npm - @nocobase/plugin-workflow-javascript - Versions diffs - 2.1.0-alpha.12 → 2.1.0-alpha.14 - Mend

@nocobase/plugin-workflow-javascript 2.1.0-alpha.12 → 2.1.0-alpha.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (145) hide show

package/dist/server/ScriptInstruction.js CHANGED Viewed

@@ -43,13 +43,24 @@ var import_node_events = require("node:events");
 var import_node_path = __toESM(require("node:path"));
 var import_node_worker_threads = require("node:worker_threads");
 var import_winston = __toESM(require("winston"));
+var import_joi = __toESM(require("joi"));
 var import_plugin_workflow = require("@nocobase/plugin-workflow");
 var import_cache_logger = require("./cache-logger");
 class ScriptInstruction extends import_plugin_workflow.Instruction {
+  /**
+   * Returns the worker script path based on whether WORKFLOW_SCRIPT_MODULES is configured.
+   * - WORKFLOW_SCRIPT_MODULES set: uses Node.js vm with require support (module whitelist)
+   * - WORKFLOW_SCRIPT_MODULES unset: uses isolated-vm for maximum security (no require, no Node.js APIs)
+   */
+  static get workerScript() {
+    var _a;
+    const hasModules = ((_a = process.env.WORKFLOW_SCRIPT_MODULES) == null ? void 0 : _a.split(",").filter(Boolean).length) > 0;
+    return import_node_path.default.join(__dirname, hasModules ? "Vm.js" : "IsolatedVm.js");
+  }
   static async run(source, args, options) {
     const { logger, timeout } = options;
     let result;
-    const worker = new import_node_worker_threads.Worker(import_node_path.default.join(__dirname, "Vm.js"), {
+    const worker = new import_node_worker_threads.Worker(this.workerScript, {
       workerData: { source, args, options: timeout ? { timeout } : {} }
     });
     worker.on("message", (message) => {
@@ -92,6 +103,17 @@ class ScriptInstruction extends import_plugin_workflow.Instruction {
       result
     };
   }
+  configSchema = import_joi.default.object({
+    content: import_joi.default.string(),
+    timeout: import_joi.default.number(),
+    continue: import_joi.default.boolean(),
+    arguments: import_joi.default.array().items(
+      import_joi.default.object({
+        name: import_joi.default.string().required(),
+        value: import_joi.default.any()
+      })
+    ).optional()
+  });
   async run(node, prevJob, processor) {
     const { content = "", continue: cont, timeout } = node.config;
     const args = processor.getParsedValue(node.config.arguments ?? [], node.id);

package/dist/server/Vm.js CHANGED Viewed

@@ -28,43 +28,58 @@ function customRequire(m) {
   }
   throw new Error(`module "${m}" not supported`);
 }
-customRequire.constructor = null;
-function createSafeConsole(originalConsole) {
-  const safe = /* @__PURE__ */ Object.create(null);
-  Object.defineProperty(safe, "constructor", {
+function hardenFunction(fn) {
+  Object.setPrototypeOf(fn, null);
+  Object.defineProperty(fn, "constructor", {
     value: null,
     writable: false,
     enumerable: false,
     configurable: false
   });
-  const allKeys = Reflect.ownKeys(originalConsole);
-  for (const key of allKeys) {
-    const descriptor = Object.getOwnPropertyDescriptor(originalConsole, key);
-    if (!descriptor) {
-      continue;
-    }
-    const wrap = (fn) => {
-      const bound = fn.bind(originalConsole);
-      Object.defineProperty(bound, "constructor", {
-        value: null,
+  return fn;
+}
+hardenFunction(customRequire);
+function createSafeConsole(originalConsole) {
+  const safe = /* @__PURE__ */ Object.create(null);
+  const allowedMethods = [
+    "log",
+    "info",
+    "warn",
+    "error",
+    "debug",
+    "trace",
+    "dir",
+    "dirxml",
+    "table",
+    "time",
+    "timeEnd",
+    "timeLog",
+    "count",
+    "countReset",
+    "group",
+    "groupCollapsed",
+    "groupEnd",
+    "clear",
+    "assert"
+  ];
+  for (const key of allowedMethods) {
+    if (typeof originalConsole[key] === "function") {
+      const bound = originalConsole[key].bind(originalConsole);
+      hardenFunction(bound);
+      Object.defineProperty(safe, key, {
+        value: bound,
         writable: false,
-        enumerable: false,
+        enumerable: true,
         configurable: false
       });
-      return bound;
-    };
-    if (typeof descriptor.value === "function") {
-      descriptor.value = wrap(descriptor.value);
-    }
-    if (typeof descriptor.get === "function") {
-      descriptor.get = wrap(descriptor.get);
     }
-    if (typeof descriptor.set === "function") {
-      descriptor.set = wrap(descriptor.set);
-    }
-    descriptor.configurable = false;
-    Object.defineProperty(safe, key, descriptor);
   }
+  Object.defineProperty(safe, "constructor", {
+    value: null,
+    writable: false,
+    enumerable: false,
+    configurable: false
+  });
   return Object.freeze(safe);
 }
 async function main() {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/plugin-workflow-javascript",
-  "version": "2.1.0-alpha.12",
+  "version": "2.1.0-alpha.14",
   "displayName": "Workflow: JavaScript",
   "displayName.zh-CN": "工作流：JavaScript 节点",
   "description": "Execute a piece of JavaScript in an isolated Node.js environment.",
@@ -25,6 +25,8 @@
     "@codemirror/state": "^6.4.1",
     "@codemirror/view": "^6.37.2",
     "codemirror": "^6.0.2",
+    "isolated-vm": "^5.0.4",
+    "joi": "^17.13.3",
     "jshint": "^2.13.6",
     "node-gyp": "^10.2.0"
   },
@@ -36,5 +38,5 @@
     "Workflow"
   ],
   "license": "Apache-2.0",
-  "gitHead": "f12c4a75470590b1670ce54510b96ef94c2cd7a2"
+  "gitHead": "d8735b541de0ff9557bba704de49c799b4962672"
 }