@metamask/snaps-utils 0.24.0

package/dist/notification.d.ts

@@ -0,0 +1,66 @@
+import { Infer } from 'superstruct';
+export declare const EventStruct: import("superstruct").Struct<{
+    name: string;
+    data: unknown;
+}, {
+    name: import("superstruct").Struct<string, null>;
+    data: import("superstruct").Struct<unknown, null>;
+}>;
+export declare type Event = Infer<typeof EventStruct>;
+/**
+ * Check if a value is a SIP-2 event.
+ *
+ * @param value - The value to check.
+ * @returns Whether the value is a SIP-2 event.
+ */
+export declare function isEvent(value: unknown): value is Event;
+/**
+ * Assert that a value is a SIP-2 event.
+ *
+ * @param value - The value to check.
+ * @throws If the value is not a SIP-2 event.
+ */
+export declare function assertIsEvent(value: unknown): asserts value is Event;
+export declare const MetaMaskNotificationStruct: import("superstruct").Struct<{
+    params: {
+        chainId: string;
+        event: {
+            name: string;
+            data: unknown;
+        };
+    };
+    method: "multichainHack_metamask_event";
+}, {
+    method: import("superstruct").Struct<"multichainHack_metamask_event", "multichainHack_metamask_event">;
+    params: import("superstruct").Struct<{
+        chainId: string;
+        event: {
+            name: string;
+            data: unknown;
+        };
+    }, {
+        chainId: import("superstruct").Struct<string, null>;
+        event: import("superstruct").Struct<{
+            name: string;
+            data: unknown;
+        }, {
+            name: import("superstruct").Struct<string, null>;
+            data: import("superstruct").Struct<unknown, null>;
+        }>;
+    }>;
+}>;
+export declare type MetaMaskNotification = Infer<typeof MetaMaskNotificationStruct>;
+/**
+ * Check if a value is a SIP-2 notification.
+ *
+ * @param value - The value to check.
+ * @returns Whether the value is a SIP-2 notification.
+ */
+export declare function isMetaMaskNotification(value: unknown): value is MetaMaskNotification;
+/**
+ * Assert that a value is a SIP-2 notification.
+ *
+ * @param value - The value to check.
+ * @throws If the value is not a SIP-2 notification.
+ */
+export declare function assertIsMetaMaskNotification(value: unknown): asserts value is MetaMaskNotification;

package/dist/notification.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertIsMetaMaskNotification = exports.isMetaMaskNotification = exports.MetaMaskNotificationStruct = exports.assertIsEvent = exports.isEvent = exports.EventStruct = void 0;
+const superstruct_1 = require("superstruct");
+const utils_1 = require("@metamask/utils");
+const namespace_1 = require("./namespace");
+exports.EventStruct = (0, superstruct_1.object)({
+    name: (0, superstruct_1.string)(),
+    data: (0, superstruct_1.unknown)(),
+});
+/**
+ * Check if a value is a SIP-2 event.
+ *
+ * @param value - The value to check.
+ * @returns Whether the value is a SIP-2 event.
+ */
+function isEvent(value) {
+    return (0, superstruct_1.is)(value, exports.EventStruct);
+}
+exports.isEvent = isEvent;
+/**
+ * Assert that a value is a SIP-2 event.
+ *
+ * @param value - The value to check.
+ * @throws If the value is not a SIP-2 event.
+ */
+function assertIsEvent(value) {
+    (0, utils_1.assertStruct)(value, exports.EventStruct, 'Invalid event');
+}
+exports.assertIsEvent = assertIsEvent;
+exports.MetaMaskNotificationStruct = (0, superstruct_1.object)({
+    method: (0, superstruct_1.literal)('multichainHack_metamask_event'),
+    params: (0, superstruct_1.object)({
+        chainId: namespace_1.ChainIdStruct,
+        event: exports.EventStruct,
+    }),
+});
+/**
+ * Check if a value is a SIP-2 notification.
+ *
+ * @param value - The value to check.
+ * @returns Whether the value is a SIP-2 notification.
+ */
+function isMetaMaskNotification(value) {
+    return (0, superstruct_1.is)(value, exports.MetaMaskNotificationStruct);
+}
+exports.isMetaMaskNotification = isMetaMaskNotification;
+/**
+ * Assert that a value is a SIP-2 notification.
+ *
+ * @param value - The value to check.
+ * @throws If the value is not a SIP-2 notification.
+ */
+function assertIsMetaMaskNotification(value) {
+    (0, utils_1.assertStruct)(value, exports.MetaMaskNotificationStruct, 'Invalid notification');
+}
+exports.assertIsMetaMaskNotification = assertIsMetaMaskNotification;
+//# sourceMappingURL=notification.js.map

package/dist/notification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"notification.js","sourceRoot":"","sources":["../src/notification.ts"],"names":[],"mappings":";;;AAAA,6CAA0E;AAC1E,2CAA+C;AAC/C,2CAA4C;AAE/B,QAAA,WAAW,GAAG,IAAA,oBAAM,EAAC;IAChC,IAAI,EAAE,IAAA,oBAAM,GAAE;IACd,IAAI,EAAE,IAAA,qBAAO,GAAE;CAChB,CAAC,CAAC;AAIH;;;;;GAKG;AACH,SAAgB,OAAO,CAAC,KAAc;IACpC,OAAO,IAAA,gBAAE,EAAC,KAAK,EAAE,mBAAW,CAAC,CAAC;AAChC,CAAC;AAFD,0BAEC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,KAAc;IAC1C,IAAA,oBAAY,EAAC,KAAK,EAAE,mBAAW,EAAE,eAAe,CAAC,CAAC;AACpD,CAAC;AAFD,sCAEC;AAEY,QAAA,0BAA0B,GAAG,IAAA,oBAAM,EAAC;IAC/C,MAAM,EAAE,IAAA,qBAAO,EAAC,+BAA+B,CAAC;IAChD,MAAM,EAAE,IAAA,oBAAM,EAAC;QACb,OAAO,EAAE,yBAAa;QACtB,KAAK,EAAE,mBAAW;KACnB,CAAC;CACH,CAAC,CAAC;AAIH;;;;;GAKG;AACH,SAAgB,sBAAsB,CACpC,KAAc;IAEd,OAAO,IAAA,gBAAE,EAAC,KAAK,EAAE,kCAA0B,CAAC,CAAC;AAC/C,CAAC;AAJD,wDAIC;AAED;;;;;GAKG;AACH,SAAgB,4BAA4B,CAC1C,KAAc;IAEd,IAAA,oBAAY,EAAC,KAAK,EAAE,kCAA0B,EAAE,sBAAsB,CAAC,CAAC;AAC1E,CAAC;AAJD,oEAIC","sourcesContent":["import { Infer, is, literal, object, string, unknown } from 'superstruct';\nimport { assertStruct } from '@metamask/utils';\nimport { ChainIdStruct } from './namespace';\n\nexport const EventStruct = object({\n  name: string(),\n  data: unknown(),\n});\n\nexport type Event = Infer<typeof EventStruct>;\n\n/**\n * Check if a value is a SIP-2 event.\n *\n * @param value - The value to check.\n * @returns Whether the value is a SIP-2 event.\n */\nexport function isEvent(value: unknown): value is Event {\n  return is(value, EventStruct);\n}\n\n/**\n * Assert that a value is a SIP-2 event.\n *\n * @param value - The value to check.\n * @throws If the value is not a SIP-2 event.\n */\nexport function assertIsEvent(value: unknown): asserts value is Event {\n  assertStruct(value, EventStruct, 'Invalid event');\n}\n\nexport const MetaMaskNotificationStruct = object({\n  method: literal('multichainHack_metamask_event'),\n  params: object({\n    chainId: ChainIdStruct,\n    event: EventStruct,\n  }),\n});\n\nexport type MetaMaskNotification = Infer<typeof MetaMaskNotificationStruct>;\n\n/**\n * Check if a value is a SIP-2 notification.\n *\n * @param value - The value to check.\n * @returns Whether the value is a SIP-2 notification.\n */\nexport function isMetaMaskNotification(\n  value: unknown,\n): value is MetaMaskNotification {\n  return is(value, MetaMaskNotificationStruct);\n}\n\n/**\n * Assert that a value is a SIP-2 notification.\n *\n * @param value - The value to check.\n * @throws If the value is not a SIP-2 notification.\n */\nexport function assertIsMetaMaskNotification(\n  value: unknown,\n): asserts value is MetaMaskNotification {\n  assertStruct(value, MetaMaskNotificationStruct, 'Invalid notification');\n}\n"]}

package/dist/npm.d.ts

@@ -0,0 +1,20 @@
+import { NpmSnapFileNames, SnapFiles, UnvalidatedSnapFiles } from './types';
+export declare const SVG_MAX_BYTE_SIZE = 100000;
+export declare const SVG_MAX_BYTE_SIZE_TEXT: string;
+export declare const EXPECTED_SNAP_FILES: readonly ["manifest", "packageJson", "sourceCode"];
+export declare const SnapFileNameFromKey: {
+    readonly manifest: NpmSnapFileNames.Manifest;
+    readonly packageJson: NpmSnapFileNames.PackageJson;
+    readonly sourceCode: "source code bundle";
+};
+/**
+ * Validates the files extracted from an npm Snap package tarball by ensuring
+ * that they're non-empty and that the Json files match their respective schemas
+ * and the Snaps publishing specification.
+ *
+ * @param snapFiles - The object containing the expected Snap file contents,
+ * if any.
+ * @param errorPrefix - The prefix of the error message.
+ * @returns A tuple of the Snap manifest object and the Snap source code.
+ */
+export declare function validateNpmSnap(snapFiles: UnvalidatedSnapFiles, errorPrefix?: `${string}: `): SnapFiles;

package/dist/npm.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateNpmSnap = exports.SnapFileNameFromKey = exports.EXPECTED_SNAP_FILES = exports.SVG_MAX_BYTE_SIZE_TEXT = exports.SVG_MAX_BYTE_SIZE = void 0;
+const manifest_1 = require("./manifest/manifest");
+const validation_1 = require("./manifest/validation");
+const types_1 = require("./types");
+exports.SVG_MAX_BYTE_SIZE = 100000;
+exports.SVG_MAX_BYTE_SIZE_TEXT = `${Math.floor(exports.SVG_MAX_BYTE_SIZE / 1000)}kb`;
+exports.EXPECTED_SNAP_FILES = [
+    'manifest',
+    'packageJson',
+    'sourceCode',
+];
+exports.SnapFileNameFromKey = {
+    manifest: types_1.NpmSnapFileNames.Manifest,
+    packageJson: types_1.NpmSnapFileNames.PackageJson,
+    sourceCode: 'source code bundle',
+};
+/**
+ * Validates the files extracted from an npm Snap package tarball by ensuring
+ * that they're non-empty and that the Json files match their respective schemas
+ * and the Snaps publishing specification.
+ *
+ * @param snapFiles - The object containing the expected Snap file contents,
+ * if any.
+ * @param errorPrefix - The prefix of the error message.
+ * @returns A tuple of the Snap manifest object and the Snap source code.
+ */
+function validateNpmSnap(snapFiles, errorPrefix) {
+    exports.EXPECTED_SNAP_FILES.forEach((key) => {
+        if (!snapFiles[key]) {
+            throw new Error(`${errorPrefix !== null && errorPrefix !== void 0 ? errorPrefix : ''}Missing file "${exports.SnapFileNameFromKey[key]}".`);
+        }
+    });
+    // Typecast: We are assured that the required files exist if we get here.
+    const { manifest, packageJson, sourceCode, svgIcon } = snapFiles;
+    try {
+        (0, validation_1.assertIsSnapManifest)(manifest);
+    }
+    catch (error) {
+        throw new Error(`${errorPrefix !== null && errorPrefix !== void 0 ? errorPrefix : ''}${error.message}`);
+    }
+    const validatedManifest = manifest;
+    const { iconPath } = validatedManifest.source.location.npm;
+    if (iconPath && !svgIcon) {
+        throw new Error(`Missing file "${iconPath}".`);
+    }
+    try {
+        (0, types_1.assertIsNpmSnapPackageJson)(packageJson);
+    }
+    catch (error) {
+        throw new Error(`${errorPrefix !== null && errorPrefix !== void 0 ? errorPrefix : ''}${error.message}`);
+    }
+    const validatedPackageJson = packageJson;
+    (0, manifest_1.validateNpmSnapManifest)({
+        manifest: validatedManifest,
+        packageJson: validatedPackageJson,
+        sourceCode,
+    });
+    if (svgIcon) {
+        if (Buffer.byteLength(svgIcon, 'utf8') > exports.SVG_MAX_BYTE_SIZE) {
+            throw new Error(`${errorPrefix !== null && errorPrefix !== void 0 ? errorPrefix : ''}The specified SVG icon exceeds the maximum size of ${exports.SVG_MAX_BYTE_SIZE_TEXT}.`);
+        }
+    }
+    return {
+        manifest: validatedManifest,
+        packageJson: validatedPackageJson,
+        sourceCode,
+        svgIcon,
+    };
+}
+exports.validateNpmSnap = validateNpmSnap;
+//# sourceMappingURL=npm.js.map

package/dist/npm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm.js","sourceRoot":"","sources":["../src/npm.ts"],"names":[],"mappings":";;;AAAA,kDAA8D;AAC9D,sDAA2E;AAC3E,mCAMiB;AAEJ,QAAA,iBAAiB,GAAG,MAAO,CAAC;AAC5B,QAAA,sBAAsB,GAAG,GAAG,IAAI,CAAC,KAAK,CACjD,yBAAiB,GAAG,IAAI,CACzB,IAAI,CAAC;AAEO,QAAA,mBAAmB,GAAG;IACjC,UAAU;IACV,aAAa;IACb,YAAY;CACJ,CAAC;AAEE,QAAA,mBAAmB,GAAG;IACjC,QAAQ,EAAE,wBAAgB,CAAC,QAAQ;IACnC,WAAW,EAAE,wBAAgB,CAAC,WAAW;IACzC,UAAU,EAAE,oBAAoB;CACxB,CAAC;AAEX;;;;;;;;;GASG;AACH,SAAgB,eAAe,CAC7B,SAA+B,EAC/B,WAA2B;IAE3B,2BAAmB,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QAClC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;YACnB,MAAM,IAAI,KAAK,CACb,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,EAAE,iBAAiB,2BAAmB,CAAC,GAAG,CAAC,IAAI,CAClE,CAAC;SACH;IACH,CAAC,CAAC,CAAC;IAEH,yEAAyE;IACzE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,SAAsB,CAAC;IAC9E,IAAI;QACF,IAAA,iCAAoB,EAAC,QAAQ,CAAC,CAAC;KAChC;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,EAAE,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;KACzD;IACD,MAAM,iBAAiB,GAAG,QAAwB,CAAC;IAEnD,MAAM,EAAE,QAAQ,EAAE,GAAG,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;IAC3D,IAAI,QAAQ,IAAI,CAAC,OAAO,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,iBAAiB,QAAQ,IAAI,CAAC,CAAC;KAChD;IAED,IAAI;QACF,IAAA,kCAA0B,EAAC,WAAW,CAAC,CAAC;KACzC;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,EAAE,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;KACzD;IACD,MAAM,oBAAoB,GAAG,WAAiC,CAAC;IAE/D,IAAA,kCAAuB,EAAC;QACtB,QAAQ,EAAE,iBAAiB;QAC3B,WAAW,EAAE,oBAAoB;QACjC,UAAU;KACX,CAAC,CAAC;IAEH,IAAI,OAAO,EAAE;QACX,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,yBAAiB,EAAE;YAC1D,MAAM,IAAI,KAAK,CACb,GACE,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,EACjB,sDAAsD,8BAAsB,GAAG,CAChF,CAAC;SACH;KACF;IAED,OAAO;QACL,QAAQ,EAAE,iBAAiB;QAC3B,WAAW,EAAE,oBAAoB;QACjC,UAAU;QACV,OAAO;KACR,CAAC;AACJ,CAAC;AAvDD,0CAuDC","sourcesContent":["import { validateNpmSnapManifest } from './manifest/manifest';\nimport { assertIsSnapManifest, SnapManifest } from './manifest/validation';\nimport {\n  assertIsNpmSnapPackageJson,\n  NpmSnapFileNames,\n  NpmSnapPackageJson,\n  SnapFiles,\n  UnvalidatedSnapFiles,\n} from './types';\n\nexport const SVG_MAX_BYTE_SIZE = 100_000;\nexport const SVG_MAX_BYTE_SIZE_TEXT = `${Math.floor(\n  SVG_MAX_BYTE_SIZE / 1000,\n)}kb`;\n\nexport const EXPECTED_SNAP_FILES = [\n  'manifest',\n  'packageJson',\n  'sourceCode',\n] as const;\n\nexport const SnapFileNameFromKey = {\n  manifest: NpmSnapFileNames.Manifest,\n  packageJson: NpmSnapFileNames.PackageJson,\n  sourceCode: 'source code bundle',\n} as const;\n\n/**\n * Validates the files extracted from an npm Snap package tarball by ensuring\n * that they're non-empty and that the Json files match their respective schemas\n * and the Snaps publishing specification.\n *\n * @param snapFiles - The object containing the expected Snap file contents,\n * if any.\n * @param errorPrefix - The prefix of the error message.\n * @returns A tuple of the Snap manifest object and the Snap source code.\n */\nexport function validateNpmSnap(\n  snapFiles: UnvalidatedSnapFiles,\n  errorPrefix?: `${string}: `,\n): SnapFiles {\n  EXPECTED_SNAP_FILES.forEach((key) => {\n    if (!snapFiles[key]) {\n      throw new Error(\n        `${errorPrefix ?? ''}Missing file \"${SnapFileNameFromKey[key]}\".`,\n      );\n    }\n  });\n\n  // Typecast: We are assured that the required files exist if we get here.\n  const { manifest, packageJson, sourceCode, svgIcon } = snapFiles as SnapFiles;\n  try {\n    assertIsSnapManifest(manifest);\n  } catch (error) {\n    throw new Error(`${errorPrefix ?? ''}${error.message}`);\n  }\n  const validatedManifest = manifest as SnapManifest;\n\n  const { iconPath } = validatedManifest.source.location.npm;\n  if (iconPath && !svgIcon) {\n    throw new Error(`Missing file \"${iconPath}\".`);\n  }\n\n  try {\n    assertIsNpmSnapPackageJson(packageJson);\n  } catch (error) {\n    throw new Error(`${errorPrefix ?? ''}${error.message}`);\n  }\n  const validatedPackageJson = packageJson as NpmSnapPackageJson;\n\n  validateNpmSnapManifest({\n    manifest: validatedManifest,\n    packageJson: validatedPackageJson,\n    sourceCode,\n  });\n\n  if (svgIcon) {\n    if (Buffer.byteLength(svgIcon, 'utf8') > SVG_MAX_BYTE_SIZE) {\n      throw new Error(\n        `${\n          errorPrefix ?? ''\n        }The specified SVG icon exceeds the maximum size of ${SVG_MAX_BYTE_SIZE_TEXT}.`,\n      );\n    }\n  }\n\n  return {\n    manifest: validatedManifest,\n    packageJson: validatedPackageJson,\n    sourceCode,\n    svgIcon,\n  };\n}\n"]}

package/dist/object.d.ts

@@ -0,0 +1,8 @@
+/**
+ * An alternative implementation of `Object.fromEntries`, which works in older
+ * browsers.
+ *
+ * @param entries - The entries to convert to an object.
+ * @returns The object.
+ */
+export declare const fromEntries: <Key extends string, Value>(entries: readonly (readonly [Key, Value])[]) => Record<Key, Value>;

package/dist/object.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fromEntries = void 0;
+/**
+ * An alternative implementation of `Object.fromEntries`, which works in older
+ * browsers.
+ *
+ * @param entries - The entries to convert to an object.
+ * @returns The object.
+ */
+const fromEntries = (entries) => {
+    return entries.reduce((acc, [key, value]) => (Object.assign(Object.assign({}, acc), { [key]: value })), {});
+};
+exports.fromEntries = fromEntries;
+//# sourceMappingURL=object.js.map

package/dist/object.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"object.js","sourceRoot":"","sources":["../src/object.ts"],"names":[],"mappings":";;;AAAA;;;;;;GAMG;AACI,MAAM,WAAW,GAAG,CACzB,OAA2C,EACvB,EAAE;IACtB,OAAO,OAAO,CAAC,MAAM,CACnB,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,iCAAM,GAAG,KAAE,CAAC,GAAG,CAAC,EAAE,KAAK,IAAG,EACjD,EAAwB,CACzB,CAAC;AACJ,CAAC,CAAC;AAPW,QAAA,WAAW,eAOtB","sourcesContent":["/**\n * An alternative implementation of `Object.fromEntries`, which works in older\n * browsers.\n *\n * @param entries - The entries to convert to an object.\n * @returns The object.\n */\nexport const fromEntries = <Key extends string, Value>(\n  entries: readonly (readonly [Key, Value])[],\n): Record<Key, Value> => {\n  return entries.reduce<Record<Key, Value>>(\n    (acc, [key, value]) => ({ ...acc, [key]: value }),\n    {} as Record<Key, Value>,\n  );\n};\n"]}

package/dist/post-process.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Source map declaration taken from `@babel/core`. Babel doesn't export the
+ * type for this, so it's copied from the source code instead here.
+ */
+export declare type SourceMap = {
+    version: number;
+    sources: string[];
+    names: string[];
+    sourceRoot?: string | undefined;
+    sourcesContent?: string[] | undefined;
+    mappings: string;
+    file: string;
+};
+/**
+ * The post process options.
+ *
+ * @property stripComments - Whether to strip comments. Defaults to `true`.
+ * @property sourceMap - Whether to generate a source map for the modified code.
+ * See also `inputSourceMap`.
+ * @property inputSourceMap - The source map for the input code. When provided,
+ * the source map will be used to generate a source map for the modified code.
+ * This ensures that the source map is correct for the modified code, and still
+ * points to the original source. If not provided, a new source map will be
+ * generated instead.
+ */
+export declare type PostProcessOptions = {
+    stripComments?: boolean;
+    sourceMap?: boolean | 'inline';
+    inputSourceMap?: SourceMap;
+};
+/**
+ * The post processed bundle output.
+ *
+ * @property code - The modified code.
+ * @property sourceMap - The source map for the modified code, if the source map
+ * option was enabled.
+ * @property warnings - Any warnings that occurred during the post-processing.
+ */
+export declare type PostProcessedBundle = {
+    code: string;
+    sourceMap?: SourceMap | null;
+    warnings: PostProcessWarning[];
+};
+export declare enum PostProcessWarning {
+    UnsafeMathRandom = "`Math.random` was detected in the bundle. This is not a secure source of randomness."
+}
+/**
+ * Post process code with AST such that it can be evaluated in SES.
+ *
+ * Currently:
+ * - Makes all direct calls to eval indirect.
+ * - Handles certain Babel-related edge cases.
+ * - Removes the `Buffer` provided by Browserify.
+ * - Optionally removes comments.
+ * - Breaks up tokens that would otherwise result in SES errors, such as HTML
+ * comment tags `<!--` and `-->` and `import(n)` statements.
+ *
+ * @param code - The code to post process.
+ * @param options - The post-process options.
+ * @param options.stripComments - Whether to strip comments. Defaults to `true`.
+ * @param options.sourceMap - Whether to generate a source map for the modified
+ * code. See also `inputSourceMap`.
+ * @param options.inputSourceMap - The source map for the input code. When
+ * provided, the source map will be used to generate a source map for the
+ * modified code. This ensures that the source map is correct for the modified
+ * code, and still points to the original source. If not provided, a new source
+ * map will be generated instead.
+ * @returns An object containing the modified code, and source map, or null if
+ * the provided code is null.
+ */
+export declare function postProcessBundle(code: string, { stripComments, sourceMap: sourceMaps, inputSourceMap, }?: Partial<PostProcessOptions>): PostProcessedBundle;

package/dist/post-process.js

@@ -0,0 +1,321 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.postProcessBundle = exports.PostProcessWarning = void 0;
+const types_1 = require("@babel/types");
+const core_1 = require("@babel/core");
+var PostProcessWarning;
+(function (PostProcessWarning) {
+    PostProcessWarning["UnsafeMathRandom"] = "`Math.random` was detected in the bundle. This is not a secure source of randomness.";
+})(PostProcessWarning = exports.PostProcessWarning || (exports.PostProcessWarning = {}));
+// The RegEx below consists of multiple groups joined by a boolean OR.
+// Each part consists of two groups which capture a part of each string
+// which needs to be split up, e.g., `<!--` is split into `<!` and `--`.
+const TOKEN_REGEX = /(<!)(--)|(--)(>)|(import)(\(.*?\))/gu;
+// An empty template element, i.e., a part of a template literal without any
+// value ("").
+const EMPTY_TEMPLATE_ELEMENT = (0, types_1.templateElement)({ raw: '', cooked: '' });
+const evalWrapper = core_1.template.statement(`
+  (1, REF)(ARGS)
+`);
+const objectEvalWrapper = core_1.template.statement(`
+  (1, OBJECT.REF)
+`);
+const regeneratorRuntimeWrapper = core_1.template.statement(`
+  var regeneratorRuntime;
+`);
+/**
+ * Breaks up tokens that would otherwise result in SES errors. The tokens are
+ * broken up in a non-destructive way where possible. Currently works with:
+ * - HTML comment tags `<!--` and `-->`, broken up into `<!`, `--`, and `--`,
+ * `>`.
+ * - `import(n)` statements, broken up into `import`, `(n)`.
+ *
+ * @param value - The string value to break up.
+ * @returns The string split into an array, in a way that it can be joined
+ * together to form the same string, but with the tokens separated into single
+ * array elements.
+ */
+function breakTokens(value) {
+    const tokens = value.split(TOKEN_REGEX);
+    return (tokens
+        // TODO: The `split` above results in some values being `undefined`.
+        // There may be a better solution to avoid having to filter those out.
+        .filter((token) => token !== '' && token !== undefined));
+}
+/**
+ * Breaks up tokens that would otherwise result in SES errors. The tokens are
+ * broken up in a non-destructive way where possible. Currently works with:
+ * - HTML comment tags `<!--` and `-->`, broken up into `<!`, `--`, and `--`,
+ * `>`.
+ * - `import(n)` statements, broken up into `import`, `(n)`.
+ *
+ * @param value - The string value to break up.
+ * @returns The string split into a tuple consisting of the new template
+ * elements and string literal expressions.
+ */
+function breakTokensTemplateLiteral(value) {
+    // @ts-expect-error `matchAll` is not available in ES2017, but this code
+    // should only be used in environments where the function is supported.
+    const matches = Array.from(value.matchAll(TOKEN_REGEX));
+    if (matches.length > 0) {
+        const output = matches.reduce(([elements, expressions], rawMatch, index, values) => {
+            const [, first, last] = rawMatch.filter((raw) => raw !== undefined);
+            // Slice the text in front of the match, which does not need to be
+            // broken up.
+            const prefix = value.slice(index === 0
+                ? 0
+                : values[index - 1].index + values[index - 1][0].length, rawMatch.index);
+            return [
+                [
+                    ...elements,
+                    (0, types_1.templateElement)({
+                        raw: getRawTemplateValue(prefix),
+                        cooked: prefix,
+                    }),
+                    EMPTY_TEMPLATE_ELEMENT,
+                ],
+                [...expressions, (0, types_1.stringLiteral)(first), (0, types_1.stringLiteral)(last)],
+            ];
+        }, [[], []]);
+        // Add the text after the last match to the output.
+        const lastMatch = matches[matches.length - 1];
+        const suffix = value.slice(lastMatch.index + lastMatch[0].length);
+        return [
+            [
+                ...output[0],
+                (0, types_1.templateElement)({ raw: getRawTemplateValue(suffix), cooked: suffix }),
+            ],
+            output[1],
+        ];
+    }
+    // If there are no matches, simply return the original value.
+    return [
+        [(0, types_1.templateElement)({ raw: getRawTemplateValue(value), cooked: value })],
+        [],
+    ];
+}
+/**
+ * Get a raw template literal value from a cooked value. This adds a backslash
+ * before every '`', '\' and '${' characters.
+ *
+ * @see https://github.com/babel/babel/issues/9242#issuecomment-532529613
+ * @param value - The cooked string to get the raw string for.
+ * @returns The value as raw value.
+ */
+function getRawTemplateValue(value) {
+    return value.replace(/\\|`|\$\{/gu, '\\$&');
+}
+/**
+ * Post process code with AST such that it can be evaluated in SES.
+ *
+ * Currently:
+ * - Makes all direct calls to eval indirect.
+ * - Handles certain Babel-related edge cases.
+ * - Removes the `Buffer` provided by Browserify.
+ * - Optionally removes comments.
+ * - Breaks up tokens that would otherwise result in SES errors, such as HTML
+ * comment tags `<!--` and `-->` and `import(n)` statements.
+ *
+ * @param code - The code to post process.
+ * @param options - The post-process options.
+ * @param options.stripComments - Whether to strip comments. Defaults to `true`.
+ * @param options.sourceMap - Whether to generate a source map for the modified
+ * code. See also `inputSourceMap`.
+ * @param options.inputSourceMap - The source map for the input code. When
+ * provided, the source map will be used to generate a source map for the
+ * modified code. This ensures that the source map is correct for the modified
+ * code, and still points to the original source. If not provided, a new source
+ * map will be generated instead.
+ * @returns An object containing the modified code, and source map, or null if
+ * the provided code is null.
+ */
+function postProcessBundle(code, { stripComments = true, sourceMap: sourceMaps, inputSourceMap, } = {}) {
+    const warnings = new Set();
+    const pre = ({ ast }) => {
+        var _a;
+        (_a = ast.comments) === null || _a === void 0 ? void 0 : _a.forEach((comment) => {
+            // Break up tokens that could be parsed as HTML comment terminators. The
+            // regular expressions below are written strangely so as to avoid the
+            // appearance of such tokens in our source code. For reference:
+            // https://github.com/endojs/endo/blob/70cc86eb400655e922413b99c38818d7b2e79da0/packages/ses/error-codes/SES_HTML_COMMENT_REJECTED.md
+            comment.value = comment.value
+                .replace(new RegExp(`<!${'--'}`, 'gu'), '< !--')
+                .replace(new RegExp(`${'--'}>`, 'gu'), '-- >')
+                .replace(/import(\(.*\))/gu, 'import\\$1');
+        });
+    };
+    const visitor = {
+        FunctionExpression(path) {
+            var _a;
+            const { node } = path;
+            // Browserify provides the `Buffer` global as an argument to modules that
+            // use it, but this does not work in SES. Since we pass in `Buffer` as an
+            // endowment, we can simply remove the argument.
+            //
+            // Note that this only removes `Buffer` from a wrapped function
+            // expression, e.g., `(function (Buffer) { ... })`. Regular functions
+            // are not affected.
+            //
+            // TODO: Since we're working on the AST level, we could check the scope
+            // of the function expression, and possibly prevent false positives?
+            if (node.type === 'FunctionExpression' && ((_a = node.extra) === null || _a === void 0 ? void 0 : _a.parenthesized)) {
+                node.params = node.params.filter((param) => !(param.type === 'Identifier' && param.name === 'Buffer'));
+            }
+        },
+        CallExpression(path) {
+            const { node } = path;
+            // Replace `eval(foo)` with `(1, eval)(foo)`.
+            if (node.callee.type === 'Identifier' && node.callee.name === 'eval') {
+                path.replaceWith(evalWrapper({
+                    REF: node.callee,
+                    ARGS: node.arguments,
+                }));
+            }
+            // Detect the use of `Math.random()` and add a warning.
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.object.type === 'Identifier' &&
+                node.callee.object.name === 'Math' &&
+                node.callee.property.type === 'Identifier' &&
+                node.callee.property.name === 'random') {
+                warnings.add(PostProcessWarning.UnsafeMathRandom);
+            }
+        },
+        MemberExpression(path) {
+            const { node } = path;
+            // Replace `object.eval(foo)` with `(1, object.eval)(foo)`.
+            if (node.property.type === 'Identifier' &&
+                node.property.name === 'eval' &&
+                // If the expression is already wrapped we can ignore it
+                path.parent.type !== 'SequenceExpression') {
+                path.replaceWith(objectEvalWrapper({
+                    OBJECT: node.object,
+                    REF: node.property,
+                }));
+            }
+        },
+        Identifier(path) {
+            const { node } = path;
+            // Insert `regeneratorRuntime` global if it's used in the code.
+            if (node.name === 'regeneratorRuntime') {
+                const program = path.findParent((parent) => parent.node.type === 'Program');
+                // We know that `program` is a Program node here, but this keeps
+                // TypeScript happy.
+                if ((program === null || program === void 0 ? void 0 : program.node.type) === 'Program') {
+                    const body = program.node.body[0];
+                    // This stops it from inserting `regeneratorRuntime` multiple times.
+                    if (body.type === 'VariableDeclaration' &&
+                        body.declarations[0].id.name ===
+                            'regeneratorRuntime') {
+                        return;
+                    }
+                    program === null || program === void 0 ? void 0 : program.node.body.unshift(regeneratorRuntimeWrapper());
+                }
+            }
+        },
+        TemplateLiteral(path) {
+            const { node } = path;
+            // This checks if the template literal was visited before. Without this,
+            // it would cause an infinite loop resulting in a stack overflow. We can't
+            // skip the path here, because we need to visit the children of the node.
+            if (path.getData('visited')) {
+                return;
+            }
+            // Break up tokens that could be parsed as HTML comment terminators, or
+            // `import()` statements.
+            // For reference:
+            // - https://github.com/endojs/endo/blob/70cc86eb400655e922413b99c38818d7b2e79da0/packages/ses/error-codes/SES_HTML_COMMENT_REJECTED.md
+            // - https://github.com/MetaMask/snaps-monorepo/issues/505
+            const [replacementQuasis, replacementExpressions] = node.quasis.reduce(([elements, expressions], quasi, index) => {
+                // Note: Template literals have two variants, "cooked" and "raw". Here
+                // we use the cooked version.
+                // https://exploringjs.com/impatient-js/ch_template-literals.html#template-strings-cooked-vs-raw
+                const tokens = breakTokensTemplateLiteral(quasi.value.cooked);
+                // Only update the node if something changed.
+                if (tokens[0].length <= 1) {
+                    return [
+                        [...elements, quasi],
+                        [...expressions, node.expressions[index]],
+                    ];
+                }
+                return [
+                    [...elements, ...tokens[0]],
+                    [
+                        ...expressions,
+                        ...tokens[1],
+                        node.expressions[index],
+                    ],
+                ];
+            }, [[], []]);
+            path.replaceWith((0, types_1.templateLiteral)(replacementQuasis, replacementExpressions.filter((e) => e !== undefined)));
+            path.setData('visited', true);
+        },
+        StringLiteral(path) {
+            const { node } = path;
+            // Break up tokens that could be parsed as HTML comment terminators, or
+            // `import()` statements.
+            // For reference:
+            // - https://github.com/endojs/endo/blob/70cc86eb400655e922413b99c38818d7b2e79da0/packages/ses/error-codes/SES_HTML_COMMENT_REJECTED.md
+            // - https://github.com/MetaMask/snaps-monorepo/issues/505
+            const tokens = breakTokens(node.value);
+            // Only update the node if the string literal was broken up.
+            if (tokens.length <= 1) {
+                return;
+            }
+            const replacement = tokens
+                .slice(1)
+                .reduce((acc, value) => (0, types_1.binaryExpression)('+', acc, (0, types_1.stringLiteral)(value)), (0, types_1.stringLiteral)(tokens[0]));
+            path.replaceWith(replacement);
+            path.skip();
+        },
+        BinaryExpression(path) {
+            const source = path.getSource();
+            // Throw an error if HTML comments are used as a binary expression.
+            if (source.includes('<!--') || source.includes('-->')) {
+                throw new Error('Using HTML comments (`<!--` and `-->`) as operators is not allowed. The behaviour of ' +
+                    'these comments is ambiguous, and differs per browser and environment. If you want ' +
+                    'to use them as operators, break them up into separate characters, i.e., `a-- > b` ' +
+                    'and `a < ! --b`.');
+            }
+        },
+    };
+    try {
+        const file = (0, core_1.transformSync)(code, {
+            // Prevent Babel from searching for a config file.
+            configFile: false,
+            parserOpts: {
+                // Strict mode isn't enabled by default, so we need to enable it here.
+                strictMode: true,
+                // If this is disabled, the AST does not include any comments. This is
+                // useful for performance reasons, and we use it for stripping comments.
+                attachComment: !stripComments,
+            },
+            // By default, Babel optimises bundles that exceed 500 KB, but that
+            // results in characters which look like HTML comments, which breaks SES.
+            compact: false,
+            // This configures Babel to generate a new source map from the existing
+            // source map if specified. If `sourceMap` is `true` but an input source
+            // map is not provided, a new source map will be generated instead.
+            inputSourceMap,
+            sourceMaps,
+            plugins: [
+                () => ({
+                    pre,
+                    visitor,
+                }),
+            ],
+        });
+        if (!(file === null || file === void 0 ? void 0 : file.code)) {
+            throw new Error('Bundled code is empty.');
+        }
+        return {
+            code: file.code,
+            sourceMap: file.map,
+            warnings: Array.from(warnings),
+        };
+    }
+    catch (error) {
+        throw new Error(`Failed to post process code:\n${error.message}`);
+    }
+}
+exports.postProcessBundle = postProcessBundle;
+//# sourceMappingURL=post-process.js.map