@nocobase/flow-engine 2.0.0-beta.8 → 2.0.0

package/src/utils/runjsValue.ts

@@ -0,0 +1,287 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+export type RunJSValue = {
+  code: string;
+  version?: string;
+};
+
+const RUNJS_ALLOWED_KEYS = new Set(['code', 'version']);
+
+/**
+ * Strictly detect RunJSValue to avoid conflicting with normal constant objects.
+ * - MUST be a plain object (not array)
+ * - MUST include string `code`
+ * - MAY include string `version`
+ * - MUST NOT include any other enumerable keys
+ */
+export function isRunJSValue(value: any): value is RunJSValue {
+  if (!value || typeof value !== 'object') return false;
+  if (Array.isArray(value)) return false;
+  const keys = Object.keys(value);
+  if (!keys.includes('code')) return false;
+  if (typeof (value as any).code !== 'string') return false;
+  if ('version' in value && (value as any).version != null && typeof (value as any).version !== 'string') return false;
+  for (const k of keys) {
+    if (!RUNJS_ALLOWED_KEYS.has(k)) return false;
+  }
+  return true;
+}
+
+export function normalizeRunJSValue(value: RunJSValue): Required<RunJSValue> {
+  return {
+    code: String(value?.code ?? ''),
+    version: String(value?.version ?? 'v1'),
+  };
+}
+
+function stripStringsAndComments(code: string): string {
+  // Keep template literals untouched (may include ${} expressions).
+  let out = '';
+  let state: 'code' | 'single' | 'double' | 'line' | 'block' = 'code';
+  for (let i = 0; i < code.length; i++) {
+    const ch = code[i];
+    const next = i + 1 < code.length ? code[i + 1] : '';
+
+    if (state === 'code') {
+      if (ch === '/' && next === '/') {
+        out += '  ';
+        i++;
+        state = 'line';
+        continue;
+      }
+      if (ch === '/' && next === '*') {
+        out += '  ';
+        i++;
+        state = 'block';
+        continue;
+      }
+      if (ch === "'") {
+        out += ' ';
+        state = 'single';
+        continue;
+      }
+      if (ch === '"') {
+        out += ' ';
+        state = 'double';
+        continue;
+      }
+      out += ch;
+      continue;
+    }
+
+    if (state === 'line') {
+      if (ch === '\n') {
+        out += '\n';
+        state = 'code';
+      } else {
+        out += ' ';
+      }
+      continue;
+    }
+
+    if (state === 'block') {
+      if (ch === '*' && next === '/') {
+        out += '  ';
+        i++;
+        state = 'code';
+      } else {
+        out += ch === '\n' ? '\n' : ' ';
+      }
+      continue;
+    }
+
+    if (state === 'single') {
+      if (ch === '\\') {
+        out += '  ';
+        i++;
+        continue;
+      }
+      if (ch === "'") {
+        out += ' ';
+        state = 'code';
+      } else {
+        out += ch === '\n' ? '\n' : ' ';
+      }
+      continue;
+    }
+
+    // state === 'double'
+    if (ch === '\\') {
+      out += '  ';
+      i++;
+      continue;
+    }
+    if (ch === '"') {
+      out += ' ';
+      state = 'code';
+    } else {
+      out += ch === '\n' ? '\n' : ' ';
+    }
+  }
+  return out;
+}
+
+function stripComments(code: string): string {
+  let out = '';
+  let state: 'code' | 'single' | 'double' | 'line' | 'block' = 'code';
+  for (let i = 0; i < code.length; i++) {
+    const ch = code[i];
+    const next = i + 1 < code.length ? code[i + 1] : '';
+
+    if (state === 'code') {
+      if (ch === '/' && next === '/') {
+        out += '  ';
+        i++;
+        state = 'line';
+        continue;
+      }
+      if (ch === '/' && next === '*') {
+        out += '  ';
+        i++;
+        state = 'block';
+        continue;
+      }
+      if (ch === "'") {
+        out += ch;
+        state = 'single';
+        continue;
+      }
+      if (ch === '"') {
+        out += ch;
+        state = 'double';
+        continue;
+      }
+      out += ch;
+      continue;
+    }
+
+    if (state === 'line') {
+      if (ch === '\n') {
+        out += '\n';
+        state = 'code';
+      } else {
+        out += ' ';
+      }
+      continue;
+    }
+
+    if (state === 'block') {
+      if (ch === '*' && next === '/') {
+        out += '  ';
+        i++;
+        state = 'code';
+      } else {
+        out += ch === '\n' ? '\n' : ' ';
+      }
+      continue;
+    }
+
+    if (state === 'single') {
+      out += ch;
+      if (ch === '\\') {
+        const nextCh = i + 1 < code.length ? code[i + 1] : '';
+        if (nextCh) {
+          out += nextCh;
+          i++;
+        }
+        continue;
+      }
+      if (ch === "'") {
+        state = 'code';
+      }
+      continue;
+    }
+
+    // state === 'double'
+    out += ch;
+    if (ch === '\\') {
+      const nextCh = i + 1 < code.length ? code[i + 1] : '';
+      if (nextCh) {
+        out += nextCh;
+        i++;
+      }
+      continue;
+    }
+    if (ch === '"') {
+      state = 'code';
+    }
+  }
+  return out;
+}
+
+function normalizeSubPath(raw: string): { subPath: string; wildcard: boolean } {
+  if (!raw) return { subPath: '', wildcard: false };
+  let s = raw;
+  // Convert simple string literal keys: ['a'] / ["a"] -> .a
+  s = s.replace(/\[['"]([a-zA-Z_$][a-zA-Z0-9_$]*)['"]\]/g, '.$1');
+
+  // Any remaining bracket access with non-numeric content is considered dynamic -> wildcard.
+  const bracketRe = /\[([^\]]+)\]/g;
+  let m: RegExpExecArray | null;
+  while ((m = bracketRe.exec(s))) {
+    const inner = String(m[1] ?? '').trim();
+    if (/^\d+$/.test(inner)) continue;
+    if (/^['"][a-zA-Z_$][a-zA-Z0-9_$]*['"]$/.test(inner)) continue;
+    return { subPath: s.startsWith('.') ? s.slice(1) : s, wildcard: true };
+  }
+
+  if (s.startsWith('.')) s = s.slice(1);
+  return { subPath: s, wildcard: false };
+}
+
+/**
+ * Heuristic extraction of ctx variable usage from RunJS code.
+ *
+ * Returns a map: varName -> string[] subPaths
+ * - subPath '' means the variable root is used (or dependency is dynamic), caller MAY treat it as wildcard.
+ * - Only best-effort parsing; correctness prefers over-approximation.
+ */
+export function extractUsedVariablePathsFromRunJS(code: string): Record<string, string[]> {
+  if (typeof code !== 'string' || !code.trim()) return {};
+  const src = stripStringsAndComments(code);
+  const srcWithStrings = stripComments(code);
+  const usage = new Map<string, Set<string>>();
+
+  const add = (varName: string, subPath: string) => {
+    if (!varName) return;
+    const set = usage.get(varName) || new Set<string>();
+    set.add(subPath || '');
+    usage.set(varName, set);
+  };
+
+  // dot form: ctx.foo.bar / ctx.foo[0].bar (excluding ctx.method(...))
+  const dotRe = /ctx\.([a-zA-Z_$][a-zA-Z0-9_$]*(?:(?:\.[a-zA-Z_$][a-zA-Z0-9_$]*)|(?:\[[^\]]+\]))*)(?!\s*\()/g;
+  let match: RegExpExecArray | null;
+  while ((match = dotRe.exec(src))) {
+    const pathAfterCtx = match[1] || '';
+    const firstKeyMatch = pathAfterCtx.match(/^([a-zA-Z_$][a-zA-Z0-9_$]*)/);
+    if (!firstKeyMatch) continue;
+    const firstKey = firstKeyMatch[1];
+    const rest = pathAfterCtx.slice(firstKey.length);
+    const { subPath, wildcard } = normalizeSubPath(rest);
+    add(firstKey, wildcard ? '' : subPath);
+  }
+
+  // bracket root: ctx['foo'].bar / ctx["foo"][0] (excluding ctx['method'](...))
+  const bracketRootRe =
+    /ctx\s*\[\s*(['"])([a-zA-Z_$][a-zA-Z0-9_$]*)\1\s*\]((?:(?:\.[a-zA-Z_$][a-zA-Z0-9_$]*)|(?:\[[^\]]+\]))*)(?!\s*\()/g;
+  while ((match = bracketRootRe.exec(srcWithStrings))) {
+    const varName = match[2] || '';
+    const rest = match[3] || '';
+    const { subPath, wildcard } = normalizeSubPath(rest);
+    add(varName, wildcard ? '' : subPath);
+  }
+
+  const out: Record<string, string[]> = {};
+  for (const [k, set] of usage.entries()) {
+    out[k] = Array.from(set);
+  }
+  return out;
+}

package/src/utils/safeGlobals.ts

@@ -9,12 +9,72 @@
 
 /**
  * 统一的安全全局对象代理：window/document/navigator
- * - window：仅允许常用的定时器、console、Math、Date、FormData、addEventListener、open（安全包装）、location（安全代理）
+ * - window：仅允许常用的定时器、console、Math、Date、FormData、Blob、URL、addEventListener、open（安全包装）、location（安全代理）
  * - document：仅允许 createElement/querySelector/querySelectorAll
  * - navigator：仅提供极少量低风险能力（clipboard.writeText、onLine、language、languages）
  * - 不允许随意访问未声明的属性，最小权限原则
  */
 
+type RunJSSafeGlobalsRegistry = {
+  windowAllow: Set<string>;
+  documentAllow: Set<string>;
+};
+
+function getRunJSSafeGlobalsRegistry(): RunJSSafeGlobalsRegistry {
+  const g: any = globalThis as any;
+  if (g.__nocobaseRunJSSafeGlobalsRegistry?.windowAllow && g.__nocobaseRunJSSafeGlobalsRegistry?.documentAllow) {
+    return g.__nocobaseRunJSSafeGlobalsRegistry as RunJSSafeGlobalsRegistry;
+  }
+  const reg: RunJSSafeGlobalsRegistry = {
+    windowAllow: new Set<string>(),
+    documentAllow: new Set<string>(),
+  };
+  g.__nocobaseRunJSSafeGlobalsRegistry = reg;
+  return reg;
+}
+
+export function registerRunJSSafeWindowGlobals(keys: Iterable<string> | null | undefined): void {
+  if (!keys) return;
+  const reg = getRunJSSafeGlobalsRegistry();
+  for (const k of keys) {
+    if (typeof k !== 'string') continue;
+    const key = k.trim();
+    if (!key) continue;
+    reg.windowAllow.add(key);
+  }
+}
+
+export function registerRunJSSafeDocumentGlobals(keys: Iterable<string> | null | undefined): void {
+  if (!keys) return;
+  const reg = getRunJSSafeGlobalsRegistry();
+  for (const k of keys) {
+    if (typeof k !== 'string') continue;
+    const key = k.trim();
+    if (!key) continue;
+    reg.documentAllow.add(key);
+  }
+}
+
+export function __resetRunJSSafeGlobalsRegistryForTests(): void {
+  const g: any = globalThis as any;
+  if (g.__nocobaseRunJSSafeGlobalsRegistry) {
+    try {
+      g.__nocobaseRunJSSafeGlobalsRegistry.windowAllow?.clear?.();
+      g.__nocobaseRunJSSafeGlobalsRegistry.documentAllow?.clear?.();
+    } catch {
+      // ignore
+    }
+  }
+}
+
+function isAllowedDynamicWindowKey(key: string): boolean {
+  return getRunJSSafeGlobalsRegistry().windowAllow.has(key);
+}
+
+function isAllowedDynamicDocumentKey(key: string): boolean {
+  return getRunJSSafeGlobalsRegistry().documentAllow.has(key);
+}
+
 export function createSafeWindow(extra?: Record<string, any>) {
   // 解析相对 URL 使用脱敏 base（不含 query/hash），避免在解析时泄露敏感信息
   const getSafeBaseHref = () => `${window.location.origin}${window.location.pathname}`;
@@ -151,6 +211,8 @@ export function createSafeWindow(extra?: Record<string, any>) {
     Math,
     Date,
     FormData,
+    ...(typeof Blob !== 'undefined' ? { Blob } : {}),
+    ...(typeof URL !== 'undefined' ? { URL } : {}),
     // 事件侦听仅绑定到真实 window，便于少量需要的全局监听
     addEventListener: addEventListener.bind(window),
     // 安全的 window.open 代理
@@ -160,15 +222,44 @@ export function createSafeWindow(extra?: Record<string, any>) {
     ...(extra || {}),
   };
 
-  return new Proxy(
-    {},
-    {
-      get(_target, prop: string) {
-        if (prop in allowedGlobals) return allowedGlobals[prop];
-        throw new Error(`Access to global property "${prop}" is not allowed.`);
-      },
+  const target: Record<string, any> = Object.create(null);
+
+  return new Proxy(target, {
+    get(t, prop: string | symbol) {
+      if (typeof prop !== 'string') {
+        return Reflect.get(t, prop);
+      }
+
+      if (prop in allowedGlobals) return allowedGlobals[prop];
+      if (Object.prototype.hasOwnProperty.call(t, prop)) return (t as any)[prop];
+      if (isAllowedDynamicWindowKey(prop)) {
+        const v = (window as any)[prop];
+        // Bind functions to the real window to avoid Illegal invocation
+        if (typeof v === 'function') return v.bind(window);
+        return v;
+      }
+
+      throw new Error(`Access to global property "${prop}" is not allowed.`);
     },
-  );
+    set(t, prop: string | symbol, value: any) {
+      if (typeof prop !== 'string') {
+        Reflect.set(t, prop, value);
+        return true;
+      }
+      if (prop in allowedGlobals) {
+        throw new Error(`Mutation of global property "${prop}" is not allowed.`);
+      }
+      (t as any)[prop] = value;
+      return true;
+    },
+    has(t, prop: string | symbol) {
+      if (typeof prop !== 'string') return Reflect.has(t, prop);
+      if (prop in allowedGlobals) return true;
+      if (Object.prototype.hasOwnProperty.call(t, prop)) return true;
+      if (isAllowedDynamicWindowKey(prop)) return true;
+      return false;
+    },
+  });
 }
 
 export function createSafeDocument(extra?: Record<string, any>) {
@@ -178,15 +269,43 @@ export function createSafeDocument(extra?: Record<string, any>) {
     querySelectorAll: document.querySelectorAll.bind(document),
     ...(extra || {}),
   };
-  return new Proxy(
-    {},
-    {
-      get(_target, prop: string) {
-        if (prop in allowed) return allowed[prop];
-        throw new Error(`Access to document property "${prop}" is not allowed.`);
-      },
+  const target: Record<string, any> = Object.create(null);
+  return new Proxy(target, {
+    get(t, prop: string | symbol) {
+      if (typeof prop !== 'string') {
+        return Reflect.get(t, prop);
+      }
+
+      if (prop in allowed) return allowed[prop];
+      if (Object.prototype.hasOwnProperty.call(t, prop)) return (t as any)[prop];
+      if (isAllowedDynamicDocumentKey(prop)) {
+        const v = (document as any)[prop];
+        // Bind functions to the real document to avoid Illegal invocation
+        if (typeof v === 'function') return v.bind(document);
+        return v;
+      }
+
+      throw new Error(`Access to document property "${prop}" is not allowed.`);
     },
-  );
+    set(t, prop: string | symbol, value: any) {
+      if (typeof prop !== 'string') {
+        Reflect.set(t, prop, value);
+        return true;
+      }
+      if (prop in allowed) {
+        throw new Error(`Mutation of document property "${prop}" is not allowed.`);
+      }
+      (t as any)[prop] = value;
+      return true;
+    },
+    has(t, prop: string | symbol) {
+      if (typeof prop !== 'string') return Reflect.has(t, prop);
+      if (prop in allowed) return true;
+      if (Object.prototype.hasOwnProperty.call(t, prop)) return true;
+      if (isAllowedDynamicDocumentKey(prop)) return true;
+      return false;
+    },
+  });
 }
 
 export function createSafeNavigator(extra?: Record<string, any>) {
@@ -233,3 +352,55 @@ export function createSafeNavigator(extra?: Record<string, any>) {
     },
   );
 }
+
+/**
+ * Create a safe globals object for RunJS execution.
+ *
+ * - Always tries to provide `navigator`
+ * - Best-effort provides `window` and `document` in browser environments
+ * - Never throws (so callers can decide how to handle missing globals)
+ */
+export function createSafeRunJSGlobals(extraGlobals?: Record<string, any>): Record<string, any> {
+  const globals: Record<string, any> = {};
+
+  try {
+    const navigator = createSafeNavigator();
+    globals.navigator = navigator;
+    try {
+      globals.window = createSafeWindow({ navigator });
+    } catch {
+      // ignore when window is not available (e.g. SSR/tests)
+    }
+  } catch {
+    // ignore
+  }
+
+  try {
+    globals.document = createSafeDocument();
+  } catch {
+    // ignore when document is not available (e.g. SSR/tests)
+  }
+
+  return extraGlobals ? { ...globals, ...extraGlobals } : globals;
+}
+
+/**
+ * Execute RunJS with safe globals (window/document/navigator).
+ *
+ * Keeps `this` binding by calling `ctx.runjs(...)` instead of passing bare function references.
+ */
+export async function runjsWithSafeGlobals(
+  ctx: unknown,
+  code: string,
+  options?: any,
+  extraGlobals?: Record<string, any>,
+): Promise<any> {
+  if (!ctx || (typeof ctx !== 'object' && typeof ctx !== 'function')) return undefined;
+  const runjs = (ctx as { runjs?: unknown }).runjs;
+  if (typeof runjs !== 'function') return undefined;
+  return (ctx as { runjs: (code: string, variables?: Record<string, any>, options?: any) => Promise<any> }).runjs(
+    code,
+    createSafeRunJSGlobals(extraGlobals),
+    options,
+  );
+}

package/src/utils/schema-utils.ts

@@ -277,3 +277,82 @@ export async function shouldHideStepInSettings<TModel extends FlowModel = FlowMo
 
   return !!hideInSettings;
 }
+
+/**
+ * 解析步骤在设置菜单中的禁用状态与提示文案。
+ * - 支持 StepDefinition.disabledInSettings 与 ActionDefinition.disabledInSettings（step 优先）。
+ * - 支持 StepDefinition.disabledReasonInSettings 与 ActionDefinition.disabledReasonInSettings（step 优先）。
+ * - 以上属性均支持静态值与函数（接收 FlowRuntimeContext）。
+ */
+export async function resolveStepDisabledInSettings<TModel extends FlowModel = FlowModel>(
+  model: TModel,
+  flow: any,
+  step: StepDefinition,
+): Promise<{ disabled: boolean; reason?: string }> {
+  if (!step) return { disabled: false };
+
+  let disabledInSettings = step.disabledInSettings;
+  let disabledReasonInSettings = step.disabledReasonInSettings;
+
+  if ((typeof disabledInSettings === 'undefined' || typeof disabledReasonInSettings === 'undefined') && step.use) {
+    try {
+      const action = model.getAction?.(step.use);
+      if (typeof disabledInSettings === 'undefined') {
+        disabledInSettings = action?.disabledInSettings;
+      }
+      if (typeof disabledReasonInSettings === 'undefined') {
+        disabledReasonInSettings = action?.disabledReasonInSettings;
+      }
+    } catch (error) {
+      console.warn(`Failed to get action ${step.use}:`, error);
+    }
+  }
+
+  let ctx: FlowRuntimeContext<TModel> | null = null;
+  const getContext = () => {
+    if (ctx) return ctx;
+    ctx = new FlowRuntimeContext(model, flow.key, 'settings');
+    setupRuntimeContextSteps(ctx, flow.steps, model, flow.key);
+    ctx.defineProperty('currentStep', { value: step });
+    return ctx;
+  };
+
+  let disabled = false;
+  if (typeof disabledInSettings === 'function') {
+    try {
+      disabled = !!(await disabledInSettings(getContext() as any));
+    } catch (error) {
+      console.warn(`Error evaluating disabledInSettings for step '${step.key || ''}' in flow '${flow.key}':`, error);
+      return { disabled: false };
+    }
+  } else {
+    disabled = !!disabledInSettings;
+  }
+
+  if (!disabled) {
+    return { disabled: false };
+  }
+
+  let reason: string | undefined;
+  if (typeof disabledReasonInSettings === 'function') {
+    try {
+      const resolved = await disabledReasonInSettings(getContext() as any);
+      if (typeof resolved !== 'undefined' && resolved !== null && resolved !== '') {
+        reason = String(resolved);
+      }
+    } catch (error) {
+      console.warn(
+        `Error evaluating disabledReasonInSettings for step '${step.key || ''}' in flow '${flow.key}':`,
+        error,
+      );
+    }
+  } else if (
+    typeof disabledReasonInSettings !== 'undefined' &&
+    disabledReasonInSettings !== null &&
+    disabledReasonInSettings !== ''
+  ) {
+    reason = String(disabledReasonInSettings);
+  }
+
+  return { disabled: true, reason };
+}

package/src/views/__tests__/FlowView.usePage.test.tsx

@@ -13,7 +13,7 @@ import { render, act, waitFor, screen } from '@testing-library/react';
 import { FlowEngine } from '../../flowEngine';
 import { FlowEngineProvider } from '../../provider';
 import { FlowViewer } from '../FlowView';
-import { usePage } from '../usePage';
+import { usePage, GLOBAL_EMBED_CONTAINER_ID } from '../usePage';
 import { App, ConfigProvider } from 'antd';
 
 describe('FlowViewer zIndex with usePage', () => {
@@ -130,4 +130,57 @@ describe('FlowViewer zIndex with usePage', () => {
 
     unmount();
   });
+
+  it('replaces previous embed view when using global #nocobase-embed-container target', async () => {
+    let api: { open: (config: any, flowContext: any) => any } | undefined;
+
+    function TestApp({ onReady }: { onReady: (page: any) => void }) {
+      const [page, pageHolder] = usePage() as [{ open: (config: any, flowContext: any) => any }, React.ReactNode];
+
+      React.useEffect(() => {
+        onReady(page);
+      }, [page, onReady]);
+
+      return <>{pageHolder}</>;
+    }
+
+    const Wrapper: React.FC<{ onReady: (page: any) => void }> = ({ onReady }) => (
+      <ConfigProvider>
+        <App>
+          <FlowEngineProvider engine={engine}>
+            <TestApp onReady={onReady} />
+          </FlowEngineProvider>
+        </App>
+      </ConfigProvider>
+    );
+
+    const target = document.createElement('div');
+    target.id = GLOBAL_EMBED_CONTAINER_ID;
+    document.body.appendChild(target);
+
+    const { unmount } = render(
+      <Wrapper
+        onReady={(page) => {
+          api = page;
+        }}
+      />,
+    );
+
+    await waitFor(() => expect(api).toBeDefined());
+
+    await act(async () => {
+      api!.open({ target, content: <div data-testid="page1">Page 1</div> }, engine.context);
+    });
+    await waitFor(() => expect(screen.getByTestId('page1')).toBeInTheDocument());
+
+    // Opening page2 into the global embed container should destroy page1 (replace behavior).
+    await act(async () => {
+      api!.open({ target, content: <div data-testid="page2">Page 2</div> }, engine.context);
+    });
+    await waitFor(() => expect(screen.getByTestId('page2')).toBeInTheDocument());
+    expect(screen.queryByTestId('page1')).not.toBeInTheDocument();
+
+    unmount();
+    document.body.removeChild(target);
+  });
 });