npm - @mondaydotcomorg/atp-server - Versions diffs - 0.17.14 - Mend

@mondaydotcomorg/atp-server 0.17.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (307) hide show

package/README.md +489 -0
package/dist/aggregator/index.d.ts +59 -0
package/dist/aggregator/index.d.ts.map +1 -0
package/dist/aggregator/index.js +171 -0
package/dist/aggregator/index.js.map +1 -0
package/dist/callback/index.d.ts +98 -0
package/dist/callback/index.d.ts.map +1 -0
package/dist/callback/index.js +136 -0
package/dist/callback/index.js.map +1 -0
package/dist/client-sessions.d.ts +82 -0
package/dist/client-sessions.d.ts.map +1 -0
package/dist/client-sessions.js +174 -0
package/dist/client-sessions.js.map +1 -0
package/dist/controllers/definitions.controller.d.ts +4 -0
package/dist/controllers/definitions.controller.d.ts.map +1 -0
package/dist/controllers/definitions.controller.js +11 -0
package/dist/controllers/definitions.controller.js.map +1 -0
package/dist/controllers/execute.controller.d.ts +18 -0
package/dist/controllers/execute.controller.d.ts.map +1 -0
package/dist/controllers/execute.controller.js +122 -0
package/dist/controllers/execute.controller.js.map +1 -0
package/dist/controllers/info.controller.d.ts +3 -0
package/dist/controllers/info.controller.d.ts.map +1 -0
package/dist/controllers/info.controller.js +13 -0
package/dist/controllers/info.controller.js.map +1 -0
package/dist/controllers/resume.controller.d.ts +11 -0
package/dist/controllers/resume.controller.d.ts.map +1 -0
package/dist/controllers/resume.controller.js +61 -0
package/dist/controllers/resume.controller.js.map +1 -0
package/dist/controllers/search.controller.d.ts +4 -0
package/dist/controllers/search.controller.d.ts.map +1 -0
package/dist/controllers/search.controller.js +7 -0
package/dist/controllers/search.controller.js.map +1 -0
package/dist/controllers/stream.controller.d.ts +19 -0
package/dist/controllers/stream.controller.d.ts.map +1 -0
package/dist/controllers/stream.controller.js +141 -0
package/dist/controllers/stream.controller.js.map +1 -0
package/dist/core/config.d.ts +161 -0
package/dist/core/config.d.ts.map +1 -0
package/dist/core/config.js +7 -0
package/dist/core/config.js.map +1 -0
package/dist/core/http.d.ts +4 -0
package/dist/core/http.d.ts.map +1 -0
package/dist/core/http.js +17 -0
package/dist/core/http.js.map +1 -0
package/dist/create-server.d.ts +120 -0
package/dist/create-server.d.ts.map +1 -0
package/dist/create-server.js +423 -0
package/dist/create-server.js.map +1 -0
package/dist/execution-state/index.d.ts +95 -0
package/dist/execution-state/index.d.ts.map +1 -0
package/dist/execution-state/index.js +128 -0
package/dist/execution-state/index.js.map +1 -0
package/dist/executor/ast-provenance-bridge.d.ts +12 -0
package/dist/executor/ast-provenance-bridge.d.ts.map +1 -0
package/dist/executor/ast-provenance-bridge.js +66 -0
package/dist/executor/ast-provenance-bridge.js.map +1 -0
package/dist/executor/ast-tracking-runtime.d.ts +7 -0
package/dist/executor/ast-tracking-runtime.d.ts.map +1 -0
package/dist/executor/ast-tracking-runtime.js +559 -0
package/dist/executor/ast-tracking-runtime.js.map +1 -0
package/dist/executor/bootstrap-generated.d.ts +32 -0
package/dist/executor/bootstrap-generated.d.ts.map +1 -0
package/dist/executor/bootstrap-generated.js +90 -0
package/dist/executor/bootstrap-generated.js.map +1 -0
package/dist/executor/compiler-config.d.ts +32 -0
package/dist/executor/compiler-config.d.ts.map +1 -0
package/dist/executor/compiler-config.js +99 -0
package/dist/executor/compiler-config.js.map +1 -0
package/dist/executor/constants.d.ts +4 -0
package/dist/executor/constants.d.ts.map +1 -0
package/dist/executor/constants.js +4 -0
package/dist/executor/constants.js.map +1 -0
package/dist/executor/error-handler.d.ts +9 -0
package/dist/executor/error-handler.d.ts.map +1 -0
package/dist/executor/error-handler.js +95 -0
package/dist/executor/error-handler.js.map +1 -0
package/dist/executor/execution-error-handler.d.ts +7 -0
package/dist/executor/execution-error-handler.d.ts.map +1 -0
package/dist/executor/execution-error-handler.js +136 -0
package/dist/executor/execution-error-handler.js.map +1 -0
package/dist/executor/executor.d.ts +20 -0
package/dist/executor/executor.d.ts.map +1 -0
package/dist/executor/executor.js +452 -0
package/dist/executor/executor.js.map +1 -0
package/dist/executor/index.d.ts +4 -0
package/dist/executor/index.d.ts.map +1 -0
package/dist/executor/index.js +3 -0
package/dist/executor/index.js.map +1 -0
package/dist/executor/resume-handler.d.ts +9 -0
package/dist/executor/resume-handler.d.ts.map +1 -0
package/dist/executor/resume-handler.js +22 -0
package/dist/executor/resume-handler.js.map +1 -0
package/dist/executor/sandbox-builder.d.ts +29 -0
package/dist/executor/sandbox-builder.d.ts.map +1 -0
package/dist/executor/sandbox-builder.js +538 -0
package/dist/executor/sandbox-builder.js.map +1 -0
package/dist/executor/sandbox-injector.d.ts +7 -0
package/dist/executor/sandbox-injector.d.ts.map +1 -0
package/dist/executor/sandbox-injector.js +293 -0
package/dist/executor/sandbox-injector.js.map +1 -0
package/dist/executor/types.d.ts +21 -0
package/dist/executor/types.d.ts.map +1 -0
package/dist/executor/types.js +2 -0
package/dist/executor/types.js.map +1 -0
package/dist/explorer/index.d.ts +69 -0
package/dist/explorer/index.d.ts.map +1 -0
package/dist/explorer/index.js +228 -0
package/dist/explorer/index.js.map +1 -0
package/dist/handlers/definitions.handler.d.ts +3 -0
package/dist/handlers/definitions.handler.d.ts.map +1 -0
package/dist/handlers/definitions.handler.js +11 -0
package/dist/handlers/definitions.handler.js.map +1 -0
package/dist/handlers/execute.handler.d.ts +7 -0
package/dist/handlers/execute.handler.d.ts.map +1 -0
package/dist/handlers/execute.handler.js +225 -0
package/dist/handlers/execute.handler.js.map +1 -0
package/dist/handlers/explorer.handler.d.ts +4 -0
package/dist/handlers/explorer.handler.d.ts.map +1 -0
package/dist/handlers/explorer.handler.js +10 -0
package/dist/handlers/explorer.handler.js.map +1 -0
package/dist/handlers/init.handler.d.ts +5 -0
package/dist/handlers/init.handler.d.ts.map +1 -0
package/dist/handlers/init.handler.js +41 -0
package/dist/handlers/init.handler.js.map +1 -0
package/dist/handlers/resume.handler.d.ts +6 -0
package/dist/handlers/resume.handler.d.ts.map +1 -0
package/dist/handlers/resume.handler.js +256 -0
package/dist/handlers/resume.handler.js.map +1 -0
package/dist/handlers/search.handler.d.ts +5 -0
package/dist/handlers/search.handler.d.ts.map +1 -0
package/dist/handlers/search.handler.js +11 -0
package/dist/handlers/search.handler.js.map +1 -0
package/dist/http/request-handler.d.ts +15 -0
package/dist/http/request-handler.d.ts.map +1 -0
package/dist/http/request-handler.js +94 -0
package/dist/http/request-handler.js.map +1 -0
package/dist/http/router.d.ts +4 -0
package/dist/http/router.d.ts.map +1 -0
package/dist/http/router.js +32 -0
package/dist/http/router.js.map +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +8 -0
package/dist/index.js.map +1 -0
package/dist/instrumentation/index.d.ts +5 -0
package/dist/instrumentation/index.d.ts.map +1 -0
package/dist/instrumentation/index.js +5 -0
package/dist/instrumentation/index.js.map +1 -0
package/dist/instrumentation/serializer.d.ts +61 -0
package/dist/instrumentation/serializer.d.ts.map +1 -0
package/dist/instrumentation/serializer.js +334 -0
package/dist/instrumentation/serializer.js.map +1 -0
package/dist/instrumentation/state-manager.d.ts +61 -0
package/dist/instrumentation/state-manager.d.ts.map +1 -0
package/dist/instrumentation/state-manager.js +205 -0
package/dist/instrumentation/state-manager.js.map +1 -0
package/dist/instrumentation/transformer.d.ts +9 -0
package/dist/instrumentation/transformer.d.ts.map +1 -0
package/dist/instrumentation/transformer.js +70 -0
package/dist/instrumentation/transformer.js.map +1 -0
package/dist/instrumentation/types.d.ts +59 -0
package/dist/instrumentation/types.d.ts.map +1 -0
package/dist/instrumentation/types.js +5 -0
package/dist/instrumentation/types.js.map +1 -0
package/dist/middleware/audit.d.ts +18 -0
package/dist/middleware/audit.d.ts.map +1 -0
package/dist/middleware/audit.js +76 -0
package/dist/middleware/audit.js.map +1 -0
package/dist/openapi/index.d.ts +133 -0
package/dist/openapi/index.d.ts.map +1 -0
package/dist/openapi/index.js +235 -0
package/dist/openapi/index.js.map +1 -0
package/dist/openapi-loader.d.ts +87 -0
package/dist/openapi-loader.d.ts.map +1 -0
package/dist/openapi-loader.js +491 -0
package/dist/openapi-loader.js.map +1 -0
package/dist/routes/index.d.ts +21 -0
package/dist/routes/index.d.ts.map +1 -0
package/dist/routes/index.js +47 -0
package/dist/routes/index.js.map +1 -0
package/dist/search/index.d.ts +48 -0
package/dist/search/index.d.ts.map +1 -0
package/dist/search/index.js +156 -0
package/dist/search/index.js.map +1 -0
package/dist/security/index.d.ts +2 -0
package/dist/security/index.d.ts.map +1 -0
package/dist/security/index.js +2 -0
package/dist/security/index.js.map +1 -0
package/dist/shutdown.d.ts +19 -0
package/dist/shutdown.d.ts.map +1 -0
package/dist/shutdown.js +87 -0
package/dist/shutdown.js.map +1 -0
package/dist/utils/banner.d.ts +12 -0
package/dist/utils/banner.d.ts.map +1 -0
package/dist/utils/banner.js +18 -0
package/dist/utils/banner.js.map +1 -0
package/dist/utils/context.d.ts +16 -0
package/dist/utils/context.d.ts.map +1 -0
package/dist/utils/context.js +44 -0
package/dist/utils/context.js.map +1 -0
package/dist/utils/error.d.ts +8 -0
package/dist/utils/error.d.ts.map +1 -0
package/dist/utils/error.js +17 -0
package/dist/utils/error.js.map +1 -0
package/dist/utils/hint-based-instrumentation.d.ts +14 -0
package/dist/utils/hint-based-instrumentation.d.ts.map +1 -0
package/dist/utils/hint-based-instrumentation.js +84 -0
package/dist/utils/hint-based-instrumentation.js.map +1 -0
package/dist/utils/index.d.ts +8 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +8 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/info.d.ts +20 -0
package/dist/utils/info.d.ts.map +1 -0
package/dist/utils/info.js +15 -0
package/dist/utils/info.js.map +1 -0
package/dist/utils/provenance-reattachment.d.ts +32 -0
package/dist/utils/provenance-reattachment.d.ts.map +1 -0
package/dist/utils/provenance-reattachment.js +115 -0
package/dist/utils/provenance-reattachment.js.map +1 -0
package/dist/utils/request.d.ts +21 -0
package/dist/utils/request.d.ts.map +1 -0
package/dist/utils/request.js +44 -0
package/dist/utils/request.js.map +1 -0
package/dist/utils/response.d.ts +30 -0
package/dist/utils/response.d.ts.map +1 -0
package/dist/utils/response.js +53 -0
package/dist/utils/response.js.map +1 -0
package/dist/utils/runtime-types.d.ts +6 -0
package/dist/utils/runtime-types.d.ts.map +1 -0
package/dist/utils/runtime-types.js +14 -0
package/dist/utils/runtime-types.js.map +1 -0
package/dist/utils/schema.d.ts +9 -0
package/dist/utils/schema.d.ts.map +1 -0
package/dist/utils/schema.js +13 -0
package/dist/utils/schema.js.map +1 -0
package/dist/utils/token-emitter.d.ts +21 -0
package/dist/utils/token-emitter.d.ts.map +1 -0
package/dist/utils/token-emitter.js +129 -0
package/dist/utils/token-emitter.js.map +1 -0
package/dist/validator/index.d.ts +36 -0
package/dist/validator/index.d.ts.map +1 -0
package/dist/validator/index.js +224 -0
package/dist/validator/index.js.map +1 -0
package/package.json +68 -0
package/src/aggregator/index.ts +207 -0
package/src/callback/index.ts +191 -0
package/src/client-sessions.ts +234 -0
package/src/controllers/definitions.controller.ts +19 -0
package/src/controllers/execute.controller.ts +166 -0
package/src/controllers/info.controller.ts +14 -0
package/src/controllers/resume.controller.ts +92 -0
package/src/controllers/search.controller.ts +16 -0
package/src/controllers/stream.controller.ts +190 -0
package/src/core/config.ts +180 -0
package/src/core/http.ts +21 -0
package/src/create-server.ts +536 -0
package/src/execution-state/index.ts +204 -0
package/src/executor/ast-provenance-bridge.ts +80 -0
package/src/executor/ast-tracking-runtime.ts +558 -0
package/src/executor/bootstrap-generated.ts +90 -0
package/src/executor/compiler-config.ts +146 -0
package/src/executor/constants.ts +5 -0
package/src/executor/error-handler.ts +118 -0
package/src/executor/execution-error-handler.ts +178 -0
package/src/executor/executor.ts +631 -0
package/src/executor/index.ts +3 -0
package/src/executor/resume-handler.ts +39 -0
package/src/executor/sandbox-builder.ts +684 -0
package/src/executor/sandbox-injector.ts +345 -0
package/src/executor/types.ts +22 -0
package/src/explorer/index.ts +297 -0
package/src/handlers/definitions.handler.ts +13 -0
package/src/handlers/execute.handler.ts +286 -0
package/src/handlers/explorer.handler.ts +18 -0
package/src/handlers/init.handler.ts +53 -0
package/src/handlers/resume.handler.ts +316 -0
package/src/handlers/search.handler.ts +32 -0
package/src/http/request-handler.ts +117 -0
package/src/http/router.ts +29 -0
package/src/index.ts +60 -0
package/src/instrumentation/index.ts +4 -0
package/src/instrumentation/serializer.ts +421 -0
package/src/instrumentation/state-manager.ts +237 -0
package/src/instrumentation/transformer.ts +84 -0
package/src/instrumentation/types.ts +76 -0
package/src/middleware/audit.ts +101 -0
package/src/openapi/index.ts +378 -0
package/src/openapi-loader.ts +744 -0
package/src/routes/index.ts +93 -0
package/src/search/index.ts +216 -0
package/src/security/index.ts +1 -0
package/src/shutdown.ts +108 -0
package/src/utils/banner.ts +25 -0
package/src/utils/context.ts +58 -0
package/src/utils/error.ts +25 -0
package/src/utils/hint-based-instrumentation.ts +99 -0
package/src/utils/index.ts +15 -0
package/src/utils/info.ts +31 -0
package/src/utils/provenance-reattachment.ts +144 -0
package/src/utils/request.ts +53 -0
package/src/utils/response.ts +69 -0
package/src/utils/runtime-types.ts +14 -0
package/src/utils/schema.ts +18 -0
package/src/utils/token-emitter.ts +182 -0
package/src/validator/index.ts +253 -0

package/src/validator/index.ts ADDED Viewed

@@ -0,0 +1,253 @@
+import type { ValidationResult, ExecutionConfig } from '@mondaydotcomorg/atp-protocol';
+import { sanitizeInput, MAX_CODE_SIZE } from '@mondaydotcomorg/atp-protocol';
+import * as acorn from 'acorn';
+interface ValidationError {
+	line: number;
+	message: string;
+	severity: 'error' | 'warning';
+}
+interface SecurityIssue {
+	line: number;
+	issue: string;
+	risk: 'low' | 'medium' | 'high';
+}
+/**
+ * CodeValidator validates user code before execution using a whitelist approach.
+ * Only explicitly allowed operations and patterns are permitted.
+ */
+export class CodeValidator {
+	private readonly allowedGlobalObjects = new Set([
+		'Array',
+		'Object',
+		'String',
+		'Number',
+		'Boolean',
+		'Date',
+		'Math',
+		'JSON',
+		'Promise',
+		'Map',
+		'Set',
+		'WeakMap',
+		'WeakSet',
+		'Error',
+		'TypeError',
+		'RangeError',
+		'console',
+	]);
+	private readonly forbiddenPatterns = [
+		/\beval\s*\(/,
+		/\bnew\s+Function\s*\(/,
+		/\bnew\s+AsyncFunction\s*\(/,
+		/\bnew\s+GeneratorFunction\s*\(/,
+		/\brequire\s*\(/,
+		/\bprocess\b/,
+		/\bglobal\b/,
+		/\bglobalThis\.process\b/,
+		/\bglobalThis\.global\b/,
+		/\b__dirname\b/,
+		/\b__filename\b/,
+		/\bmodule\b/,
+		/\bexports\b/,
+		/\bBuffer\b/,
+		// Constructor chain exploits - CRITICAL security issue
+		/constructor\s*\[\s*['"`]constructor['"`]\s*\]/,
+		/constructor\.constructor/,
+		/\['constructor'\]\s*\[\s*['"`]constructor['"`]\s*\]/,
+		/\["constructor"\]\s*\[\s*['"`]constructor['"`]\s*\]/,
+		/\[`constructor`\]\s*\[\s*['"`]constructor['"`]\s*\]/,
+		// Prototype chain manipulation - sandbox escape vectors
+		/__proto__/,
+		/Object\.getPrototypeOf/,
+		/Object\.setPrototypeOf/,
+		/Reflect\.construct/,
+		/Reflect\.get/,
+		/Reflect\.set/,
+		// Indirect eval patterns
+		/\['eval'\]/,
+		/\["eval"\]/,
+		/\[`eval`\]/,
+		/window\['eval'\]/,
+		/this\['eval'\]/,
+	];
+	/**
+	 * Validates code for security and syntax issues.
+	 * @param code - The code to validate
+	 * @param config - Execution configuration
+	 * @returns Validation result with any errors or security issues
+	 */
+	async validate(code: string, config: ExecutionConfig): Promise<ValidationResult> {
+		const errors: ValidationError[] = [];
+		const warnings: ValidationError[] = [];
+		const securityIssues: SecurityIssue[] = [];
+		code = sanitizeInput(code, MAX_CODE_SIZE);
+		for (const pattern of this.forbiddenPatterns) {
+			if (pattern.test(code)) {
+				securityIssues.push({
+					line: 0,
+					issue: `Forbidden pattern detected: ${pattern.source}`,
+					risk: 'high',
+				});
+			}
+		}
+		this.checkGlobalAccess(code, securityIssues);
+		this.validateImports(code, securityIssues);
+		this.validateSyntax(code, errors);
+		const hasHighRiskIssues = securityIssues.some((issue) => issue.risk === 'high');
+		return {
+			valid: errors.length === 0 && !hasHighRiskIssues,
+			errors: errors.length > 0 ? errors : undefined,
+			warnings: warnings.length > 0 ? warnings : undefined,
+			securityIssues: securityIssues.length > 0 ? securityIssues : undefined,
+		};
+	}
+	/**
+	 * Validates JavaScript syntax using acorn parser.
+	 * @param code - Code to validate
+	 * @param errors - Array to append syntax errors to
+	 */
+	private validateSyntax(code: string, errors: ValidationError[]): void {
+		try {
+			acorn.parse(code, {
+				ecmaVersion: 2022,
+				sourceType: 'script',
+				allowAwaitOutsideFunction: true,
+				allowReturnOutsideFunction: true,
+			});
+		} catch (scriptError: any) {
+			try {
+				acorn.parse(code, {
+					ecmaVersion: 2022,
+					sourceType: 'module',
+					allowAwaitOutsideFunction: true,
+					allowReturnOutsideFunction: false,
+				});
+			} catch (moduleError: any) {
+				errors.push({
+					line: moduleError.loc?.line ?? 0,
+					message: `Syntax error: ${moduleError.message}`,
+					severity: 'error',
+				});
+			}
+		}
+	}
+	/**
+	 * Checks for unauthorized global object access.
+	 * @param code - Code to check
+	 * @param securityIssues - Array to append issues to
+	 */
+	private checkGlobalAccess(code: string, securityIssues: SecurityIssue[]): void {
+		const globalAccessPattern = /\b([A-Z][a-zA-Z0-9]*)\./g;
+		let match;
+		while ((match = globalAccessPattern.exec(code)) !== null) {
+			const globalName = match[1];
+			if (
+				globalName &&
+				!this.allowedGlobalObjects.has(globalName) &&
+				globalName !== 'atp' &&
+				globalName !== 'api'
+			) {
+				securityIssues.push({
+					line: 0,
+					issue: `Unauthorized global access: ${globalName}`,
+					risk: 'medium',
+				});
+			}
+		}
+	}
+	/**
+	 * Validates import statements to ensure NO imports are allowed.
+	 * ALL imports are blocked for security - use injected sandbox globals instead.
+	 * @param code - Code to validate
+	 * @param securityIssues - Array to append issues to
+	 */
+	private validateImports(code: string, securityIssues: SecurityIssue[]): void {
+		try {
+			const ast = acorn.parse(code, {
+				ecmaVersion: 2022,
+				sourceType: 'module',
+				allowAwaitOutsideFunction: true,
+				allowReturnOutsideFunction: true,
+			});
+			const walk = (node: any) => {
+				if (!node || typeof node !== 'object') return;
+				if (node.type === 'ImportDeclaration') {
+					const importSource = node.source?.value;
+					securityIssues.push({
+						line: node.loc?.start?.line ?? 0,
+						issue: `All imports are blocked for security. Import attempted: ${importSource}. Use injected sandbox globals (api, atp) instead.`,
+						risk: 'high',
+					});
+				}
+				if (node.type === 'ImportExpression') {
+					securityIssues.push({
+						line: node.loc?.start?.line ?? 0,
+						issue: `Dynamic import() is not allowed. All imports are blocked for security.`,
+						risk: 'high',
+					});
+				}
+				if (node.type === 'ExportNamedDeclaration' || node.type === 'ExportAllDeclaration') {
+					if (node.source?.value) {
+						const exportSource = node.source.value;
+						securityIssues.push({
+							line: node.loc?.start?.line ?? 0,
+							issue: `Re-exports are not allowed. Attempted re-export from: ${exportSource}.`,
+							risk: 'high',
+						});
+					}
+				}
+				for (const key in node) {
+					if (key === 'loc' || key === 'range' || key === 'start' || key === 'end') continue;
+					const child = node[key];
+					if (Array.isArray(child)) {
+						child.forEach(walk);
+					} else if (child && typeof child === 'object') {
+						walk(child);
+					}
+				}
+			};
+			walk(ast);
+		} catch (error) {
+			const importPattern = /^\s*import\s+.*?\s+from\s+['"](.+?)['"]/gm;
+			let match;
+			while ((match = importPattern.exec(code)) !== null) {
+				const importSource = match[1];
+				securityIssues.push({
+					line: 0,
+					issue: `All imports are blocked for security. Import detected: ${importSource}.`,
+					risk: 'high',
+				});
+			}
+			if (/import\s*\(/.test(code)) {
+				securityIssues.push({
+					line: 0,
+					issue: `Dynamic import() is not allowed. All imports are blocked for security.`,
+					risk: 'high',
+				});
+			}
+		}
+	}
+}