@nocobase/flow-engine 2.0.0-beta.21 → 2.0.0-beta.23

package/src/utils/runjsValue.ts

@@ -0,0 +1,287 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+export type RunJSValue = {
+  code: string;
+  version?: string;
+};
+
+const RUNJS_ALLOWED_KEYS = new Set(['code', 'version']);
+
+/**
+ * Strictly detect RunJSValue to avoid conflicting with normal constant objects.
+ * - MUST be a plain object (not array)
+ * - MUST include string `code`
+ * - MAY include string `version`
+ * - MUST NOT include any other enumerable keys
+ */
+export function isRunJSValue(value: any): value is RunJSValue {
+  if (!value || typeof value !== 'object') return false;
+  if (Array.isArray(value)) return false;
+  const keys = Object.keys(value);
+  if (!keys.includes('code')) return false;
+  if (typeof (value as any).code !== 'string') return false;
+  if ('version' in value && (value as any).version != null && typeof (value as any).version !== 'string') return false;
+  for (const k of keys) {
+    if (!RUNJS_ALLOWED_KEYS.has(k)) return false;
+  }
+  return true;
+}
+
+export function normalizeRunJSValue(value: RunJSValue): Required<RunJSValue> {
+  return {
+    code: String(value?.code ?? ''),
+    version: String(value?.version ?? 'v1'),
+  };
+}
+
+function stripStringsAndComments(code: string): string {
+  // Keep template literals untouched (may include ${} expressions).
+  let out = '';
+  let state: 'code' | 'single' | 'double' | 'line' | 'block' = 'code';
+  for (let i = 0; i < code.length; i++) {
+    const ch = code[i];
+    const next = i + 1 < code.length ? code[i + 1] : '';
+
+    if (state === 'code') {
+      if (ch === '/' && next === '/') {
+        out += '  ';
+        i++;
+        state = 'line';
+        continue;
+      }
+      if (ch === '/' && next === '*') {
+        out += '  ';
+        i++;
+        state = 'block';
+        continue;
+      }
+      if (ch === "'") {
+        out += ' ';
+        state = 'single';
+        continue;
+      }
+      if (ch === '"') {
+        out += ' ';
+        state = 'double';
+        continue;
+      }
+      out += ch;
+      continue;
+    }
+
+    if (state === 'line') {
+      if (ch === '\n') {
+        out += '\n';
+        state = 'code';
+      } else {
+        out += ' ';
+      }
+      continue;
+    }
+
+    if (state === 'block') {
+      if (ch === '*' && next === '/') {
+        out += '  ';
+        i++;
+        state = 'code';
+      } else {
+        out += ch === '\n' ? '\n' : ' ';
+      }
+      continue;
+    }
+
+    if (state === 'single') {
+      if (ch === '\\') {
+        out += '  ';
+        i++;
+        continue;
+      }
+      if (ch === "'") {
+        out += ' ';
+        state = 'code';
+      } else {
+        out += ch === '\n' ? '\n' : ' ';
+      }
+      continue;
+    }
+
+    // state === 'double'
+    if (ch === '\\') {
+      out += '  ';
+      i++;
+      continue;
+    }
+    if (ch === '"') {
+      out += ' ';
+      state = 'code';
+    } else {
+      out += ch === '\n' ? '\n' : ' ';
+    }
+  }
+  return out;
+}
+
+function stripComments(code: string): string {
+  let out = '';
+  let state: 'code' | 'single' | 'double' | 'line' | 'block' = 'code';
+  for (let i = 0; i < code.length; i++) {
+    const ch = code[i];
+    const next = i + 1 < code.length ? code[i + 1] : '';
+
+    if (state === 'code') {
+      if (ch === '/' && next === '/') {
+        out += '  ';
+        i++;
+        state = 'line';
+        continue;
+      }
+      if (ch === '/' && next === '*') {
+        out += '  ';
+        i++;
+        state = 'block';
+        continue;
+      }
+      if (ch === "'") {
+        out += ch;
+        state = 'single';
+        continue;
+      }
+      if (ch === '"') {
+        out += ch;
+        state = 'double';
+        continue;
+      }
+      out += ch;
+      continue;
+    }
+
+    if (state === 'line') {
+      if (ch === '\n') {
+        out += '\n';
+        state = 'code';
+      } else {
+        out += ' ';
+      }
+      continue;
+    }
+
+    if (state === 'block') {
+      if (ch === '*' && next === '/') {
+        out += '  ';
+        i++;
+        state = 'code';
+      } else {
+        out += ch === '\n' ? '\n' : ' ';
+      }
+      continue;
+    }
+
+    if (state === 'single') {
+      out += ch;
+      if (ch === '\\') {
+        const nextCh = i + 1 < code.length ? code[i + 1] : '';
+        if (nextCh) {
+          out += nextCh;
+          i++;
+        }
+        continue;
+      }
+      if (ch === "'") {
+        state = 'code';
+      }
+      continue;
+    }
+
+    // state === 'double'
+    out += ch;
+    if (ch === '\\') {
+      const nextCh = i + 1 < code.length ? code[i + 1] : '';
+      if (nextCh) {
+        out += nextCh;
+        i++;
+      }
+      continue;
+    }
+    if (ch === '"') {
+      state = 'code';
+    }
+  }
+  return out;
+}
+
+function normalizeSubPath(raw: string): { subPath: string; wildcard: boolean } {
+  if (!raw) return { subPath: '', wildcard: false };
+  let s = raw;
+  // Convert simple string literal keys: ['a'] / ["a"] -> .a
+  s = s.replace(/\[['"]([a-zA-Z_$][a-zA-Z0-9_$]*)['"]\]/g, '.$1');
+
+  // Any remaining bracket access with non-numeric content is considered dynamic -> wildcard.
+  const bracketRe = /\[([^\]]+)\]/g;
+  let m: RegExpExecArray | null;
+  while ((m = bracketRe.exec(s))) {
+    const inner = String(m[1] ?? '').trim();
+    if (/^\d+$/.test(inner)) continue;
+    if (/^['"][a-zA-Z_$][a-zA-Z0-9_$]*['"]$/.test(inner)) continue;
+    return { subPath: s.startsWith('.') ? s.slice(1) : s, wildcard: true };
+  }
+
+  if (s.startsWith('.')) s = s.slice(1);
+  return { subPath: s, wildcard: false };
+}
+
+/**
+ * Heuristic extraction of ctx variable usage from RunJS code.
+ *
+ * Returns a map: varName -> string[] subPaths
+ * - subPath '' means the variable root is used (or dependency is dynamic), caller MAY treat it as wildcard.
+ * - Only best-effort parsing; correctness prefers over-approximation.
+ */
+export function extractUsedVariablePathsFromRunJS(code: string): Record<string, string[]> {
+  if (typeof code !== 'string' || !code.trim()) return {};
+  const src = stripStringsAndComments(code);
+  const srcWithStrings = stripComments(code);
+  const usage = new Map<string, Set<string>>();
+
+  const add = (varName: string, subPath: string) => {
+    if (!varName) return;
+    const set = usage.get(varName) || new Set<string>();
+    set.add(subPath || '');
+    usage.set(varName, set);
+  };
+
+  // dot form: ctx.foo.bar / ctx.foo[0].bar (excluding ctx.method(...))
+  const dotRe = /ctx\.([a-zA-Z_$][a-zA-Z0-9_$]*(?:(?:\.[a-zA-Z_$][a-zA-Z0-9_$]*)|(?:\[[^\]]+\]))*)(?!\s*\()/g;
+  let match: RegExpExecArray | null;
+  while ((match = dotRe.exec(src))) {
+    const pathAfterCtx = match[1] || '';
+    const firstKeyMatch = pathAfterCtx.match(/^([a-zA-Z_$][a-zA-Z0-9_$]*)/);
+    if (!firstKeyMatch) continue;
+    const firstKey = firstKeyMatch[1];
+    const rest = pathAfterCtx.slice(firstKey.length);
+    const { subPath, wildcard } = normalizeSubPath(rest);
+    add(firstKey, wildcard ? '' : subPath);
+  }
+
+  // bracket root: ctx['foo'].bar / ctx["foo"][0] (excluding ctx['method'](...))
+  const bracketRootRe =
+    /ctx\s*\[\s*(['"])([a-zA-Z_$][a-zA-Z0-9_$]*)\1\s*\]((?:(?:\.[a-zA-Z_$][a-zA-Z0-9_$]*)|(?:\[[^\]]+\]))*)(?!\s*\()/g;
+  while ((match = bracketRootRe.exec(srcWithStrings))) {
+    const varName = match[2] || '';
+    const rest = match[3] || '';
+    const { subPath, wildcard } = normalizeSubPath(rest);
+    add(varName, wildcard ? '' : subPath);
+  }
+
+  const out: Record<string, string[]> = {};
+  for (const [k, set] of usage.entries()) {
+    out[k] = Array.from(set);
+  }
+  return out;
+}

package/src/utils/safeGlobals.ts

@@ -9,7 +9,7 @@
 
 /**
  * 统一的安全全局对象代理：window/document/navigator
- * - window：仅允许常用的定时器、console、Math、Date、FormData、addEventListener、open（安全包装）、location（安全代理）
+ * - window：仅允许常用的定时器、console、Math、Date、FormData、Blob、URL、addEventListener、open（安全包装）、location（安全代理）
  * - document：仅允许 createElement/querySelector/querySelectorAll
  * - navigator：仅提供极少量低风险能力（clipboard.writeText、onLine、language、languages）
  * - 不允许随意访问未声明的属性，最小权限原则
@@ -211,6 +211,8 @@ export function createSafeWindow(extra?: Record<string, any>) {
     Math,
     Date,
     FormData,
+    ...(typeof Blob !== 'undefined' ? { Blob } : {}),
+    ...(typeof URL !== 'undefined' ? { URL } : {}),
     // 事件侦听仅绑定到真实 window，便于少量需要的全局监听
     addEventListener: addEventListener.bind(window),
     // 安全的 window.open 代理
@@ -350,3 +352,55 @@ export function createSafeNavigator(extra?: Record<string, any>) {
     },
   );
 }
+
+/**
+ * Create a safe globals object for RunJS execution.
+ *
+ * - Always tries to provide `navigator`
+ * - Best-effort provides `window` and `document` in browser environments
+ * - Never throws (so callers can decide how to handle missing globals)
+ */
+export function createSafeRunJSGlobals(extraGlobals?: Record<string, any>): Record<string, any> {
+  const globals: Record<string, any> = {};
+
+  try {
+    const navigator = createSafeNavigator();
+    globals.navigator = navigator;
+    try {
+      globals.window = createSafeWindow({ navigator });
+    } catch {
+      // ignore when window is not available (e.g. SSR/tests)
+    }
+  } catch {
+    // ignore
+  }
+
+  try {
+    globals.document = createSafeDocument();
+  } catch {
+    // ignore when document is not available (e.g. SSR/tests)
+  }
+
+  return extraGlobals ? { ...globals, ...extraGlobals } : globals;
+}
+
+/**
+ * Execute RunJS with safe globals (window/document/navigator).
+ *
+ * Keeps `this` binding by calling `ctx.runjs(...)` instead of passing bare function references.
+ */
+export async function runjsWithSafeGlobals(
+  ctx: unknown,
+  code: string,
+  options?: any,
+  extraGlobals?: Record<string, any>,
+): Promise<any> {
+  if (!ctx || (typeof ctx !== 'object' && typeof ctx !== 'function')) return undefined;
+  const runjs = (ctx as { runjs?: unknown }).runjs;
+  if (typeof runjs !== 'function') return undefined;
+  return (ctx as { runjs: (code: string, variables?: Record<string, any>, options?: any) => Promise<any> }).runjs(
+    code,
+    createSafeRunJSGlobals(extraGlobals),
+    options,
+  );
+}

package/src/utils/schema-utils.ts

@@ -277,3 +277,82 @@ export async function shouldHideStepInSettings<TModel extends FlowModel = FlowMo
 
   return !!hideInSettings;
 }
+
+/**
+ * 解析步骤在设置菜单中的禁用状态与提示文案。
+ * - 支持 StepDefinition.disabledInSettings 与 ActionDefinition.disabledInSettings（step 优先）。
+ * - 支持 StepDefinition.disabledReasonInSettings 与 ActionDefinition.disabledReasonInSettings（step 优先）。
+ * - 以上属性均支持静态值与函数（接收 FlowRuntimeContext）。
+ */
+export async function resolveStepDisabledInSettings<TModel extends FlowModel = FlowModel>(
+  model: TModel,
+  flow: any,
+  step: StepDefinition,
+): Promise<{ disabled: boolean; reason?: string }> {
+  if (!step) return { disabled: false };
+
+  let disabledInSettings = step.disabledInSettings;
+  let disabledReasonInSettings = step.disabledReasonInSettings;
+
+  if ((typeof disabledInSettings === 'undefined' || typeof disabledReasonInSettings === 'undefined') && step.use) {
+    try {
+      const action = model.getAction?.(step.use);
+      if (typeof disabledInSettings === 'undefined') {
+        disabledInSettings = action?.disabledInSettings;
+      }
+      if (typeof disabledReasonInSettings === 'undefined') {
+        disabledReasonInSettings = action?.disabledReasonInSettings;
+      }
+    } catch (error) {
+      console.warn(`Failed to get action ${step.use}:`, error);
+    }
+  }
+
+  let ctx: FlowRuntimeContext<TModel> | null = null;
+  const getContext = () => {
+    if (ctx) return ctx;
+    ctx = new FlowRuntimeContext(model, flow.key, 'settings');
+    setupRuntimeContextSteps(ctx, flow.steps, model, flow.key);
+    ctx.defineProperty('currentStep', { value: step });
+    return ctx;
+  };
+
+  let disabled = false;
+  if (typeof disabledInSettings === 'function') {
+    try {
+      disabled = !!(await disabledInSettings(getContext() as any));
+    } catch (error) {
+      console.warn(`Error evaluating disabledInSettings for step '${step.key || ''}' in flow '${flow.key}':`, error);
+      return { disabled: false };
+    }
+  } else {
+    disabled = !!disabledInSettings;
+  }
+
+  if (!disabled) {
+    return { disabled: false };
+  }
+
+  let reason: string | undefined;
+  if (typeof disabledReasonInSettings === 'function') {
+    try {
+      const resolved = await disabledReasonInSettings(getContext() as any);
+      if (typeof resolved !== 'undefined' && resolved !== null && resolved !== '') {
+        reason = String(resolved);
+      }
+    } catch (error) {
+      console.warn(
+        `Error evaluating disabledReasonInSettings for step '${step.key || ''}' in flow '${flow.key}':`,
+        error,
+      );
+    }
+  } else if (
+    typeof disabledReasonInSettings !== 'undefined' &&
+    disabledReasonInSettings !== null &&
+    disabledReasonInSettings !== ''
+  ) {
+    reason = String(disabledReasonInSettings);
+  }
+
+  return { disabled: true, reason };
+}