@nocobase/plugin-flow-engine 2.0.0-alpha.2

package/dist/node_modules/ses/src/tame-domains.js

@@ -0,0 +1,41 @@
+// @ts-check
+
+import {
+  TypeError,
+  globalThis,
+  getOwnPropertyDescriptor,
+  defineProperty,
+} from './commons.js';
+
+export function tameDomains(domainTaming = 'safe') {
+  if (domainTaming === 'unsafe') {
+    return;
+  }
+
+  // Protect against the hazard presented by Node.js domains.
+  const globalProcess = globalThis.process || undefined;
+  if (typeof globalProcess === 'object') {
+    // Check whether domains were initialized.
+    const domainDescriptor = getOwnPropertyDescriptor(globalProcess, 'domain');
+    if (domainDescriptor !== undefined && domainDescriptor.get !== undefined) {
+      // The domain descriptor on Node.js initially has value: null, which
+      // becomes a get, set pair after domains initialize.
+      // See https://github.com/endojs/endo/blob/master/packages/ses/error-codes/SES_NO_DOMAINS.md
+      throw TypeError(
+        `SES failed to lockdown, Node.js domains have been initialized (SES_NO_DOMAINS)`,
+      );
+    }
+    // Prevent domains from initializing.
+    // This is clunky because the exception thrown from the domains package does
+    // not direct the user's gaze toward a knowledge base about the problem.
+    // The domain module merely throws an exception when it attempts to define
+    // the domain property of the process global during its initialization.
+    // We have no better recourse because Node.js uses defineProperty too.
+    defineProperty(globalProcess, 'domain', {
+      value: null,
+      configurable: false,
+      writable: false,
+      enumerable: false,
+    });
+  }
+}

package/dist/node_modules/ses/src/tame-faux-data-properties.js

@@ -0,0 +1,210 @@
+import {
+  getOwnPropertyDescriptor,
+  apply,
+  defineProperty,
+  toStringTagSymbol,
+} from './commons.js';
+
+const throws = thunk => {
+  try {
+    thunk();
+    return false;
+  } catch (er) {
+    return true;
+  }
+};
+
+/**
+ * Exported for convenience of unit testing. Harmless, but not expected
+ * to be useful by itself.
+ *
+ * @param {any} obj
+ * @param {string|symbol} prop
+ * @param {any} expectedValue
+ * @returns {boolean}
+ * Returns whether `tameFauxDataProperty` turned the property in question
+ * from an apparent faux data property into the actual data property it
+ * seemed to emulate.
+ * If this function returns `false`, then we hope no effects happened.
+ * However, sniffing out if an accessor property seems to be a faux data
+ * property requires invoking the getter and setter functions that might
+ * possibly have side effects.
+ * `tameFauxDataProperty` is not in a position to tell.
+ */
+export const tameFauxDataProperty = (obj, prop, expectedValue) => {
+  if (obj === undefined) {
+    // The object does not exist in this version of the platform
+    return false;
+  }
+  const desc = getOwnPropertyDescriptor(obj, prop);
+  if (!desc || 'value' in desc) {
+    // The property either doesn't exist, or is already an actual data property.
+    return false;
+  }
+  const { get, set } = desc;
+  if (typeof get !== 'function' || typeof set !== 'function') {
+    // A faux data property has both a getter and a setter
+    return false;
+  }
+  if (get() !== expectedValue) {
+    // The getter called by itself should produce the expectedValue
+    return false;
+  }
+  if (apply(get, obj, []) !== expectedValue) {
+    // The getter called with `this === obj` should also return the
+    // expectedValue.
+    return false;
+  }
+  const testValue = 'Seems to be a setter';
+  const subject1 = { __proto__: null };
+  apply(set, subject1, [testValue]);
+  if (subject1[prop] !== testValue) {
+    // The setter called with an unrelated object as `this` should
+    // set the property on the object.
+    return false;
+  }
+  const subject2 = { __proto__: obj };
+  apply(set, subject2, [testValue]);
+  if (subject2[prop] !== testValue) {
+    // The setter called on an object that inherits from `obj` should
+    // override the property from `obj` as if by assignment.
+    return false;
+  }
+  if (!throws(() => apply(set, obj, [expectedValue]))) {
+    // The setter called with `this === obj` should throw without having
+    // caused any effect.
+    // This is the test that has the greatest danger of leaving behind some
+    // persistent side effect. The most obvious one is to emulate a
+    // successful assignment to the property. That's why this test
+    // uses `expectedValue`, so that case is likely not to actually
+    // change anything.
+    return false;
+  }
+  if ('originalValue' in get) {
+    // The ses-shim uniquely, as far as we know, puts an `originalValue`
+    // property on the getter, so that reflect property tranversal algorithms,
+    // like `harden`, will traverse into the enulated value without
+    // calling the getter. That does not happen until `permits-intrinsics.js`
+    // which is much later. So if we see one this early, we should
+    // not assume we understand what's going on.
+    return false;
+  }
+
+  // We assume that this code runs before any untrusted code runs, so
+  // we do not need to worry about the above conditions passing because of
+  // malicious intent. In fact, it runs even before vetted shims are supposed
+  // to run, between repair and hardening. Given that, after all these tests
+  // pass, we have adequately validated that the property in question is
+  // an accessor function whose purpose is suppressing the override mistake,
+  // i.e., enabling a non-writable property to be overridden by assignment.
+  // In that case, here we *temporarily* turn it into the data property
+  // it seems to emulate, but writable so that it does not trigger the
+  // override mistake while in this temporary state.
+
+  // For those properties that are also listed in `enablements.js`,
+  // that phase will re-enable override for these properties, but
+  // via accessor functions that SES controls, so we know what they are
+  // doing. In addition, the getter functions installed by
+  // `enable-property-overrides.js` have an `originalValue` field
+  // enabling meta-traversal code like harden to visit the original value
+  // without calling the getter.
+
+  if (desc.configurable === false) {
+    // Even though it seems to be a faux data property, we're unable to fix it.
+    return false;
+  }
+
+  // Many of the `return false;` cases above plausibly should be turned into
+  // errors, or an least generate warnings. However, for those, the checks
+  // following this phase are likely to signal an error anyway.
+
+  // At this point, we have passed all our sniff checks for validating that
+  // it seems to be a faux data property with the expected value. Turn
+  // it into the actual data property it emulates, but writable so there is
+  // not yet an override mistake problem.
+
+  defineProperty(obj, prop, {
+    value: expectedValue,
+    writable: true,
+    enumerable: desc.enumerable,
+    configurable: true,
+  });
+
+  return true;
+};
+
+/**
+ * In JavaScript, the so-called "override mistake" is the inability to
+ * override an inherited non-writable data property by assignment. A common
+ * workaround is to instead define an accessor property that acts like
+ * a non-writable data property, except that it allows an object that
+ * inherits this property to override it by assignment. Let's call
+ * an access property that acts this way a "faux data property". In this
+ * ses-shim, `enable-property-overrides.js` makes the properties listed in
+ * `enablements.js` into faux data properties.
+ *
+ * But the ses-shim is not alone in use of this trick. Starting with the
+ * [Iterator Helpers proposal](https://github.com/tc39/proposal-iterator-helpers),
+ * some properties are defined as (what we call) faux data properties.
+ * Some of these are new properties (`Interator.prototype.constructor`) and
+ * some are old data properties converted to accessor properties
+ * (`Iterator.prototype[String.toStringTag]`). So the ses-shim needs to be
+ * prepared for some enumerated set of properties to already be faux data
+ * properties in the platform prior to our initialization.
+ *
+ * For these possible faux data properties, it is important that
+ * `permits.js` describe each as a data property, so that it can further
+ * constrain the apparent value (that allegedly would be returned by the
+ * getter) according to its own permits.
+ *
+ * However, at the time of this writing, the precise behavior specified
+ * by the iterator-helpers proposal for these faux data properties is
+ * novel. We should not be too confident that all further such platform
+ * additions do what we would now expect. So, for each of these possible
+ * faux data properties, we do some sniffing to see if it behaves as we
+ * currently expect a faux data property to act. If not, then
+ * `tameFauxDataProperties` tries not to modify it, leaving it to later
+ * checks, especially `permits-intrinsics.js`, to error when it sees an
+ * unexpected accessor.
+ *
+ * If one of these enumerated accessor properties does seem to be
+ * a faithful faux data property, then `tameFauxDataProperties` itself
+ * *tempoarily* turns it into the actual data property that it seems to emulate.
+ * This data property starts as writable, so that in this state it will
+ * not trigger the override mistake, i.e., assignment to an object inheriting
+ * this property is allowed to succeed at overriding this property.
+ *
+ * For those properties that should be a faux data property rather than an
+ * actual one, such as those from the iterator-helpers proposal,
+ * they should be listed as such in `enablements.js`, so
+ * `enable-property-overrides.js` will turn it back into a faux data property.
+ * But one controlled by the ses-shim, whose behavior we understand.
+ *
+ * `tameFauxDataProperties`, which turns these into actual data properties,
+ * happens during the `repairIntrinsics` phase
+ * of `lockdown`, before even vetted shim are supposed to run.
+ * `enable-property-overrides.js` runs after vetted shims, turning the
+ * appropriate ones back into faux data properties. Thus vetted shims
+ * can observe the possibly non-conforming state where these are temporarily
+ * actual data properties, rather than faux data properties.
+ *
+ * Coordinate the property enumeration here
+ * with `enablements.js`, so the appropriate properties are
+ * turned back to faux data properties.
+ *
+ * @param {Record<any,any>} intrinsics
+ */
+export const tameFauxDataProperties = intrinsics => {
+  // https://github.com/tc39/proposal-iterator-helpers
+  tameFauxDataProperty(
+    intrinsics['%IteratorPrototype%'],
+    'constructor',
+    intrinsics.Iterator,
+  );
+  // https://github.com/tc39/proposal-iterator-helpers
+  tameFauxDataProperty(
+    intrinsics['%IteratorPrototype%'],
+    toStringTagSymbol,
+    'Iterator',
+  );
+};

package/dist/node_modules/ses/src/tame-function-constructors.js

@@ -0,0 +1,140 @@
+import {
+  FERAL_FUNCTION,
+  SyntaxError,
+  TypeError,
+  defineProperties,
+  getPrototypeOf,
+  setPrototypeOf,
+  freeze,
+  AsyncGeneratorFunctionInstance,
+} from './commons.js';
+
+// This module replaces the original `Function` constructor, and the original
+// `%GeneratorFunction%`, `%AsyncFunction%` and `%AsyncGeneratorFunction%`,
+// with safe replacements that throw if invoked.
+//
+// These are all reachable via syntax, so it isn't sufficient to just
+// replace global properties with safe versions. Our main goal is to prevent
+// access to the `Function` constructor through these starting points.
+//
+// After modules block is done, the originals must no longer be reachable,
+// unless a copy has been made, and functions can only be created by syntax
+// (using eval) or by invoking a previously saved reference to the originals.
+//
+// Typically, this module will not be used directly, but via the
+// [lockdown - shim] which handles all necessary repairs and taming in SES.
+//
+// Relation to ECMA specifications
+//
+// The taming of constructors really wants to be part of the standard, because
+// new constructors may be added in the future, reachable from syntax, and this
+// list must be updated to match.
+//
+// In addition, the standard needs to define four new intrinsics for the safe
+// replacement functions. See [./permits-intrinsics.js].
+//
+// Adapted from SES/Caja
+// Copyright (C) 2011 Google Inc.
+// https://github.com/google/caja/blob/master/src/com/google/caja/ses/startSES.js
+// https://github.com/google/caja/blob/master/src/com/google/caja/ses/repairES5.js
+
+/**
+ * tameFunctionConstructors()
+ * This block replaces the original Function constructor, and the original
+ * %GeneratorFunction% %AsyncFunction% and %AsyncGeneratorFunction%, with
+ * safe replacements that throw if invoked.
+ */
+export default function tameFunctionConstructors() {
+  try {
+    // Verify that the method is not callable.
+    // eslint-disable-next-line @endo/no-polymorphic-call
+    FERAL_FUNCTION.prototype.constructor('return 1');
+  } catch (ignore) {
+    // Throws, no need to patch.
+    return freeze({});
+  }
+
+  const newIntrinsics = {};
+
+  /*
+   * The process to repair constructors:
+   * 1. Create an instance of the function by evaluating syntax
+   * 2. Obtain the prototype from the instance
+   * 3. Create a substitute tamed constructor
+   * 4. Replace the original constructor with the tamed constructor
+   * 5. Replace tamed constructor prototype property with the original one
+   * 6. Replace its [[Prototype]] slot with the tamed constructor of Function
+   */
+  function repairFunction(name, intrinsicName, declaration) {
+    let FunctionInstance;
+    try {
+      // eslint-disable-next-line no-eval, no-restricted-globals
+      FunctionInstance = (0, eval)(declaration);
+    } catch (e) {
+      if (e instanceof SyntaxError) {
+        // Prevent failure on platforms where async and/or generators
+        // are not supported.
+        return;
+      }
+      // Re-throw
+      throw e;
+    }
+    const FunctionPrototype = getPrototypeOf(FunctionInstance);
+
+    // Prevents the evaluation of source when calling constructor on the
+    // prototype of functions.
+    // eslint-disable-next-line func-names
+    const InertConstructor = function () {
+      throw TypeError(
+        'Function.prototype.constructor is not a valid constructor.',
+      );
+    };
+    defineProperties(InertConstructor, {
+      prototype: { value: FunctionPrototype },
+      name: {
+        value: name,
+        writable: false,
+        enumerable: false,
+        configurable: true,
+      },
+    });
+
+    defineProperties(FunctionPrototype, {
+      constructor: { value: InertConstructor },
+    });
+
+    // Reconstructs the inheritance among the new tamed constructors
+    // to mirror the original specified in normal JS.
+    if (InertConstructor !== FERAL_FUNCTION.prototype.constructor) {
+      setPrototypeOf(InertConstructor, FERAL_FUNCTION.prototype.constructor);
+    }
+
+    newIntrinsics[intrinsicName] = InertConstructor;
+  }
+
+  // Here, the order of operation is important: Function needs to be repaired
+  // first since the other repaired constructors need to inherit from the
+  // tamed Function function constructor.
+
+  repairFunction('Function', '%InertFunction%', '(function(){})');
+  repairFunction(
+    'GeneratorFunction',
+    '%InertGeneratorFunction%',
+    '(function*(){})',
+  );
+  repairFunction(
+    'AsyncFunction',
+    '%InertAsyncFunction%',
+    '(async function(){})',
+  );
+
+  if (AsyncGeneratorFunctionInstance !== undefined) {
+    repairFunction(
+      'AsyncGeneratorFunction',
+      '%InertAsyncGeneratorFunction%',
+      '(async function*(){})',
+    );
+  }
+
+  return newIntrinsics;
+}

package/dist/node_modules/ses/src/tame-function-tostring.js

@@ -0,0 +1,50 @@
+import {
+  WeakSet,
+  defineProperty,
+  freeze,
+  functionPrototype,
+  functionToString,
+  stringEndsWith,
+  weaksetAdd,
+  weaksetHas,
+} from './commons.js';
+
+const nativeSuffix = ') { [native code] }';
+
+// Note: Top level mutable state. Does not make anything worse, since the
+// patching of `Function.prototype.toString` is also globally stateful. We
+// use this top level state so that multiple calls to `tameFunctionToString` are
+// idempotent, rather than creating redundant indirections.
+let markVirtualizedNativeFunction;
+
+/**
+ * Replace `Function.prototype.toString` with one that recognizes
+ * shimmed functions as honorary native functions.
+ */
+export const tameFunctionToString = () => {
+  if (markVirtualizedNativeFunction === undefined) {
+    const virtualizedNativeFunctions = new WeakSet();
+
+    const tamingMethods = {
+      toString() {
+        const str = functionToString(this);
+        if (
+          stringEndsWith(str, nativeSuffix) ||
+          !weaksetHas(virtualizedNativeFunctions, this)
+        ) {
+          return str;
+        }
+        return `function ${this.name}() { [native code] }`;
+      },
+    };
+
+    defineProperty(functionPrototype, 'toString', {
+      value: tamingMethods.toString,
+    });
+
+    markVirtualizedNativeFunction = freeze(func =>
+      weaksetAdd(virtualizedNativeFunctions, func),
+    );
+  }
+  return markVirtualizedNativeFunction;
+};

package/dist/node_modules/ses/src/tame-harden.js

@@ -0,0 +1,29 @@
+/* eslint-disable no-restricted-globals */
+import { freeze } from './commons.js';
+
+/** @import {Harden} from '../types.js'; */
+
+/** @type {(safeHarden: Harden, hardenTaming: 'safe' | 'unsafe') => Harden} */
+export const tameHarden = (safeHarden, hardenTaming) => {
+  if (hardenTaming === 'safe') {
+    return safeHarden;
+  }
+
+  // In on the joke
+  Object.isExtensible = () => false;
+  Object.isFrozen = () => true;
+  Object.isSealed = () => true;
+  Reflect.isExtensible = () => false;
+
+  // @ts-expect-error secret property
+  if (safeHarden.isFake) {
+    // The "safe" hardener is already a fake hardener.
+    // Just use it.
+    return safeHarden;
+  }
+
+  const fakeHarden = arg => arg;
+  fakeHarden.isFake = true;
+  return freeze(fakeHarden);
+};
+freeze(tameHarden);

package/dist/node_modules/ses/src/tame-locale-methods.js

@@ -0,0 +1,78 @@
+import {
+  Number,
+  String,
+  TypeError,
+  defineProperty,
+  getOwnPropertyNames,
+  isPrimitive,
+  regexpExec,
+} from './commons.js';
+import { assert } from './error/assert.js';
+
+const { Fail, quote: q } = assert;
+
+const localePattern = /^(\w*[a-z])Locale([A-Z]\w*)$/;
+
+// Use concise methods to obtain named functions without constructor
+// behavior or `.prototype` property.
+const tamedMethods = {
+  // See https://tc39.es/ecma262/#sec-string.prototype.localecompare
+  localeCompare(arg) {
+    if (this === null || this === undefined) {
+      throw TypeError(
+        'Cannot localeCompare with null or undefined "this" value',
+      );
+    }
+    const s = `${this}`;
+    const that = `${arg}`;
+    if (s < that) {
+      return -1;
+    }
+    if (s > that) {
+      return 1;
+    }
+    s === that || Fail`expected ${q(s)} and ${q(that)} to compare`;
+    return 0;
+  },
+
+  toString() {
+    return `${this}`;
+  },
+};
+
+const nonLocaleCompare = tamedMethods.localeCompare;
+const numberToString = tamedMethods.toString;
+
+export default function tameLocaleMethods(intrinsics, localeTaming = 'safe') {
+  if (localeTaming === 'unsafe') {
+    return;
+  }
+
+  defineProperty(String.prototype, 'localeCompare', {
+    value: nonLocaleCompare,
+  });
+
+  for (const intrinsicName of getOwnPropertyNames(intrinsics)) {
+    const intrinsic = intrinsics[intrinsicName];
+    if (!isPrimitive(intrinsic)) {
+      for (const methodName of getOwnPropertyNames(intrinsic)) {
+        const match = regexpExec(localePattern, methodName);
+        if (match) {
+          typeof intrinsic[methodName] === 'function' ||
+            Fail`expected ${q(methodName)} to be a function`;
+          const nonLocaleMethodName = `${match[1]}${match[2]}`;
+          const method = intrinsic[nonLocaleMethodName];
+          typeof method === 'function' ||
+            Fail`function ${q(nonLocaleMethodName)} not found`;
+          defineProperty(intrinsic, methodName, { value: method });
+        }
+      }
+    }
+  }
+
+  // Numbers are special because toString accepts a radix instead of ignoring
+  // all of the arguments that we would otherwise forward.
+  defineProperty(Number.prototype, 'toLocaleString', {
+    value: numberToString,
+  });
+}

package/dist/node_modules/ses/src/tame-math-object.js

@@ -0,0 +1,41 @@
+import {
+  Math,
+  TypeError,
+  create,
+  getOwnPropertyDescriptors,
+  objectPrototype,
+} from './commons.js';
+
+export default function tameMathObject() {
+  const originalMath = Math;
+  const initialMath = originalMath; // to follow the naming pattern
+
+  const { random: _, ...otherDescriptors } =
+    getOwnPropertyDescriptors(originalMath);
+
+  // Use concise methods to obtain named functions without constructors.
+  const tamedMethods = {
+    /**
+     * `%SharedMath%.random()` throws a TypeError starting with "secure mode".
+     * See https://github.com/endojs/endo/issues/910#issuecomment-1581855420
+     */
+    random() {
+      throw TypeError('secure mode %SharedMath%.random() throws');
+    },
+  };
+
+  const sharedMath = create(objectPrototype, {
+    ...otherDescriptors,
+    random: {
+      value: tamedMethods.random,
+      writable: true,
+      enumerable: false,
+      configurable: true,
+    },
+  });
+
+  return {
+    '%InitialMath%': initialMath,
+    '%SharedMath%': sharedMath,
+  };
+}

package/dist/node_modules/ses/src/tame-module-source.js

@@ -0,0 +1,51 @@
+import {
+  functionPrototype,
+  getPrototypeOf,
+  globalThis,
+  objectPrototype,
+  setPrototypeOf,
+} from './commons.js';
+
+export const tameModuleSource = () => {
+  const newIntrinsics = {};
+
+  const ModuleSource = globalThis.ModuleSource;
+  if (ModuleSource !== undefined) {
+    newIntrinsics.ModuleSource = ModuleSource;
+
+    // We introduce ModuleSource.[[Proto]] === AbstractModuleSource
+    // and ModuleSource.prototype.[[Proto]] === AbstractModuleSource.prototype
+    // if that layer is absent because the permitting system can more
+    // gracefully tolerate the absence of an expected prototype than the
+    // presence of an unexpected prototype,.
+    function AbstractModuleSource() {
+      // no-op safe to super()
+    }
+
+    const ModuleSourceProto = getPrototypeOf(ModuleSource);
+    if (ModuleSourceProto === functionPrototype) {
+      setPrototypeOf(ModuleSource, AbstractModuleSource);
+      newIntrinsics['%AbstractModuleSource%'] = AbstractModuleSource;
+      newIntrinsics['%AbstractModuleSourcePrototype%'] =
+        AbstractModuleSource.prototype;
+    } else {
+      newIntrinsics['%AbstractModuleSource%'] = ModuleSourceProto;
+      newIntrinsics['%AbstractModuleSourcePrototype%'] =
+        ModuleSourceProto.prototype;
+    }
+
+    const ModuleSourcePrototype = ModuleSource.prototype;
+    if (ModuleSourcePrototype !== undefined) {
+      newIntrinsics['%ModuleSourcePrototype%'] = ModuleSourcePrototype;
+
+      // ModuleSource.prototype.__proto__ should be the
+      // AbstractModuleSource.prototype.
+      const ModuleSourcePrototypeProto = getPrototypeOf(ModuleSourcePrototype);
+      if (ModuleSourcePrototypeProto === objectPrototype) {
+        setPrototypeOf(ModuleSource.prototype, AbstractModuleSource.prototype);
+      }
+    }
+  }
+
+  return newIntrinsics;
+};

package/dist/node_modules/ses/src/tame-regenerator-runtime.js

@@ -0,0 +1,29 @@
+import {
+  defineProperty,
+  iteratorPrototype,
+  iteratorSymbol,
+  hasOwn,
+} from './commons.js';
+
+export const tameRegeneratorRuntime = () => {
+  const iter = iteratorPrototype[iteratorSymbol];
+  defineProperty(iteratorPrototype, iteratorSymbol, {
+    configurable: true,
+    get() {
+      return iter;
+    },
+    set(value) {
+      // ignore the assignment on IteratorPrototype
+      if (this === iteratorPrototype) return;
+      if (hasOwn(this, iteratorSymbol)) {
+        this[iteratorSymbol] = value;
+      }
+      defineProperty(this, iteratorSymbol, {
+        value,
+        writable: true,
+        enumerable: true,
+        configurable: true,
+      });
+    },
+  });
+};