npm - @nocobase/evaluators - Versions diffs - 2.1.0-alpha.1 → 2.1.0-beta.1 - Mend

@nocobase/evaluators 2.1.0-alpha.1 → 2.1.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/lib/client/engines/formulajs.js +18 -12
package/lib/server/index.js +34 -6
package/lib/utils/formulajs.d.ts +5 -0
package/lib/utils/formulajs.js +44 -11
package/package.json +5 -4

package/lib/client/engines/formulajs.js CHANGED Viewed

@@ -7,11 +7,9 @@
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -25,24 +23,32 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var formulajs_exports = {};
 __export(formulajs_exports, {
   default: () => formulajs_default
 });
 module.exports = __toCommonJS(formulajs_exports);
-var import_formulajs = __toESM(require("../../utils/formulajs"));
+var import_client = require("@nocobase/utils/client");
+var import_formulajs = require("../../utils/formulajs");
+const blockedIdentifiers = [
+  ...import_client.BASE_BLOCKED_IDENTIFIERS,
+  "window",
+  "document",
+  "parent",
+  "top",
+  "frames",
+  "navigator",
+  "location",
+  "localStorage",
+  "sessionStorage"
+];
+const formulajs = (0, import_formulajs.createFormulaEvaluator)({
+  blockedIdentifiers
+});
 var formulajs_default = {
   label: "Formula.js",
   tooltip: '{{t("Formula.js supports most Microsoft Excel formula functions.")}}',
   link: "FORMULAJS_DOC_URL",
-  evaluate: import_formulajs.default
+  evaluate: formulajs
 };

package/lib/server/index.js CHANGED Viewed

@@ -13,6 +13,7 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -36,21 +37,48 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var server_exports = {};
 __export(server_exports, {
-  Evaluator: () => import_utils3.Evaluator,
-  appendArrayColumn: () => import_utils3.appendArrayColumn,
+  Evaluator: () => import_utils4.Evaluator,
+  appendArrayColumn: () => import_utils4.appendArrayColumn,
   default: () => server_default,
-  evaluate: () => import_utils3.evaluate,
+  evaluate: () => import_utils4.evaluate,
   evaluators: () => evaluators
 });
 module.exports = __toCommonJS(server_exports);
 var import_utils = require("@nocobase/utils");
+var import_utils2 = require("@nocobase/utils");
 var import_mathjs = __toESM(require("../utils/mathjs"));
-var import_formulajs = __toESM(require("../utils/formulajs"));
+var import_formulajs = require("../utils/formulajs");
 var import_string = __toESM(require("../utils/string"));
-var import_utils3 = require("../utils");
+var import_utils4 = require("../utils");
 const evaluators = new import_utils.Registry();
+const baseFormulajs = (0, import_formulajs.createFormulaEvaluator)({
+  blockedIdentifiers: [
+    ...import_utils.BASE_BLOCKED_IDENTIFIERS,
+    "process",
+    "require",
+    "module",
+    "exports",
+    "__filename",
+    "__dirname",
+    "Buffer"
+  ]
+});
+let formulaLockdownReady = false;
+function formulajs(expression, scope) {
+  if (!formulaLockdownReady) {
+    (0, import_utils2.lockdownSes)({
+      consoleTaming: "unsafe",
+      errorTaming: "unsafe",
+      overrideTaming: "moderate",
+      stackFiltering: "verbose"
+    });
+    formulaLockdownReady = true;
+  }
+  return baseFormulajs(expression, scope);
+}
+__name(formulajs, "formulajs");
 evaluators.register("math.js", import_mathjs.default);
-evaluators.register("formula.js", import_formulajs.default);
+evaluators.register("formula.js", formulajs);
 evaluators.register("string", import_string.default);
 var server_default = evaluators;
 // Annotate the CommonJS export names for ESM import in node:

package/lib/utils/formulajs.d.ts CHANGED Viewed

@@ -6,5 +6,10 @@
  * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
+import 'ses';
+export interface FormulaEvaluatorOptions {
+    blockedIdentifiers?: string[];
+}
+export declare function createFormulaEvaluator(options?: FormulaEvaluatorOptions): any;
 declare const _default: any;
 export default _default;

package/lib/utils/formulajs.js CHANGED Viewed

@@ -13,6 +13,7 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -36,22 +37,54 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var formulajs_exports = {};
 __export(formulajs_exports, {
+  createFormulaEvaluator: () => createFormulaEvaluator,
   default: () => formulajs_default
 });
 module.exports = __toCommonJS(formulajs_exports);
 var functions = __toESM(require("@formulajs/formulajs"));
 var import_mathjs = require("mathjs");
+var import_ses = require("ses");
 var import__ = require(".");
-const fnNames = Object.keys(functions).filter((key) => key !== "default");
-const fns = fnNames.map((key) => functions[key]);
-var formulajs_default = import__.evaluate.bind(function(expression, scope = {}) {
-  const fn = new Function(...fnNames, ...Object.keys(scope), `return ${expression}`);
-  const result = fn(...fns, ...Object.values(scope));
-  if (typeof result === "number") {
-    if (Number.isNaN(result) || !Number.isFinite(result)) {
-      return null;
+const FUNCTION_NAMES = Object.keys(functions).filter((key) => key !== "default");
+function buildEndowments(scope, blockedIdentifiers = []) {
+  const endowments = /* @__PURE__ */ Object.create(null);
+  for (const key of FUNCTION_NAMES) {
+    endowments[key] = functions[key];
+  }
+  if (scope && typeof scope === "object") {
+    for (const [key, value] of Object.entries(scope)) {
+      endowments[key] = value;
     }
-    return (0, import_mathjs.round)(result, 9);
   }
-  return result;
-}, {});
+  for (const key of blockedIdentifiers) {
+    endowments[key] = void 0;
+  }
+  return endowments;
+}
+__name(buildEndowments, "buildEndowments");
+function runInSandbox(expression, scope, options) {
+  const compartment = new Compartment(buildEndowments(scope, options.blockedIdentifiers));
+  return compartment.evaluate(expression);
+}
+__name(runInSandbox, "runInSandbox");
+function createFormulaEvaluator(options = {}) {
+  const mergedOptions = {
+    blockedIdentifiers: options.blockedIdentifiers
+  };
+  return import__.evaluate.bind(function(expression, scope = {}) {
+    const result = runInSandbox(expression, scope, mergedOptions);
+    if (typeof result === "number") {
+      if (Number.isNaN(result) || !Number.isFinite(result)) {
+        return null;
+      }
+      return (0, import_mathjs.round)(result, 9);
+    }
+    return result;
+  }, {});
+}
+__name(createFormulaEvaluator, "createFormulaEvaluator");
+var formulajs_default = createFormulaEvaluator();
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createFormulaEvaluator
+});

package/package.json CHANGED Viewed

@@ -1,19 +1,20 @@
 {
   "name": "@nocobase/evaluators",
-  "version": "2.1.0-alpha.1",
+  "version": "2.1.0-beta.1",
   "description": "",
   "main": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "license": "AGPL-3.0",
   "dependencies": {
     "@formulajs/formulajs": "4.4.9",
-    "@nocobase/utils": "2.1.0-alpha.1",
-    "mathjs": "^10.6.0"
+    "@nocobase/utils": "2.1.0-beta.1",
+    "mathjs": "^15.1.0",
+    "ses": "^1.14.0"
   },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/evaluators"
   },
-  "gitHead": "d27baf21569643d6fa83f882233f4e90eb5b89f1"
+  "gitHead": "de3efeb357b6a98b813f1c14831afa832aed1780"
 }