npm - @scelar/nodepod - Versions diffs - 1.0.6 → 1.0.8 - Mend

@scelar/nodepod 1.0.6 → 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/README.md +12 -0
package/dist/__sw__.js +31 -5
package/dist/{child_process-Cao4lyrb.cjs → child_process-BD0fAFc1.cjs} +7431 -7435
package/dist/child_process-BD0fAFc1.cjs.map +1 -0
package/dist/{child_process-4ZrgCVFu.js → child_process-DV4uXIWL.js} +8231 -8234
package/dist/child_process-DV4uXIWL.js.map +1 -0
package/dist/cross-origin.d.ts +2 -0
package/dist/{index-DuYo2yDs.cjs → index-DVbLKdL5.cjs} +38909 -38842
package/dist/index-DVbLKdL5.cjs.map +1 -0
package/dist/{index-HkVqijtm.js → index-DpqCP69G.js} +36969 -36923
package/dist/index-DpqCP69G.js.map +1 -0
package/dist/index.cjs +67 -67
package/dist/index.mjs +61 -61
package/dist/isolation-helpers.d.ts +3 -0
package/dist/packages/archive-extractor.d.ts +2 -0
package/dist/packages/version-resolver.d.ts +1 -0
package/dist/polyfills/readline.d.ts +108 -108
package/dist/request-proxy.d.ts +3 -0
package/dist/sdk/nodepod.d.ts +2 -3
package/dist/sdk/types.d.ts +3 -0
package/dist/threading/offload-types.d.ts +1 -0
package/package.json +1 -1
package/src/cross-origin.ts +49 -0
package/src/iframe-sandbox.ts +11 -7
package/src/isolation-helpers.ts +13 -7
package/src/packages/archive-extractor.ts +3 -0
package/src/packages/installer.ts +1 -0
package/src/packages/version-resolver.ts +2 -0
package/src/request-proxy.ts +43 -9
package/src/sdk/nodepod.ts +134 -80
package/src/sdk/types.ts +3 -0
package/src/threading/offload-types.ts +1 -0
package/src/threading/offload-worker.ts +15 -0
package/dist/child_process-4ZrgCVFu.js.map +0 -1
package/dist/child_process-Cao4lyrb.cjs.map +0 -1
package/dist/index-DuYo2yDs.cjs.map +0 -1
package/dist/index-HkVqijtm.js.map +0 -1

package/README.md CHANGED Viewed

@@ -119,6 +119,7 @@ Creates a fully wired nodepod instance.
 | `swUrl` | `string` | — | Service Worker URL (enables preview iframes) |
 | `watermark` | `boolean` | `true` | Show a small "nodepod" badge in preview iframes |
 | `onServerReady` | `(port, url) => void` | — | Callback when a virtual server starts listening |
+| `allowedFetchDomains` | `string[] \| null` | npm/github defaults | Extra domains allowed through the CORS proxy. Pass `null` to allow all |
 ### Instance Methods
@@ -151,6 +152,17 @@ Returned by `spawn()`. An EventEmitter with:
 Property: `completion` — a `Promise<void>` that resolves when the process exits.
+## Security
+nodepod includes several security measures for running untrusted code:
+- **CORS proxy domain whitelist** — Proxied fetch requests only go through to whitelisted domains (npm registry, GitHub, esm.sh, etc by default). Extend via the `allowedFetchDomains` boot option or pass `null` to disable
+- **Service Worker auth** — Control messages to the SW require a random token generated at boot, so other scripts on the same origin can't inject preview content
+- **WebSocket bridge auth** — The BroadcastChannel used for WS bridging between preview iframes and the main thread is token-authenticated
+- **Package integrity** — Downloaded npm tarballs are checked against the registry's `shasum` before extraction
+- **Iframe sandbox** — The cross-origin iframe mode uses `sandbox="allow-scripts"` to prevent top-frame navigation, popups, and form submissions
+- **Origin-checked messaging** — The sandbox page validates `event.origin` on incoming messages and only responds to the configured parent origin
 ## Architecture
 ```

package/dist/__sw__.js CHANGED Viewed

@@ -29,6 +29,12 @@ let previewScript = null;
 // Watermark badge shown in preview iframes. On by default.
 let watermarkEnabled = true;
+// auth token from init, checked on control messages
+let authToken = null;
+// ws bridge token, gets baked into the shim script
+let wsToken = null;
 // Standard MIME types by file extension — used as a safety net when
 // the virtual server returns text/html (SPA fallback) or omits Content-Type
 // for paths that are clearly not HTML.
@@ -110,10 +116,20 @@ self.addEventListener("activate", (event) => {
 self.addEventListener("message", (event) => {
   const data = event.data;
+  // init sets up the port + grabs the auth token
   if (data?.type === "init" && data.port) {
     port = data.port;
     port.onmessage = onPortMessage;
+    if (data.token) {
+      authToken = data.token;
+    }
+    return;
   }
+  // everything else needs the right token
+  if (authToken && data?.token !== authToken) return;
   // Allow main thread to register/unregister preview clients
   if (data?.type === "register-preview") {
     previewClients.set(data.clientId, data.serverPort);
@@ -127,6 +143,9 @@ self.addEventListener("message", (event) => {
   if (data?.type === "set-watermark") {
     watermarkEnabled = !!data.enabled;
   }
+  if (data?.type === "set-ws-token") {
+    wsToken = data.wsToken ?? null;
+  }
 });
 function onPortMessage(event) {
@@ -245,12 +264,15 @@ self.addEventListener("fetch", (event) => {
 // to the main thread's request-proxy, which dispatches upgrade events on the
 // virtual HTTP server. Works with any framework/library, not specific to Vite.
-const WS_SHIM_SCRIPT = `<script>
+function getWsShimScript() {
+  const tokenStr = wsToken ? JSON.stringify(wsToken) : "null";
+  return `<script>
 (function() {
   if (window.__nodepodWsShim) return;
   window.__nodepodWsShim = true;
   var NativeWS = window.WebSocket;
   var bc = new BroadcastChannel("nodepod-ws");
+  var _wsToken = ${tokenStr};
   var nextId = 0;
   var active = {};
@@ -300,7 +322,8 @@ const WS_SHIM_SCRIPT = `<script>
       uid: uid,
       port: port,
       path: path,
-      protocols: Array.isArray(protocols) ? protocols.join(",") : (protocols || "")
+      protocols: Array.isArray(protocols) ? protocols.join(",") : (protocols || ""),
+      token: _wsToken
     });
     // Timeout: if no ws-open within 5s, fire error
@@ -347,12 +370,12 @@ const WS_SHIM_SCRIPT = `<script>
       type = "binary";
       payload = Array.from(data);
     }
-    bc.postMessage({ kind: "ws-send", uid: this._uid, data: payload, type: type });
+    bc.postMessage({ kind: "ws-send", uid: this._uid, data: payload, type: type, token: _wsToken });
   };
   NodepodWS.prototype.close = function(code, reason) {
     if (this.readyState >= 2) return;
     this.readyState = 2;
-    bc.postMessage({ kind: "ws-close", uid: this._uid, code: code || 1000, reason: reason || "" });
+    bc.postMessage({ kind: "ws-close", uid: this._uid, code: code || 1000, reason: reason || "", token: _wsToken });
     var self = this;
     setTimeout(function() {
       self.readyState = 3;
@@ -375,6 +398,8 @@ const WS_SHIM_SCRIPT = `<script>
   bc.onmessage = function(ev) {
     var d = ev.data;
     if (!d || !d.uid) return;
+    // check bridge token
+    if (_wsToken && d.token !== _wsToken) return;
     var ws = active[d.uid];
     if (!ws) return;
@@ -414,6 +439,7 @@ const WS_SHIM_SCRIPT = `<script>
   window.WebSocket = NodepodWS;
 })();
 </script>`;
+}
 // Small "nodepod" badge in the bottom-right corner of preview iframes.
 const WATERMARK_SCRIPT = `<script>
@@ -571,7 +597,7 @@ async function proxyToVirtualServer(request, serverPort, path, originalRequest)
     let finalBody = responseBody;
     const ct = respHeaders["content-type"] || respHeaders["Content-Type"] || "";
     if (ct.includes("text/html") && responseBody) {
-      let injection = WS_SHIM_SCRIPT;
+      let injection = getWsShimScript();
       if (previewScript) {
         injection += `<script>${previewScript}<` + `/script>`;
       }