@jsreport/jsreport-core 4.2.2 → 4.3.1

package/README.md

@@ -256,7 +256,7 @@ jsreport currently support these main listeners
 - `closeListeners()` called when jsreport is about to be closed, you will usually put here some code that clean up some resource
 
 ## Studio
-jsreport includes also visual html studio and rest API. This is provided through two extensions, [@jsreport/jsreport-express](https://github.com/jsreport/jsreport/tree/master/packages/jsreport-express) extension to have a web server available and [@jsreport/jsreport-studio](https://github.com/jsreport/jsreport/tree/master/packages/jsreport-studio) for the web UI, both extensions should be installed in order to have the studio ready. See the documentation of each extension for the details.
+jsreport includes also visual html studio and rest API. This is provided through two extensions, [@jsreport/jsreport-express](https://github.com/jsreport/jsreport/tree/master/packages/jsreport-express) extension to have a web server available and [@jsreport/jsreport-studio](https://github.com/jsreport/jsreport/tree/master/packages/jsreport-studio) for the web UI, both extensions should be installed in order to have the studio ready. See the documentation of each extension for the details
 
 ## Template store
 `jsreport-core` includes API for persisting and accessing report templates. This API is then used by extensions mainly in combination with jsreport [studio](#studio). `jsreport-core` implements just in-memory persistence, but you can add other persistence methods through extensions, see the [template stores](https://jsreport.net/learn/template-stores) docummentation
@@ -282,11 +282,21 @@ jsreport.documentStore.collection('templates')
 
 ## Changelog
 
+### 4.3.1
+
+- fix `waitForAsyncHelper`, `waitForAsyncHelpers` not working with trustUserCode: true
+
+### 4.3.0
+
+- expose safe properties of `req.context.user` in sandbox
+- fix component execution when wrapped with async helper
+- fix jsdom require in sandbox
+
 ### 4.2.2
 
 - fix recursive component rendering
 
-### 4.2.1
+### 4.2.1
 
 - response.output.update now accepts Web ReadableStream (which is what new version of puppeteer returns)
 

package/lib/worker/render/executeEngine.js

@@ -14,7 +14,7 @@ module.exports = (reporter) => {
 
   reporter.templatingEngines = { cache: templatesCache }
 
-  const contextExecutionChainMap = new WeakMap()
+  const contextExecutionChainMap = new Map()
   const executionFnParsedParamsMap = new Map()
   const executionAsyncResultsMap = new Map()
   const executionAsyncCallChainMap = new Map()
@@ -69,7 +69,7 @@ module.exports = (reporter) => {
         return templatingEnginesEvaluate(false, executionInfo, entityInfo, req)
       },
       waitForAsyncHelper: async (maybeAsyncContent) => {
-        const executionChain = contextExecutionChainMap.get(context) || []
+        const executionChain = contextExecutionChainMap.get(context.__sandboxId) || []
         const executionId = executionChain[executionChain.length - 1]
 
         if (
@@ -99,7 +99,7 @@ module.exports = (reporter) => {
         return content
       },
       waitForAsyncHelpers: async () => {
-        const executionChain = contextExecutionChainMap.get(context) || []
+        const executionChain = contextExecutionChainMap.get(context.__sandboxId) || []
         const executionId = executionChain[executionChain.length - 1]
 
         if (executionId != null && executionAsyncResultsMap.has(executionId)) {
@@ -115,7 +115,7 @@ module.exports = (reporter) => {
         }
       },
       addFinishListener: (fn) => {
-        const executionChain = contextExecutionChainMap.get(context) || []
+        const executionChain = contextExecutionChainMap.get(context.__sandboxId) || []
         const executionId = executionChain[executionChain.length - 1]
 
         if (executionId && executionFinishListenersMap.has(executionId)) {
@@ -123,7 +123,7 @@ module.exports = (reporter) => {
         }
       },
       createAsyncHelperResult: (v) => {
-        const executionChain = contextExecutionChainMap.get(context) || []
+        const executionChain = contextExecutionChainMap.get(context.__sandboxId) || []
         const executionId = executionChain[executionChain.length - 1]
 
         const asyncResultMap = executionAsyncResultsMap.get(executionId)
@@ -170,6 +170,7 @@ module.exports = (reporter) => {
 
     const normalizedHelpers = `${helpers || ''}`
     const executionFnParsedParamsKey = `entity:${entity.shortid || 'anonymous'}:helpers:${normalizedHelpers}`
+    let sandboxId
 
     const initFn = async (getTopLevelFunctions, compileScript) => {
       if (systemHelpersCache != null) {
@@ -213,14 +214,15 @@ module.exports = (reporter) => {
     }
 
     const executionFn = async ({ require, console, topLevelFunctions, context }) => {
+      sandboxId = context.__sandboxId
       const asyncResultMap = new Map()
       const asyncCallChainSet = new Set()
 
-      if (!contextExecutionChainMap.has(context)) {
-        contextExecutionChainMap.set(context, [])
+      if (!contextExecutionChainMap.has(sandboxId)) {
+        contextExecutionChainMap.set(sandboxId, [])
       }
 
-      contextExecutionChainMap.get(context).push(executionId)
+      contextExecutionChainMap.get(sandboxId).push(executionId)
 
       executionAsyncResultsMap.set(executionId, asyncResultMap)
       executionAsyncCallChainMap.set(executionId, asyncCallChainSet)
@@ -259,16 +261,29 @@ module.exports = (reporter) => {
       const resolvedResultsMap = new Map()
 
       // we need to use the cloned map, because there can be a waitForAsyncHelper pending that needs the asyncResultMap values
-      const clonedMap = new Map(asyncResultMap)
+      let clonedMap = new Map(asyncResultMap)
+
       while (clonedMap.size > 0) {
-        await Promise.all([...clonedMap.keys()].map(async (k) => {
+        const keysEvaluated = [...clonedMap.keys()]
+
+        await Promise.all(keysEvaluated.map(async (k) => {
           const result = await clonedMap.get(k)
           asyncCallChainSet.delete(k)
           resolvedResultsMap.set(k, `${result}`)
           clonedMap.delete(k)
         }))
+
+        // we need to remove the keys processed from the original map at this point
+        // (after the await) because during the async work the asyncResultMap will be read
+        for (const k of keysEvaluated) {
+          asyncResultMap.delete(k)
+        }
+
+        // we want to process the new generated pending async results
+        if (asyncResultMap.size > 0) {
+          clonedMap = new Map(asyncResultMap)
+        }
       }
-      asyncResultMap.clear()
 
       while (contentResult.includes('{#asyncHelperResult')) {
         contentResult = contentResult.replace(/{#asyncHelperResult ([^{}]+)}/g, (str, p1) => {
@@ -284,11 +299,12 @@ module.exports = (reporter) => {
           return `${resolvedResultsMap.get(asyncResultId)}`
         })
       }
+
       contentResult = contentResult.replace(/asyncUnresolvedHelperResult/g, 'asyncHelperResult')
 
       await executionFinishListenersMap.get(executionId).fire()
 
-      contextExecutionChainMap.set(context, contextExecutionChainMap.get(context).filter((id) => id !== executionId))
+      contextExecutionChainMap.set(sandboxId, contextExecutionChainMap.get(sandboxId).filter((id) => id !== executionId))
 
       return {
         // handlebars escapes single brackets before execution to prevent errors on {#asset}
@@ -373,6 +389,10 @@ module.exports = (reporter) => {
       }
 
       throw newError
+    } finally {
+      if (sandboxId != null) {
+        contextExecutionChainMap.delete(sandboxId)
+      }
     }
   }
 

package/lib/worker/sandbox/propertiesSandbox.js

@@ -253,6 +253,23 @@ function applyPropertiesConfig (context, hierarchyPropertiesConfig, {
     shouldStoreOriginal = false
   }
 
+  // allow configuring parent as hidden, but child props as readonly so we expose
+  // just part of the parent
+  // const ignoreParentHidden = false
+  const ignoreParentHidden = (
+    isHidden &&
+    isGrouped &&
+    (hierarchyPropertiesConfig.inner != null || hierarchyPropertiesConfig.standalone != null)
+  )
+
+  if (parentOpts?.originalSandboxHidden !== true && ignoreParentHidden) {
+    // we store the original value for the top parent with hidden value
+    shouldStoreOriginal = true
+  } else if (parentOpts && parentOpts.originalSandboxHidden === true) {
+    // we don't store original value when parent was configured as hidden
+    shouldStoreOriginal = false
+  }
+
   // saving original value
   if (shouldStoreOriginal) {
     let exists = true
@@ -284,6 +301,19 @@ function applyPropertiesConfig (context, hierarchyPropertiesConfig, {
     Object.keys(c.standalone).forEach((standaloneKey) => {
       const standaloneConfig = c.standalone[standaloneKey]
 
+      const newParentOpts = {
+        sandboxHidden: ignoreParentHidden ? false : isHidden,
+        sandboxReadOnly: isReadOnly
+      }
+
+      // set and inherit originalSandboxHidden if needed
+      if (
+        parentOpts?.originalSandboxHidden === true ||
+        (ignoreParentHidden && isHidden)
+      ) {
+        newParentOpts.originalSandboxHidden = true
+      }
+
       applyPropertiesConfig(context, standaloneConfig, {
         original,
         customProxies,
@@ -291,7 +321,7 @@ function applyPropertiesConfig (context, hierarchyPropertiesConfig, {
         isRoot: false,
         isGrouped: false,
         onlyReadOnlyTopLevel,
-        parentOpts: { sandboxHidden: isHidden, sandboxReadOnly: isReadOnly }
+        parentOpts: newParentOpts
       }, readOnlyConfigured)
     })
   }
@@ -300,19 +330,65 @@ function applyPropertiesConfig (context, hierarchyPropertiesConfig, {
     Object.keys(c.inner).forEach((innerKey) => {
       const innerConfig = c.inner[innerKey]
 
+      const newParentOpts = {
+        sandboxHidden: ignoreParentHidden ? false : isHidden,
+        sandboxReadOnly: isReadOnly
+      }
+
+      // set and inherit originalSandboxHidden if needed
+      if (
+        parentOpts?.originalSandboxHidden === true ||
+        (ignoreParentHidden && isHidden)
+      ) {
+        newParentOpts.originalSandboxHidden = true
+      }
+
       applyPropertiesConfig(context, innerConfig, {
         original,
         customProxies,
         prop: innerKey,
         isRoot: false,
         isGrouped: true,
-        parentOpts: { sandboxHidden: isHidden, sandboxReadOnly: isReadOnly }
+        parentOpts: newParentOpts
       }, readOnlyConfigured)
     })
   }
 
   if (isHidden) {
-    omitProp(context, prop)
+    if (ignoreParentHidden) {
+      // when parent is hidden but there are configuration for child properties we just copy
+      // the properties listed there, we do this because we want to work with just the configured
+      // properties, the other properties should not be exposed
+      const currentValue = get(context, prop)
+
+      if (currentValue != null && typeof currentValue === 'object') {
+        let newValue
+
+        if (Array.isArray(currentValue)) {
+          newValue = []
+        } else {
+          newValue = {}
+        }
+
+        for (const config of [hierarchyPropertiesConfig.standalone, hierarchyPropertiesConfig.inner]) {
+          if (config == null) {
+            continue
+          }
+
+          for (const childProp of Object.keys(config)) {
+            if (hasOwn(context, childProp)) {
+              const childValue = get(context, childProp)
+              const targetProp = childProp.replace(`${prop}.`, '')
+              set(newValue, targetProp, childValue)
+            }
+          }
+        }
+
+        set(context, prop, newValue)
+      }
+    } else {
+      omitProp(context, prop)
+    }
   } else if (isReadOnly) {
     readOnlyProp(context, prop, readOnlyConfigured, customProxies, {
       onlyTopLevel: false,

package/lib/worker/sandbox/requireSandbox.js

@@ -38,7 +38,7 @@ module.exports = function createSandboxRequire (safeExecution, isolateModules, m
 
   if (isolateModules) {
     const requireExtensions = Object.create(null)
-    isolatedRequire.setDefaultRequireExtensions(requireExtensions, modulesCache, compileScript)
+    isolatedRequire.setDefaultRequireExtensions(requireExtensions, requireFromRootDirectory, compileScript)
     modulesMeta.requireExtensions = requireExtensions
   }
 

package/lib/worker/sandbox/runInSandbox.js

@@ -25,6 +25,9 @@ module.exports = function createRunInSandbox (reporter) {
     // it may turn out it is a bad approach in assets so we gonna delete it here
     const executionFnName = `${nanoid()}_executionFn`
 
+    // creating new id different than execution to ensure user code can not get access to
+    // internal functions by using the __sandboxId
+    context.__sandboxId = nanoid()
     context[executionFnName] = executionFn
     context.__appDirectory = reporter.options.appDirectory
     context.__rootDirectory = reporter.options.rootDirectory

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsreport/jsreport-core",
-  "version": "4.2.2",
+  "version": "4.3.1",
   "description": "javascript based business reporting",
   "keywords": [
     "report",
@@ -78,6 +78,7 @@
   },
   "devDependencies": {
     "@node-rs/jsonwebtoken": "0.2.0",
+    "jsdom": "17.0.0",
     "mocha": "10.1.0",
     "should": "13.2.3",
     "standard": "16.0.4",