@ondc/automation-mock-runner 1.3.43 → 1.3.45

package/dist/test/GenerateFetchAndTimeout.test.js

@@ -0,0 +1,240 @@
+"use strict";
+/**
+ * Tests for generate-only fetch allowlist + 45s sandbox setTimeout cap.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const http = __importStar(require("http"));
+const MockRunner_1 = require("../lib/MockRunner");
+const function_registry_1 = require("../lib/constants/function-registry");
+function baseConfig() {
+    return {
+        meta: { domain: "ONDC:TRV14", version: "2.0.0", flowId: "fetch-test" },
+        transaction_data: {
+            transaction_id: "e9e0b5cb-3f15-48a1-9d86-d4d643f0909d",
+            latest_timestamp: "1970-01-01T00:00:00.000Z",
+        },
+        steps: [],
+        transaction_history: [],
+        validationLib: "",
+        helperLib: "",
+    };
+}
+function stepWithGenerate(runner, actionId, genSource) {
+    const step = runner.getDefaultStep("search", actionId);
+    step.mock.generate = MockRunner_1.MockRunner.encodeBase64(genSource);
+    step.mock.inputs = {};
+    return step;
+}
+async function resetSharedRunner() {
+    const sr = MockRunner_1.MockRunner.sharedRunner;
+    if (sr?.terminate) {
+        await sr.terminate();
+    }
+    MockRunner_1.MockRunner.sharedRunner = undefined;
+}
+describe("generate timeout = 45s", () => {
+    afterEach(resetSharedRunner);
+    it("schema advertises a 45s timeout for generate", () => {
+        expect(function_registry_1.FUNCTION_REGISTRY.generate.timeout).toBe(45 * 1000);
+        expect((0, function_registry_1.getFunctionSchema)("generate").timeout).toBe(45 * 1000);
+    });
+    it("other function kinds keep their tighter timeouts", () => {
+        expect(function_registry_1.FUNCTION_REGISTRY.validate.timeout).toBe(5000);
+        expect(function_registry_1.FUNCTION_REGISTRY.meetsRequirements.timeout).toBe(3000);
+    });
+    it("sandbox setTimeout accepts delays up to 45000ms (was capped at 35000)", async () => {
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "delayed", `async function generate(defaultPayload, sessionData) {
+					// Just exercise the clamp — schedule but don't await.
+					setTimeout(() => {}, 40000);
+					return { scheduled: true };
+				}`));
+        const res = await r.runGeneratePayload("delayed", {});
+        expect(res.success).toBe(true);
+        expect(res.result).toEqual({ scheduled: true });
+    });
+    it("sandbox setTimeout still rejects delays above 45000ms", async () => {
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "too-long", `async function generate(defaultPayload, sessionData) {
+					setTimeout(() => {}, 60000);
+					return {};
+				}`));
+        const res = await r.runGeneratePayload("too-long", {});
+        expect(res.success).toBe(false);
+        expect(res.error?.message || "").toMatch(/1-45000ms/);
+    });
+});
+describe("fetch allowlist (generate-only)", () => {
+    let server;
+    let baseUrl;
+    beforeAll(async () => {
+        server = http.createServer((req, res) => {
+            switch (req.url) {
+                case "/v1/ping":
+                    res.writeHead(200, { "content-type": "text/plain" });
+                    res.end("pong");
+                    return;
+                case "/v1/redir":
+                    res.writeHead(302, { location: "http://127.0.0.1:1/nope" });
+                    res.end();
+                    return;
+                case "/v10/foo":
+                    res.writeHead(200);
+                    res.end("v10");
+                    return;
+                case "/other":
+                    res.writeHead(200);
+                    res.end("other");
+                    return;
+                default:
+                    res.writeHead(404);
+                    res.end();
+            }
+        });
+        await new Promise((r) => server.listen(0, "127.0.0.1", () => r()));
+        const addr = server.address();
+        baseUrl = `http://127.0.0.1:${addr.port}`;
+    });
+    afterAll(async () => {
+        await new Promise((r) => server.close(() => r()));
+    });
+    afterEach(resetSharedRunner);
+    it("fetch is undefined when allowlist is empty/unset", async () => {
+        // No initSharedRunner → default runner has no allowlist.
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "fetch-undef", `async function generate(defaultPayload, sessionData) {
+					return { t: typeof fetch };
+				}`));
+        const res = await r.runGeneratePayload("fetch-undef", {});
+        expect(res.success).toBe(true);
+        expect(res.result).toEqual({ t: "undefined" });
+    });
+    it("allows fetch matching origin + path prefix", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "ok", `async function generate(defaultPayload, sessionData) {
+					const res = await fetch("${baseUrl}/v1/ping");
+					const body = await res.text();
+					return { body };
+				}`));
+        const res = await r.runGeneratePayload("ok", {});
+        expect(res.success).toBe(true);
+        expect(res.result).toEqual({ body: "pong" });
+    });
+    it("rejects URLs with non-allowlisted path prefix", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "bad-path", `async function generate(defaultPayload, sessionData) {
+					const res = await fetch("${baseUrl}/other");
+					return { body: await res.text() };
+				}`));
+        const res = await r.runGeneratePayload("bad-path", {});
+        expect(res.success).toBe(false);
+        expect(res.error?.message || "").toMatch(/fetch blocked/);
+    });
+    it("treats /v1 as a strict segment prefix (no /v10/* match)", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "prefix-strict", `async function generate(defaultPayload, sessionData) {
+					const res = await fetch("${baseUrl}/v10/foo");
+					return { body: await res.text() };
+				}`));
+        const res = await r.runGeneratePayload("prefix-strict", {});
+        expect(res.success).toBe(false);
+        expect(res.error?.message || "").toMatch(/fetch blocked/);
+    });
+    it("rejects different origin even with matching path", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "bad-origin", `async function generate(defaultPayload, sessionData) {
+					const res = await fetch("http://example.invalid/v1/ping");
+					return { body: await res.text() };
+				}`));
+        const res = await r.runGeneratePayload("bad-origin", {});
+        expect(res.success).toBe(false);
+        expect(res.error?.message || "").toMatch(/fetch blocked/);
+    });
+    it("blocks 3xx redirects (no allowlist bypass via Location header)", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "redir", `async function generate(defaultPayload, sessionData) {
+					await fetch("${baseUrl}/v1/redir");
+					return { ok: true };
+				}`));
+        const res = await r.runGeneratePayload("redir", {});
+        expect(res.success).toBe(false);
+        // undici surfaces a TypeError when redirect:'error' encounters a 3xx
+        expect((res.error?.message || "").toLowerCase()).toMatch(/redirect|fetch failed/);
+    });
+    it("fetch is not injected into validate even when allowlist is configured", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        const step = r.getDefaultStep("search", "validate-pure");
+        step.mock.inputs = {};
+        step.mock.validate = MockRunner_1.MockRunner.encodeBase64(`function validate(targetPayload, sessionData) {
+				return {
+					valid: typeof fetch === "undefined",
+					code: 200,
+					description: "fetch-absence probe",
+				};
+			}`);
+        r.getConfig().steps.push(step);
+        const res = await r.runValidatePayload("validate-pure", {});
+        expect(res.success).toBe(true);
+        expect(res.result?.valid).toBe(true);
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ondc/automation-mock-runner",
-	"version": "1.3.43",
+	"version": "1.3.45",
 	"description": "A TypeScript library for ONDC automation mock runner",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",
@@ -11,6 +11,8 @@
 		"public"
 	],
 	"scripts": {
+		"helpers:gen": "node scripts/generate-helpers-source.js",
+		"prebuild": "npm run helpers:gen",
 		"build": "npm run clean && tsc",
 		"build:watch": "tsc --watch",
 		"start": "node dist/index.js",
@@ -18,6 +20,7 @@
 		"clean": "rm -rf dist coverage browser-dist",
 		"prepare": "npm run clean && npm run build",
 		"prepublishOnly": "npm run test && npm run build",
+		"pretest": "npm run helpers:gen",
 		"test": "jest",
 		"test:watch": "jest --watch",
 		"test:coverage": "jest --coverage",
@@ -45,7 +48,7 @@
 	"author": "ONDC Development Team <dev@ondc.org>",
 	"license": "ISC",
 	"engines": {
-		"node": ">=16.0.0"
+		"node": ">=18.0.0"
 	},
 	"repository": {
 		"type": "git",

package/public/node-worker.js

@@ -1,8 +1,73 @@
-const { parentPort } = require("worker_threads");
+const { parentPort, workerData } = require("worker_threads");
 const vm = require("vm");
 
+const ALLOWED_FETCH_BASE_URLS = Array.isArray(workerData?.allowedFetchBaseUrls)
+	? workerData.allowedFetchBaseUrls
+	: [];
+
+// Parse + normalize allowlist entries once per worker.
+// Each entry contributes { origin, pathname } where pathname has no trailing
+// slash; matching requires request.origin === entry.origin AND the request
+// pathname is a strict segment-prefix of entry.pathname (so `/v1` matches
+// `/v1` and `/v1/foo` but NOT `/v10/foo`).
+const PARSED_ALLOWLIST = ALLOWED_FETCH_BASE_URLS.map((raw) => {
+	try {
+		const u = new URL(raw);
+		let pathname = u.pathname;
+		if (pathname.endsWith("/") && pathname !== "/") {
+			pathname = pathname.slice(0, -1);
+		}
+		return { origin: u.origin, pathname };
+	} catch {
+		return null;
+	}
+}).filter(Boolean);
+
+function isFetchAllowed(requestUrl) {
+	let parsed;
+	try {
+		parsed = new URL(requestUrl);
+	} catch {
+		return false;
+	}
+	let reqPath = parsed.pathname;
+	if (reqPath.endsWith("/") && reqPath !== "/") {
+		reqPath = reqPath.slice(0, -1);
+	}
+	for (const entry of PARSED_ALLOWLIST) {
+		if (parsed.origin !== entry.origin) continue;
+		if (entry.pathname === "" || entry.pathname === "/") return true;
+		if (reqPath === entry.pathname) return true;
+		if (reqPath.startsWith(entry.pathname + "/")) return true;
+	}
+	return false;
+}
+
+function makeScopedFetch() {
+	if (typeof globalThis.fetch !== "function") {
+		return undefined;
+	}
+	if (PARSED_ALLOWLIST.length === 0) {
+		return undefined;
+	}
+	return async function scopedFetch(input, init) {
+		const requestUrl =
+			typeof input === "string"
+				? input
+				: input && typeof input.url === "string"
+				? input.url
+				: String(input);
+		if (!isFetchAllowed(requestUrl)) {
+			throw new Error(
+				`fetch blocked: ${requestUrl} is not in the configured allowlist`,
+			);
+		}
+		return globalThis.fetch(input, { ...(init || {}), redirect: "error" });
+	};
+}
+
 // Create a secure sandbox context
-function createSandbox() {
+function createSandbox(functionName) {
 	const logs = [];
 
 	// Safe console implementation that captures logs
@@ -108,12 +173,17 @@ function createSandbox() {
 		decodeURIComponent,
 		// Utility functions for ONDC operations
 		setTimeout: (fn, delay) => {
-			if (delay < 1 || delay > 35 * 1000) {
-				throw new Error("Timeout must be between 1-35000ms");
+			if (delay < 1 || delay > 45 * 1000) {
+				throw new Error("Timeout must be between 1-45000ms");
 			}
 			return setTimeout(fn, delay);
 		},
 		clearTimeout,
+		// AbortController is a pure control-flow primitive with no I/O of its
+		// own — safe to expose unconditionally. Needed by helpers that pair
+		// `fetch` with a timeout (see generateConsentHandler).
+		AbortController,
+		AbortSignal,
 		// Blocked globals
 		require: undefined,
 		process: undefined,
@@ -128,6 +198,28 @@ function createSandbox() {
 		Function: undefined,
 	};
 
+	// Only `generate` gets outbound HTTP — validate/meetsRequirements/getSave
+	// stay pure. Fetch itself is still gated by the allowlist inside the wrapper.
+	if (functionName === "generate") {
+		const scopedFetch = makeScopedFetch();
+		if (scopedFetch) {
+			sandbox.fetch = scopedFetch;
+			if (typeof globalThis.URL === "function") sandbox.URL = globalThis.URL;
+			if (typeof globalThis.URLSearchParams === "function") {
+				sandbox.URLSearchParams = globalThis.URLSearchParams;
+			}
+			if (typeof globalThis.Headers === "function") {
+				sandbox.Headers = globalThis.Headers;
+			}
+			if (typeof globalThis.Request === "function") {
+				sandbox.Request = globalThis.Request;
+			}
+			if (typeof globalThis.Response === "function") {
+				sandbox.Response = globalThis.Response;
+			}
+		}
+	}
+
 	return { sandbox, logs };
 }
 
@@ -138,7 +230,7 @@ parentPort?.on("message", async (message) => {
 
 	try {
 		// Create fresh sandbox for each execution
-		const { sandbox, logs } = createSandbox();
+		const { sandbox, logs } = createSandbox(functionName);
 
 		// Create VM context with timeout
 		const context = vm.createContext(sandbox);
@@ -151,7 +243,7 @@ parentPort?.on("message", async (message) => {
 
 		// Execute the script
 		script.runInContext(context, {
-			timeout: timeout || 35000,
+			timeout: timeout || 45000,
 			breakOnSigint: true,
 		});