@jsreport/jsreport-core 4.2.1 → 4.3.0

package/README.md

@@ -256,7 +256,7 @@ jsreport currently support these main listeners
 - `closeListeners()` called when jsreport is about to be closed, you will usually put here some code that clean up some resource
 
 ## Studio
-jsreport includes also visual html studio and rest API. This is provided through two extensions, [@jsreport/jsreport-express](https://github.com/jsreport/jsreport/tree/master/packages/jsreport-express) extension to have a web server available and [@jsreport/jsreport-studio](https://github.com/jsreport/jsreport/tree/master/packages/jsreport-studio) for the web UI, both extensions should be installed in order to have the studio ready. See the documentation of each extension for the details.
+jsreport includes also visual html studio and rest API. This is provided through two extensions, [@jsreport/jsreport-express](https://github.com/jsreport/jsreport/tree/master/packages/jsreport-express) extension to have a web server available and [@jsreport/jsreport-studio](https://github.com/jsreport/jsreport/tree/master/packages/jsreport-studio) for the web UI, both extensions should be installed in order to have the studio ready. See the documentation of each extension for the details
 
 ## Template store
 `jsreport-core` includes API for persisting and accessing report templates. This API is then used by extensions mainly in combination with jsreport [studio](#studio). `jsreport-core` implements just in-memory persistence, but you can add other persistence methods through extensions, see the [template stores](https://jsreport.net/learn/template-stores) docummentation
@@ -282,6 +282,20 @@ jsreport.documentStore.collection('templates')
 
 ## Changelog
 
+### 4.3.0
+
+- expose safe properties of `req.context.user` in sandbox
+- fix component execution when wrapped with async helper
+- fix jsdom require in sandbox
+
+### 4.2.2
+
+- fix recursive component rendering
+
+### 4.2.1
+
+- response.output.update now accepts Web ReadableStream (which is what new version of puppeteer returns)
+
 ### 4.2.0
 
 - the response object has new structure and api, the `response.output` is new addition and contains different methods to work with the response output. the  `response.content`, `response.stream` are now soft deprecated (will be removed in future versions)

package/lib/worker/render/executeEngine.js

@@ -14,8 +14,10 @@ module.exports = (reporter) => {
 
   reporter.templatingEngines = { cache: templatesCache }
 
+  const contextExecutionChainMap = new WeakMap()
   const executionFnParsedParamsMap = new Map()
   const executionAsyncResultsMap = new Map()
+  const executionAsyncCallChainMap = new Map()
   const executionFinishListenersMap = new Map()
 
   const templatingEnginesEvaluate = async (mainCall, { engine, content, helpers, data }, { entity, entitySet }, req) => {
@@ -48,11 +50,14 @@ module.exports = (reporter) => {
       }
 
       executionAsyncResultsMap.delete(executionId)
+      executionAsyncCallChainMap.delete(executionId)
       executionFinishListenersMap.delete(executionId)
     }
   }
 
-  reporter.templatingEngines.evaluate = (executionInfo, entityInfo, req) => templatingEnginesEvaluate(true, executionInfo, entityInfo, req)
+  reporter.templatingEngines.evaluate = (executionInfo, entityInfo, req) => {
+    return templatingEnginesEvaluate(true, executionInfo, entityInfo, req)
+  }
 
   reporter.extendProxy((proxy, req, {
     runInSandbox,
@@ -64,15 +69,18 @@ module.exports = (reporter) => {
         return templatingEnginesEvaluate(false, executionInfo, entityInfo, req)
       },
       waitForAsyncHelper: async (maybeAsyncContent) => {
+        const executionChain = contextExecutionChainMap.get(context) || []
+        const executionId = executionChain[executionChain.length - 1]
+
         if (
-          context.__executionId == null ||
-          !executionAsyncResultsMap.has(context.__executionId) ||
+          executionId == null ||
+          !executionAsyncResultsMap.has(executionId) ||
           typeof maybeAsyncContent !== 'string'
         ) {
           return maybeAsyncContent
         }
 
-        const asyncResultMap = executionAsyncResultsMap.get(context.__executionId)
+        const asyncResultMap = executionAsyncResultsMap.get(executionId)
         const asyncHelperResultRegExp = /{#asyncHelperResult ([^{}]+)}/
         let content = maybeAsyncContent
         let matchResult
@@ -91,18 +99,34 @@ module.exports = (reporter) => {
         return content
       },
       waitForAsyncHelpers: async () => {
-        if (context.__executionId != null && executionAsyncResultsMap.has(context.__executionId)) {
-          const asyncResultMap = executionAsyncResultsMap.get(context.__executionId)
-          return Promise.all([...asyncResultMap.keys()].map((k) => asyncResultMap.get(k)))
+        const executionChain = contextExecutionChainMap.get(context) || []
+        const executionId = executionChain[executionChain.length - 1]
+
+        if (executionId != null && executionAsyncResultsMap.has(executionId)) {
+          const asyncCallChainSet = executionAsyncCallChainMap.get(executionId)
+          const lastAsyncCall = [...asyncCallChainSet].pop()
+
+          const asyncResultMap = executionAsyncResultsMap.get(executionId)
+          // we should exclude the last async call because if it exists it represents the parent
+          // async call that called .waitForAsyncHelpers, it is not going to be resolved at this point
+          const targetAsyncResultKeys = [...asyncResultMap.keys()].filter((key) => key !== lastAsyncCall)
+
+          return Promise.all(targetAsyncResultKeys.map((k) => asyncResultMap.get(k)))
         }
       },
       addFinishListener: (fn) => {
-        if (executionFinishListenersMap.has(context.__executionId)) {
-          executionFinishListenersMap.get(context.__executionId).add('finish', fn)
+        const executionChain = contextExecutionChainMap.get(context) || []
+        const executionId = executionChain[executionChain.length - 1]
+
+        if (executionId && executionFinishListenersMap.has(executionId)) {
+          executionFinishListenersMap.get(executionId).add('finish', fn)
         }
       },
       createAsyncHelperResult: (v) => {
-        const asyncResultMap = executionAsyncResultsMap.get(context.__executionId)
+        const executionChain = contextExecutionChainMap.get(context) || []
+        const executionId = executionChain[executionChain.length - 1]
+
+        const asyncResultMap = executionAsyncResultsMap.get(executionId)
         const asyncResultId = nanoid(7)
         asyncResultMap.set(asyncResultId, v)
         return `{#asyncHelperResult ${asyncResultId}}`
@@ -133,6 +157,7 @@ module.exports = (reporter) => {
     } finally {
       executionFnParsedParamsMap.delete(req.context.id)
       executionAsyncResultsMap.delete(executionId)
+      executionAsyncCallChainMap.delete(executionId)
     }
   }
 
@@ -147,10 +172,6 @@ module.exports = (reporter) => {
     const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${normalizedHelpers}`
 
     const initFn = async (getTopLevelFunctions, compileScript) => {
-      if (reporter.options.trustUserCode === false) {
-        return null
-      }
-
       if (systemHelpersCache != null) {
         return systemHelpersCache
       }
@@ -193,10 +214,16 @@ module.exports = (reporter) => {
 
     const executionFn = async ({ require, console, topLevelFunctions, context }) => {
       const asyncResultMap = new Map()
+      const asyncCallChainSet = new Set()
 
-      context.__executionId = executionId
+      if (!contextExecutionChainMap.has(context)) {
+        contextExecutionChainMap.set(context, [])
+      }
+
+      contextExecutionChainMap.get(context).push(executionId)
 
       executionAsyncResultsMap.set(executionId, asyncResultMap)
+      executionAsyncCallChainMap.set(executionId, asyncCallChainSet)
       executionFinishListenersMap.set(executionId, reporter.createListenerCollection())
       executionFnParsedParamsMap.get(req.context.id).get(executionFnParsedParamsKey).resolve({ require, console, topLevelFunctions, context })
 
@@ -223,7 +250,7 @@ module.exports = (reporter) => {
         if (engine.getWrappingHelpersEnabled && engine.getWrappingHelpersEnabled(req) === false) {
           wrappedTopLevelFunctions[h] = engine.wrapHelper(wrappedTopLevelFunctions[h], { context })
         } else {
-          wrappedTopLevelFunctions[h] = wrapHelperForAsyncSupport(wrappedTopLevelFunctions[h], asyncResultMap)
+          wrappedTopLevelFunctions[h] = wrapHelperForAsyncSupport(wrappedTopLevelFunctions[h], asyncResultMap, asyncCallChainSet)
         }
       }
 
@@ -231,21 +258,36 @@ module.exports = (reporter) => {
 
       const resolvedResultsMap = new Map()
 
-      // we need to use the cloned map, becuase there can be a waitForAsyncHelper pending that needs the asyncResultMap values
-      const clonedMap = new Map(asyncResultMap)
+      // we need to use the cloned map, because there can be a waitForAsyncHelper pending that needs the asyncResultMap values
+      let clonedMap = new Map(asyncResultMap)
+
       while (clonedMap.size > 0) {
-        await Promise.all([...clonedMap.keys()].map(async (k) => {
-          resolvedResultsMap.set(k, `${await clonedMap.get(k)}`)
+        const keysEvaluated = [...clonedMap.keys()]
+
+        await Promise.all(keysEvaluated.map(async (k) => {
+          const result = await clonedMap.get(k)
+          asyncCallChainSet.delete(k)
+          resolvedResultsMap.set(k, `${result}`)
           clonedMap.delete(k)
         }))
+
+        // we need to remove the keys processed from the original map at this point
+        // (after the await) because during the async work the asyncResultMap will be read
+        for (const k of keysEvaluated) {
+          asyncResultMap.delete(k)
+        }
+
+        // we want to process the new generated pending async results
+        if (asyncResultMap.size > 0) {
+          clonedMap = new Map(asyncResultMap)
+        }
       }
-      asyncResultMap.clear()
 
       while (contentResult.includes('{#asyncHelperResult')) {
         contentResult = contentResult.replace(/{#asyncHelperResult ([^{}]+)}/g, (str, p1) => {
           const asyncResultId = p1
           // this can happen if a child jsreport.templatingEngines.evaluate receives an async value from outer scope
-          // because every evaluate uses a unique map of async resuts
+          // because every evaluate uses a unique map of async results
           // example is the case when component receives as a value async thing
           // instead of returning "undefined" we let the outer eval to do the replace
           if (!resolvedResultsMap.has(asyncResultId)) {
@@ -255,9 +297,12 @@ module.exports = (reporter) => {
           return `${resolvedResultsMap.get(asyncResultId)}`
         })
       }
+
       contentResult = contentResult.replace(/asyncUnresolvedHelperResult/g, 'asyncHelperResult')
 
-      await executionFinishListenersMap.get(context.__executionId).fire()
+      await executionFinishListenersMap.get(executionId).fire()
+
+      contextExecutionChainMap.set(context, contextExecutionChainMap.get(context).filter((id) => id !== executionId))
 
       return {
         // handlebars escapes single brackets before execution to prevent errors on {#asset}
@@ -287,30 +332,12 @@ module.exports = (reporter) => {
       templatesCache.reset()
     }
 
-    let helpersStr = normalizedHelpers
-    if (reporter.options.trustUserCode === false) {
-      const registerResults = await reporter.registerHelpersListeners.fire()
-      const systemHelpers = []
-
-      for (const result of registerResults) {
-        if (result == null) {
-          continue
-        }
-
-        if (typeof result === 'string') {
-          systemHelpers.push(result)
-        }
-      }
-      const systemHelpersStr = systemHelpers.join('\n')
-      helpersStr = normalizedHelpers + '\n' + systemHelpersStr
-    }
-
     try {
       return await reporter.runInSandbox({
         context: {
           ...(engine.createContext ? engine.createContext(req) : {})
         },
-        userCode: helpersStr,
+        userCode: normalizedHelpers,
         initFn,
         executionFn,
         currentPath: entityPath,
@@ -363,7 +390,7 @@ module.exports = (reporter) => {
     }
   }
 
-  function wrapHelperForAsyncSupport (fn, asyncResultMap) {
+  function wrapHelperForAsyncSupport (fn, asyncResultMap, asyncCallChainSet) {
     return function (...args) {
       // important to call the helper with the current this to preserve the same behavior
       const fnResult = fn.call(this, ...args)
@@ -374,6 +401,7 @@ module.exports = (reporter) => {
 
       const asyncResultId = nanoid(7)
       asyncResultMap.set(asyncResultId, fnResult)
+      asyncCallChainSet.add(asyncResultId)
 
       return `{#asyncHelperResult ${asyncResultId}}`
     }

package/lib/worker/sandbox/propertiesSandbox.js

@@ -253,6 +253,23 @@ function applyPropertiesConfig (context, hierarchyPropertiesConfig, {
     shouldStoreOriginal = false
   }
 
+  // allow configuring parent as hidden, but child props as readonly so we expose
+  // just part of the parent
+  // const ignoreParentHidden = false
+  const ignoreParentHidden = (
+    isHidden &&
+    isGrouped &&
+    (hierarchyPropertiesConfig.inner != null || hierarchyPropertiesConfig.standalone != null)
+  )
+
+  if (parentOpts?.originalSandboxHidden !== true && ignoreParentHidden) {
+    // we store the original value for the top parent with hidden value
+    shouldStoreOriginal = true
+  } else if (parentOpts && parentOpts.originalSandboxHidden === true) {
+    // we don't store original value when parent was configured as hidden
+    shouldStoreOriginal = false
+  }
+
   // saving original value
   if (shouldStoreOriginal) {
     let exists = true
@@ -284,6 +301,19 @@ function applyPropertiesConfig (context, hierarchyPropertiesConfig, {
     Object.keys(c.standalone).forEach((standaloneKey) => {
       const standaloneConfig = c.standalone[standaloneKey]
 
+      const newParentOpts = {
+        sandboxHidden: ignoreParentHidden ? false : isHidden,
+        sandboxReadOnly: isReadOnly
+      }
+
+      // set and inherit originalSandboxHidden if needed
+      if (
+        parentOpts?.originalSandboxHidden === true ||
+        (ignoreParentHidden && isHidden)
+      ) {
+        newParentOpts.originalSandboxHidden = true
+      }
+
       applyPropertiesConfig(context, standaloneConfig, {
         original,
         customProxies,
@@ -291,7 +321,7 @@ function applyPropertiesConfig (context, hierarchyPropertiesConfig, {
         isRoot: false,
         isGrouped: false,
         onlyReadOnlyTopLevel,
-        parentOpts: { sandboxHidden: isHidden, sandboxReadOnly: isReadOnly }
+        parentOpts: newParentOpts
       }, readOnlyConfigured)
     })
   }
@@ -300,19 +330,65 @@ function applyPropertiesConfig (context, hierarchyPropertiesConfig, {
     Object.keys(c.inner).forEach((innerKey) => {
       const innerConfig = c.inner[innerKey]
 
+      const newParentOpts = {
+        sandboxHidden: ignoreParentHidden ? false : isHidden,
+        sandboxReadOnly: isReadOnly
+      }
+
+      // set and inherit originalSandboxHidden if needed
+      if (
+        parentOpts?.originalSandboxHidden === true ||
+        (ignoreParentHidden && isHidden)
+      ) {
+        newParentOpts.originalSandboxHidden = true
+      }
+
       applyPropertiesConfig(context, innerConfig, {
         original,
         customProxies,
         prop: innerKey,
         isRoot: false,
         isGrouped: true,
-        parentOpts: { sandboxHidden: isHidden, sandboxReadOnly: isReadOnly }
+        parentOpts: newParentOpts
       }, readOnlyConfigured)
     })
   }
 
   if (isHidden) {
-    omitProp(context, prop)
+    if (ignoreParentHidden) {
+      // when parent is hidden but there are configuration for child properties we just copy
+      // the properties listed there, we do this because we want to work with just the configured
+      // properties, the other properties should not be exposed
+      const currentValue = get(context, prop)
+
+      if (currentValue != null && typeof currentValue === 'object') {
+        let newValue
+
+        if (Array.isArray(currentValue)) {
+          newValue = []
+        } else {
+          newValue = {}
+        }
+
+        for (const config of [hierarchyPropertiesConfig.standalone, hierarchyPropertiesConfig.inner]) {
+          if (config == null) {
+            continue
+          }
+
+          for (const childProp of Object.keys(config)) {
+            if (hasOwn(context, childProp)) {
+              const childValue = get(context, childProp)
+              const targetProp = childProp.replace(`${prop}.`, '')
+              set(newValue, targetProp, childValue)
+            }
+          }
+        }
+
+        set(context, prop, newValue)
+      }
+    } else {
+      omitProp(context, prop)
+    }
   } else if (isReadOnly) {
     readOnlyProp(context, prop, readOnlyConfigured, customProxies, {
       onlyTopLevel: false,

package/lib/worker/sandbox/requireSandbox.js

@@ -38,7 +38,7 @@ module.exports = function createSandboxRequire (safeExecution, isolateModules, m
 
   if (isolateModules) {
     const requireExtensions = Object.create(null)
-    isolatedRequire.setDefaultRequireExtensions(requireExtensions, modulesCache, compileScript)
+    isolatedRequire.setDefaultRequireExtensions(requireExtensions, requireFromRootDirectory, compileScript)
     modulesMeta.requireExtensions = requireExtensions
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsreport/jsreport-core",
-  "version": "4.2.1",
+  "version": "4.3.0",
   "description": "javascript based business reporting",
   "keywords": [
     "report",
@@ -78,6 +78,7 @@
   },
   "devDependencies": {
     "@node-rs/jsonwebtoken": "0.2.0",
+    "jsdom": "17.0.0",
     "mocha": "10.1.0",
     "should": "13.2.3",
     "standard": "16.0.4",