@scelar/nodepod 1.0.7 → 1.0.9

package/src/cross-origin.ts

@@ -1,26 +1,75 @@
-// optional CORS proxy for APIs that don't allow browser origins
-
-let activeProxy: string | null = null;
-
-export function setProxy(url: string | null): void {
-  activeProxy = url;
-}
-
-export function getProxy(): string | null {
-  return activeProxy;
-}
-
-export function isProxyActive(): boolean {
-  return activeProxy !== null;
-}
-
-export async function proxiedFetch(url: string, init?: RequestInit): Promise<Response> {
-  if (activeProxy) {
-    return fetch(activeProxy + encodeURIComponent(url), init);
-  }
-  return fetch(url, init);
-}
-
-export function resolveProxyUrl(url: string): string {
-  return activeProxy ? activeProxy + encodeURIComponent(url) : url;
-}
+// optional CORS proxy for APIs that don't allow browser origins
+
+let activeProxy: string | null = null;
+let allowedDomains: Set<string> | null = null;
+
+const DEFAULT_ALLOWED_DOMAINS = [
+  'registry.npmjs.org',
+  'github.com',
+  'raw.githubusercontent.com',
+  'api.github.com',
+  'objects.githubusercontent.com',
+  'esm.sh',
+  'unpkg.com',
+  'cdn.jsdelivr.net',
+  'localhost',
+  '127.0.0.1',
+];
+
+export function setProxy(url: string | null): void {
+  activeProxy = url;
+}
+
+export function getProxy(): string | null {
+  return activeProxy;
+}
+
+export function isProxyActive(): boolean {
+  return activeProxy !== null;
+}
+
+// set allowed domains for proxied fetches. extra domains get merged with defaults.
+// pass null to turn off the whitelist
+export function setAllowedDomains(domains: string[] | null): void {
+  if (domains === null) {
+    allowedDomains = null;
+    return;
+  }
+  allowedDomains = new Set([...DEFAULT_ALLOWED_DOMAINS, ...domains]);
+}
+
+export function getAllowedDomains(): string[] | null {
+  return allowedDomains ? [...allowedDomains] : null;
+}
+
+function isDomainAllowed(url: string): boolean {
+  if (!allowedDomains) return true;
+  try {
+    const hostname = new URL(url).hostname;
+    for (const allowed of allowedDomains) {
+      if (hostname === allowed || hostname.endsWith('.' + allowed)) {
+        return true;
+      }
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+
+export async function proxiedFetch(url: string, init?: RequestInit): Promise<Response> {
+  if (activeProxy) {
+    if (!isDomainAllowed(url)) {
+      throw new Error(`Fetch blocked: "${new URL(url).hostname}" is not in the allowedFetchDomains whitelist`);
+    }
+    return fetch(activeProxy + encodeURIComponent(url), init);
+  }
+  return fetch(url, init);
+}
+
+export function resolveProxyUrl(url: string): string {
+  if (activeProxy && !isDomainAllowed(url)) {
+    throw new Error(`Fetch blocked: "${new URL(url).hostname}" is not in the allowedFetchDomains whitelist`);
+  }
+  return activeProxy ? activeProxy + encodeURIComponent(url) : url;
+}

package/src/iframe-sandbox.ts

@@ -1,141 +1,145 @@
-// executes code in a cross-origin iframe for maximum browser isolation
-
-import type { MemoryVolume } from './memory-volume';
-import type { IScriptEngine, ExecutionOutcome, EngineConfig, VolumeSnapshot } from './engine-types';
-
-interface CrossOriginMessage {
-  type: 'init' | 'execute' | 'runFile' | 'clearCache' | 'syncFile' | 'ready' | 'result' | 'error' | 'console';
-  id?: string;
-  code?: string;
-  filename?: string;
-  snapshot?: VolumeSnapshot;
-  config?: EngineConfig;
-  result?: ExecutionOutcome;
-  error?: string;
-  path?: string;
-  content?: string | null;
-  consoleMethod?: string;
-  consoleArgs?: unknown[];
-}
-
-export class IframeSandbox implements IScriptEngine {
-  private frame: HTMLIFrameElement;
-  private targetOrigin: string;
-  private vol: MemoryVolume;
-  private cfg: EngineConfig;
-  private ready: Promise<void>;
-  private pendingCalls = new Map<string, { resolve: (r: ExecutionOutcome) => void; reject: (e: Error) => void }>();
-  private nextId = 0;
-  private onFileChange: ((p: string, c: string) => void) | null = null;
-  private onFileDelete: ((p: string) => void) | null = null;
-  private onMessage: ((e: MessageEvent) => void) | null = null;
-
-  constructor(sandboxUrl: string, vol: MemoryVolume, cfg: EngineConfig = {}) {
-    this.targetOrigin = new URL(sandboxUrl).origin;
-    this.vol = vol;
-    this.cfg = cfg;
-
-    this.frame = document.createElement('iframe');
-    this.frame.src = sandboxUrl;
-    this.frame.style.display = 'none';
-    // @ts-expect-error - credentialless attribute may not exist in types
-    this.frame.credentialless = true;
-    this.frame.setAttribute('credentialless', '');
-    document.body.appendChild(this.frame);
-
-    this.bindMessageHandler();
-    this.ready = this.awaitReady().then(() => this.sendInit());
-    this.attachVolumeSync();
-  }
-
-  private bindMessageHandler(): void {
-    this.onMessage = (event: MessageEvent) => {
-      if (event.origin !== this.targetOrigin) return;
-      const msg = event.data as CrossOriginMessage;
-
-      if (msg.type === 'result' && msg.id) {
-        const pending = this.pendingCalls.get(msg.id);
-        if (pending && msg.result) { pending.resolve(msg.result); this.pendingCalls.delete(msg.id); }
-      } else if (msg.type === 'error' && msg.id) {
-        const pending = this.pendingCalls.get(msg.id);
-        if (pending) { pending.reject(new Error(msg.error || 'Sandbox error')); this.pendingCalls.delete(msg.id); }
-      } else if (msg.type === 'console' && this.cfg.onConsole) {
-        this.cfg.onConsole(msg.consoleMethod || 'log', msg.consoleArgs || []);
-      }
-    };
-    window.addEventListener('message', this.onMessage);
-  }
-
-  private awaitReady(): Promise<void> {
-    return new Promise(resolve => {
-      const handler = (event: MessageEvent) => {
-        if (event.origin !== this.targetOrigin) return;
-        if ((event.data as CrossOriginMessage).type === 'ready') {
-          window.removeEventListener('message', handler);
-          resolve();
-        }
-      };
-      window.addEventListener('message', handler);
-    });
-  }
-
-  private async sendInit(): Promise<void> {
-    const msg: CrossOriginMessage = {
-      type: 'init',
-      snapshot: this.vol.toSnapshot(),
-      config: { cwd: this.cfg.cwd, env: this.cfg.env },
-    };
-    this.frame.contentWindow?.postMessage(msg, this.targetOrigin);
-  }
-
-  private attachVolumeSync(): void {
-    this.onFileChange = (path, content) => {
-      this.frame.contentWindow?.postMessage({ type: 'syncFile', path, content } as CrossOriginMessage, this.targetOrigin);
-    };
-    this.vol.on('change', this.onFileChange);
-
-    this.onFileDelete = (path) => {
-      this.frame.contentWindow?.postMessage({ type: 'syncFile', path, content: null } as CrossOriginMessage, this.targetOrigin);
-    };
-    this.vol.on('delete', this.onFileDelete);
-  }
-
-  private dispatch(msg: CrossOriginMessage): Promise<ExecutionOutcome> {
-    return new Promise((resolve, reject) => {
-      const id = String(this.nextId++);
-      this.pendingCalls.set(id, { resolve, reject });
-      this.frame.contentWindow?.postMessage({ ...msg, id }, this.targetOrigin);
-      setTimeout(() => {
-        if (this.pendingCalls.has(id)) {
-          this.pendingCalls.delete(id);
-          reject(new Error('Sandbox execution timeout'));
-        }
-      }, 60000);
-    });
-  }
-
-  async execute(code: string, filename?: string): Promise<ExecutionOutcome> {
-    await this.ready;
-    return this.dispatch({ type: 'execute', code, filename });
-  }
-
-  async runFile(filename: string): Promise<ExecutionOutcome> {
-    await this.ready;
-    return this.dispatch({ type: 'runFile', filename });
-  }
-
-  clearCache(): void {
-    this.frame.contentWindow?.postMessage({ type: 'clearCache' } as CrossOriginMessage, this.targetOrigin);
-  }
-
-  getVolume(): MemoryVolume { return this.vol; }
-
-  terminate(): void {
-    if (this.onFileChange) this.vol.off('change', this.onFileChange);
-    if (this.onFileDelete) this.vol.off('delete', this.onFileDelete);
-    if (this.onMessage) window.removeEventListener('message', this.onMessage);
-    this.frame.remove();
-    for (const [, { reject }] of this.pendingCalls) reject(new Error('Sandbox terminated'));
-    this.pendingCalls.clear();
-  }
-}
+// executes code in a cross-origin iframe for maximum browser isolation
+
+import type { MemoryVolume } from './memory-volume';
+import type { IScriptEngine, ExecutionOutcome, EngineConfig, VolumeSnapshot } from './engine-types';
+
+interface CrossOriginMessage {
+  type: 'init' | 'execute' | 'runFile' | 'clearCache' | 'syncFile' | 'ready' | 'result' | 'error' | 'console';
+  id?: string;
+  code?: string;
+  filename?: string;
+  snapshot?: VolumeSnapshot;
+  config?: EngineConfig;
+  result?: ExecutionOutcome;
+  error?: string;
+  path?: string;
+  content?: string | null;
+  consoleMethod?: string;
+  consoleArgs?: unknown[];
+}
+
+export class IframeSandbox implements IScriptEngine {
+  private frame: HTMLIFrameElement;
+  private targetOrigin: string;
+  private vol: MemoryVolume;
+  private cfg: EngineConfig;
+  private ready: Promise<void>;
+  private pendingCalls = new Map<string, { resolve: (r: ExecutionOutcome) => void; reject: (e: Error) => void }>();
+  private nextId = 0;
+  private onFileChange: ((p: string, c: string) => void) | null = null;
+  private onFileDelete: ((p: string) => void) | null = null;
+  private onMessage: ((e: MessageEvent) => void) | null = null;
+
+  constructor(sandboxUrl: string, vol: MemoryVolume, cfg: EngineConfig = {}) {
+    this.targetOrigin = new URL(sandboxUrl).origin;
+    this.vol = vol;
+    this.cfg = cfg;
+
+    this.frame = document.createElement('iframe');
+    this.frame.src = sandboxUrl;
+    this.frame.style.display = 'none';
+    // @ts-expect-error - credentialless attribute may not exist in types
+    this.frame.credentialless = true;
+    this.frame.setAttribute('credentialless', '');
+    this.frame.setAttribute('sandbox', 'allow-scripts');
+    document.body.appendChild(this.frame);
+
+    this.bindMessageHandler();
+    this.ready = this.awaitReady().then(() => this.sendInit());
+    this.attachVolumeSync();
+  }
+
+  private bindMessageHandler(): void {
+    this.onMessage = (event: MessageEvent) => {
+      // sandbox="allow-scripts" without allow-same-origin makes the origin "null"
+      if (event.origin !== 'null' && event.origin !== this.targetOrigin) return;
+      const msg = event.data as CrossOriginMessage;
+
+      if (msg.type === 'result' && msg.id) {
+        const pending = this.pendingCalls.get(msg.id);
+        if (pending && msg.result) { pending.resolve(msg.result); this.pendingCalls.delete(msg.id); }
+      } else if (msg.type === 'error' && msg.id) {
+        const pending = this.pendingCalls.get(msg.id);
+        if (pending) { pending.reject(new Error(msg.error || 'Sandbox error')); this.pendingCalls.delete(msg.id); }
+      } else if (msg.type === 'console' && this.cfg.onConsole) {
+        this.cfg.onConsole(msg.consoleMethod || 'log', msg.consoleArgs || []);
+      }
+    };
+    window.addEventListener('message', this.onMessage);
+  }
+
+  private awaitReady(): Promise<void> {
+    return new Promise(resolve => {
+      const handler = (event: MessageEvent) => {
+        if (event.origin !== 'null' && event.origin !== this.targetOrigin) return;
+        if ((event.data as CrossOriginMessage).type === 'ready') {
+          window.removeEventListener('message', handler);
+          resolve();
+        }
+      };
+      window.addEventListener('message', handler);
+    });
+  }
+
+  private async sendInit(): Promise<void> {
+    const msg: CrossOriginMessage = {
+      type: 'init',
+      snapshot: this.vol.toSnapshot(),
+      config: { cwd: this.cfg.cwd, env: this.cfg.env },
+    };
+    // '*' is fine here — we're posting to this.frame.contentWindow directly,
+    // and sandboxed iframes have a "null" origin so we cant target them specifically
+    this.frame.contentWindow?.postMessage(msg, '*');
+  }
+
+  private attachVolumeSync(): void {
+    this.onFileChange = (path, content) => {
+      this.frame.contentWindow?.postMessage({ type: 'syncFile', path, content } as CrossOriginMessage, '*');
+    };
+    this.vol.on('change', this.onFileChange);
+
+    this.onFileDelete = (path) => {
+      this.frame.contentWindow?.postMessage({ type: 'syncFile', path, content: null } as CrossOriginMessage, '*');
+    };
+    this.vol.on('delete', this.onFileDelete);
+  }
+
+  private dispatch(msg: CrossOriginMessage): Promise<ExecutionOutcome> {
+    return new Promise((resolve, reject) => {
+      const id = String(this.nextId++);
+      this.pendingCalls.set(id, { resolve, reject });
+      this.frame.contentWindow?.postMessage({ ...msg, id }, '*');
+      setTimeout(() => {
+        if (this.pendingCalls.has(id)) {
+          this.pendingCalls.delete(id);
+          reject(new Error('Sandbox execution timeout'));
+        }
+      }, 60000);
+    });
+  }
+
+  async execute(code: string, filename?: string): Promise<ExecutionOutcome> {
+    await this.ready;
+    return this.dispatch({ type: 'execute', code, filename });
+  }
+
+  async runFile(filename: string): Promise<ExecutionOutcome> {
+    await this.ready;
+    return this.dispatch({ type: 'runFile', filename });
+  }
+
+  clearCache(): void {
+    this.frame.contentWindow?.postMessage({ type: 'clearCache' } as CrossOriginMessage, '*');
+  }
+
+  getVolume(): MemoryVolume { return this.vol; }
+
+  terminate(): void {
+    if (this.onFileChange) this.vol.off('change', this.onFileChange);
+    if (this.onFileDelete) this.vol.off('delete', this.onFileDelete);
+    if (this.onMessage) window.removeEventListener('message', this.onMessage);
+    this.frame.remove();
+    for (const [, { reject }] of this.pendingCalls) reject(new Error('Sandbox terminated'));
+    this.pendingCalls.clear();
+  }
+}