 3.5.0 → 3.7.0

package/lib/worker/sandbox/runInSandbox.js

@@ -1,14 +1,17 @@
 const LRU = require('lru-cache')
 const stackTrace = require('stack-trace')
 const { customAlphabet } = require('nanoid')
-const safeSandbox = require('./safeSandbox')
+const createSandbox = require('./createSandbox')
 const nanoid = customAlphabet('abcdefghijklmnopqrstuvwxyz', 10)
 
 module.exports = (reporter) => {
-  return ({
+  const functionsCache = LRU(reporter.options.sandbox.cache)
+
+  return async ({
     manager = {},
     context,
     userCode,
+    initFn,
     executionFn,
     currentPath,
     onRequire,
@@ -19,7 +22,8 @@ module.exports = (reporter) => {
 
     // we use dynamic name because of the potential nested vm2 execution in the jsreportProxy.assets.require
     // it may turn out it is a bad approach in assets so we gonna delete it here
-    const executionFnName = nanoid() + '_executionFn'
+    const executionFnName = `${nanoid()}_executionFn`
+
     context[executionFnName] = executionFn
     context.__appDirectory = reporter.options.appDirectory
     context.__rootDirectory = reporter.options.rootDirectory
@@ -28,13 +32,16 @@ module.exports = (reporter) => {
     context.__topLevelFunctions = {}
     context.__handleError = (err) => handleError(reporter, err)
 
-    const { sourceFilesInfo, run, restore, sandbox, safeRequire } = safeSandbox(context, {
+    const { sourceFilesInfo, run, compileScript, restore, sandbox, sandboxRequire } = createSandbox(context, {
       onLog: (log) => {
-        reporter.logger[log.level](log.message, { ...req, timestamp: log.timestamp })
+        // we mark any log done in sandbox as userLevel: true, this allows us to detect which logs belongs to user
+        // and can potentially contain sensitive information
+        reporter.logger[log.level](log.message, { ...req, timestamp: log.timestamp, userLevel: true })
       },
       formatError: (error, moduleName) => {
-        error.message += ` To be able to require custom modules you need to add to configuration { "allowLocalFilesAccess": true } or enable just specific module using { sandbox: { allowedModules": ["${moduleName}"] }`
+        error.message += ` To be able to require custom modules you need to add to configuration { "trustUserCode": true } or enable just specific module using { sandbox: { allowedModules": ["${moduleName}"] }`
       },
+      safeExecution: reporter.options.trustUserCode === false,
       modulesCache: reporter.requestModulesCache.get(req.context.rootId),
       globalModules: reporter.options.sandbox.nativeModules || [],
       allowedModules: reporter.options.sandbox.allowedModules,
@@ -61,7 +68,17 @@ module.exports = (reporter) => {
       }
     })
 
-    jsreportProxy = reporter.createProxy({ req, runInSandbox: run, context: sandbox, getTopLevelFunctions, safeRequire })
+    const _getTopLevelFunctions = (code) => {
+      return getTopLevelFunctions(functionsCache, code)
+    }
+
+    jsreportProxy = reporter.createProxy({
+      req,
+      runInSandbox: run,
+      context: sandbox,
+      getTopLevelFunctions: _getTopLevelFunctions,
+      sandboxRequire
+    })
 
     jsreportProxy.currentPath = async () => {
       // we get the current path by throwing an error, which give us a stack trace
@@ -114,7 +131,18 @@ module.exports = (reporter) => {
     // be passed in options
     manager.restore = restore
 
-    const functionNames = getTopLevelFunctions(userCode)
+    if (typeof initFn === 'function') {
+      const initScriptInfo = await initFn(_getTopLevelFunctions, compileScript)
+
+      if (initScriptInfo) {
+        await run(initScriptInfo.script, {
+          filename: initScriptInfo.filename || 'sandbox-init.js',
+          source: initScriptInfo.source
+        })
+      }
+    }
+
+    const functionNames = getTopLevelFunctions(functionsCache, userCode)
     const functionsCode = `return {${functionNames.map(h => `"${h}": ${h}`).join(',')}}`
     const executionCode = `;(async () => { ${userCode} \n\n;${functionsCode} })()
         .then((topLevelFunctions) => {
@@ -180,12 +208,11 @@ function handleError (reporter, errValue) {
   })
 }
 
-const functionsCache = LRU({ max: 100 })
-function getTopLevelFunctions (code) {
+function getTopLevelFunctions (cache, code) {
   const key = `functions:${code}`
 
-  if (functionsCache.has(key)) {
-    return functionsCache.get(key)
+  if (cache.has(key)) {
+    return cache.get(key)
   }
 
   // lazy load to speed up boot
@@ -223,6 +250,6 @@ function getTopLevelFunctions (code) {
     return []
   }
 
-  functionsCache.set(key, names)
+  cache.set(key, names)
   return names
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsreport/jsreport-core",
-  "version": "3.5.0",
+  "version": "3.7.0",
   "description": "javascript based business reporting",
   "keywords": [
     "report",
@@ -17,12 +17,19 @@
     "name": "Jan Blaha",
     "email": "jan.blaha@hotmail.com"
   },
+  "maintainers": [
+    {
+      "name": "pofider",
+      "email": "jan.blaha@hotmail.com"
+    }
+  ],
   "main": "index.js",
   "files": [
     "lib",
     "index.js",
     "test/store/common.js",
-    "test/blobStorage/common.js"
+    "test/blobStorage/common.js",
+    "test/extensions/validExtensions/listeners"
   ],
   "scripts": {
     "test": "mocha --timeout 5000 --recursive test --exit && standard",
@@ -32,10 +39,12 @@
     "@babel/code-frame": "7.12.13",
     "@babel/parser": "7.14.4",
     "@babel/traverse": "7.12.9",
-    "@jsreport/advanced-workers": "1.2.1",
+    "@colors/colors": "1.5.0",
+    "@jsreport/advanced-workers": "1.2.3",
     "@jsreport/mingo": "2.4.1",
+    "@jsreport/reap": "0.1.0",
     "ajv": "6.12.6",
-    "app-root-path": "2.0.1",
+    "app-root-path": "3.0.0",
     "bytes": "3.1.2",
     "camelcase": "5.0.0",
     "debug": "4.3.2",
@@ -56,16 +65,15 @@
     "nanoid": "3.2.0",
     "nconf": "0.12.0",
     "node.extend.without.arrays": "1.1.6",
-    "reap2": "1.0.1",
     "semver": "7.3.5",
     "serializator": "1.0.2",
     "stack-trace": "0.0.10",
     "triple-beam": "1.3.0",
     "unset-value": "1.0.0",
     "uuid": "8.3.2",
-    "vm2": "3.9.7",
-    "winston": "3.3.3",
-    "winston-transport": "4.4.0"
+    "vm2": "3.9.9",
+    "winston": "3.8.1",
+    "winston-transport": "4.5.0"
   },
   "devDependencies": {
     "mocha": "9.2.2",
@@ -77,12 +85,6 @@
   "engines": {
     "node": ">=16.11"
   },
-  "maintainers": [
-    {
-      "name": "pofider",
-      "email": "jan.blaha@hotmail.com"
-    }
-  ],
   "standard": {
     "env": {
       "mocha": true

package/test/extensions/validExtensions/listeners/jsreport.dontdiscover.config.js

@@ -0,0 +1,9 @@
+module.exports = {
+  name: 'listeners',
+  main: 'main.js',
+  worker: 'worker.js',
+  dependencies: ['a', 'b', 'c', 'd', 'e', 'f'],
+  requires: {},
+  hasPublicPart: false,
+  directory: __dirname
+}

package/test/extensions/validExtensions/listeners/main.js

@@ -0,0 +1,51 @@
+
+module.exports = (reporter, definition) => {
+  reporter.tests = reporter.tests || {}
+  reporter.tests.beforeRenderListeners = reporter.createListenerCollection()
+  reporter.tests.afterRenderListeners = reporter.createListenerCollection()
+  reporter.tests.validateRenderListeners = reporter.createListenerCollection()
+  reporter.tests.afterTemplatingEnginesExecutedListeners = reporter.createListenerCollection()
+
+  reporter.registerMainAction('test-beforeRender-listeners', async (data, req) => {
+    data.req = reporter.Request(data.req)
+    await reporter.tests.beforeRenderListeners.fire(data.req, data.res)
+    return { req: data.req, res: data.res }
+  })
+  reporter.registerMainAction('test-afterRender-listeners', async (data, req) => {
+    data.req = reporter.Request(data.req)
+    await reporter.tests.afterRenderListeners.fire(data.req, data.res)
+    return { req: data.req, res: data.res }
+  })
+  reporter.registerMainAction('test-validateRender-listeners', async (data, req) => {
+    data.req = reporter.Request(data.req)
+    await reporter.tests.validateRenderListeners.fire(data.req, data.res)
+    return { req: data.req, res: data.res }
+  })
+  reporter.registerMainAction('test-afterTemplatingEnginesExecuted-listeners', async (data, req) => {
+    data.req = reporter.Request(data.req)
+    await reporter.tests.afterTemplatingEnginesExecutedListeners.fire(data.req, data.res)
+    return { req: data.req, res: data.res }
+  })
+
+  let beforeRenderEval
+  reporter.tests.beforeRenderEval = (fn) => {
+    beforeRenderEval = fn
+  }
+  reporter.registerMainAction('test-beforeRenderEval', async (data, req) => {
+    if (beforeRenderEval == null) {
+      return
+    }
+    return beforeRenderEval.toString()
+  })
+
+  let afterRenderEval
+  reporter.tests.afterRenderEval = (fn) => {
+    afterRenderEval = fn
+  }
+  reporter.registerMainAction('test-afterRenderEval', async (data, req) => {
+    if (afterRenderEval == null) {
+      return
+    }
+    return afterRenderEval.toString()
+  })
+}

package/test/extensions/validExtensions/listeners/worker.js

@@ -0,0 +1,68 @@
+const extend = require('node.extend.without.arrays')
+const vm = require('vm')
+const path = require('path')
+const process = require('process')
+
+module.exports = (reporter, definition) => {
+  reporter.initializeListeners.add('test-listeners', () => {
+    reporter.beforeRenderListeners.add('listeners', async (req, res) => {
+      const result = await reporter.executeMainAction('test-beforeRender-listeners', { req, res }, req)
+      extend(true, req, result.req)
+      extend(true, res, result.res)
+    })
+
+    reporter.afterRenderListeners.add('listeners', async (req, res) => {
+      const result = await reporter.executeMainAction('test-afterRender-listeners', { req, res }, req)
+      extend(true, req, result.req)
+      extend(true, res, result.res)
+    })
+
+    reporter.validateRenderListeners.add('listeners', async (req, res) => {
+      const result = await reporter.executeMainAction('test-validateRender-listeners', { req, res }, req)
+      extend(true, req, result.req)
+      extend(true, res, result.res)
+    })
+
+    reporter.afterTemplatingEnginesExecutedListeners.add('listeners', async (req, res) => {
+      const result = await reporter.executeMainAction('test-afterTemplatingEnginesExecuted-listeners', { req, res }, req)
+      extend(true, req, result.req)
+      extend(true, res, result.res)
+    })
+
+    const evalInWorker = (code, req, res) => {
+      const script = new vm.Script(`
+          ;(function () {
+            return ${code}
+          })()
+      `)
+
+      return script.runInThisContext({
+        displayErrors: true
+      })(req, res, {
+        require: (m) => {
+          try {
+            return require(path.join(process.cwd(), 'node_modules', m))
+          } catch (e) {
+            // hack, make it working in monorepo as well as normal extension
+            return require(path.join(process.cwd(), '../../node_modules', m))
+          }
+        },
+        reporter
+      })
+    }
+
+    reporter.afterRenderListeners.add('eval-listeners', async (req, res) => {
+      const code = await reporter.executeMainAction('test-afterRenderEval', {}, req)
+      if (code) {
+        return evalInWorker(code, req, res)
+      }
+    })
+
+    reporter.beforeRenderListeners.insert(0, 'eval-listeners', async (req, res) => {
+      const code = await reporter.executeMainAction('test-beforeRenderEval', {}, req)
+      if (code) {
+        return evalInWorker(code, req, res)
+      }
+    })
+  })
+}

package/test/store/common.js

@@ -228,7 +228,7 @@ function collectionTests (store, isInternal, runTransactions) {
     const colName = !isInternal ? 'templates' : 'internalTemplates'
 
     await getCollection(colName).insert({ name: '1', engine: 'none', recipe: 'a' })
-    await getCollection(colName).insert({ name: '2', engine: 'none', recipe: 'a' })
+    await getCollection(colName).insert({ name: '2', engine: 'test2', recipe: 'a' })
     const res = await getCollection(colName).update({ recipe: 'a' }, { $set: { engine: 'test2' } })
     res.should.be.eql(2)
   })