@secure-exec/browser 0.1.0 → 0.1.1-rc.1

package/dist/permission-validation.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Validate permission callback source strings before revival via new Function().
+ *
+ * Permission callbacks are serialized with fn.toString() on the host and revived
+ * in the Web Worker. Because revival uses new Function(), the source must be
+ * validated to prevent code injection.
+ */
+/**
+ * Validate that a permission callback source string is safe to revive.
+ *
+ * Returns true if the source appears to be a safe function expression.
+ * Returns false if the source contains blocked patterns that could indicate
+ * code injection.
+ */
+export declare function validatePermissionSource(source: string): boolean;

package/dist/permission-validation.js

@@ -0,0 +1,62 @@
+/**
+ * Validate permission callback source strings before revival via new Function().
+ *
+ * Permission callbacks are serialized with fn.toString() on the host and revived
+ * in the Web Worker. Because revival uses new Function(), the source must be
+ * validated to prevent code injection.
+ */
+/**
+ * Dangerous patterns that should never appear in a permission callback.
+ * These could be used to escape the sandbox or access host resources.
+ */
+const BLOCKED_PATTERNS = [
+    // Code execution / eval
+    /\beval\s*\(/,
+    /\bFunction\s*\(/,
+    /\bnew\s+Function\b/,
+    // Module loading
+    /\bimport\s*\(/,
+    /\bimportScripts\s*\(/,
+    /\brequire\s*\(/,
+    // Global object access
+    /\bglobalThis\b/,
+    /\bself\b/,
+    /\bwindow\b/,
+    // Process/system access
+    /\bprocess\s*\.\s*(?:exit|kill|binding|_linkedBinding|env)\b/,
+    // Network / IO escape
+    /\bXMLHttpRequest\b/,
+    /\bWebSocket\b/,
+    /\bfetch\s*\(/,
+    // Prototype pollution / constructor abuse
+    /\bconstructor\s*\[/,
+    /\b__proto__\b/,
+    /Object\s*\.\s*(?:defineProperty|setPrototypeOf|assign)\b/,
+    // Dynamic property access on dangerous objects
+    /\bpostMessage\b/,
+];
+/**
+ * Validate that a permission callback source string is safe to revive.
+ *
+ * Returns true if the source appears to be a safe function expression.
+ * Returns false if the source contains blocked patterns that could indicate
+ * code injection.
+ */
+export function validatePermissionSource(source) {
+    if (!source || typeof source !== "string")
+        return false;
+    const trimmed = source.trim();
+    // Must look like a function expression (arrow function or function keyword)
+    const startsLikeFunction = trimmed.startsWith("function") ||
+        trimmed.startsWith("(") ||
+        // Single-param arrow functions: x => ...
+        /^[a-zA-Z_$][a-zA-Z0-9_$]*\s*=>/.test(trimmed);
+    if (!startsLikeFunction)
+        return false;
+    // Check for blocked patterns
+    for (const pattern of BLOCKED_PATTERNS) {
+        if (pattern.test(source))
+            return false;
+    }
+    return true;
+}

package/dist/runtime-driver.js

@@ -13,14 +13,6 @@ const BROWSER_OPTION_VALIDATORS = [
         label: "timingMitigation",
         hasValue: (options) => options.timingMitigation !== undefined,
     },
-    {
-        label: "payloadLimits.base64TransferBytes",
-        hasValue: (options) => options.payloadLimits?.base64TransferBytes !== undefined,
-    },
-    {
-        label: "payloadLimits.jsonPayloadBytes",
-        hasValue: (options) => options.payloadLimits?.jsonPayloadBytes !== undefined,
-    },
 ];
 function serializePermissions(permissions) {
     if (!permissions) {
@@ -104,6 +96,7 @@ export class BrowserRuntimeDriver {
             permissions: serializePermissions(options.system.permissions),
             filesystem: browserSystemOptions.filesystem,
             networkEnabled: browserSystemOptions.networkEnabled,
+            payloadLimits: options.payloadLimits,
         };
         this.ready = this.callWorker("init", initPayload).then(() => undefined);
         this.ready.catch(() => undefined);

package/dist/worker-protocol.d.ts

@@ -17,6 +17,10 @@ export type BrowserWorkerInitPayload = {
     permissions?: SerializedPermissions;
     filesystem?: "opfs" | "memory";
     networkEnabled?: boolean;
+    payloadLimits?: {
+        base64TransferBytes?: number;
+        jsonPayloadBytes?: number;
+    };
 };
 export type BrowserWorkerRequestMessage = {
     id: number;

package/dist/worker.js

@@ -1,6 +1,7 @@
 import { transform } from "sucrase";
 import { getRequireSetupCode, createCommandExecutorStub, createFsStub, createNetworkStub, filterEnv, wrapFileSystem, wrapNetworkAdapter, createInMemoryFileSystem, isESM, transformDynamicImport, getIsolateRuntimeSource, POLYFILL_CODE_MAP, loadFile, resolveModule, mkdir, exposeCustomGlobal, exposeMutableRuntimeStateGlobal, } from "@secure-exec/core";
 import { createBrowserNetworkAdapter, createOpfsFileSystem, } from "./driver.js";
+import { validatePermissionSource } from "./permission-validation.js";
 let filesystem = null;
 let networkAdapter = null;
 let commandExecutor = null;
@@ -12,6 +13,26 @@ const MAX_STDIO_MESSAGE_CHARS = 8192;
 const MAX_STDIO_DEPTH = 6;
 const MAX_STDIO_OBJECT_KEYS = 60;
 const MAX_STDIO_ARRAY_ITEMS = 120;
+// Payload size defaults matching the Node runtime path
+const DEFAULT_BASE64_TRANSFER_BYTES = 16 * 1024 * 1024;
+const DEFAULT_JSON_PAYLOAD_BYTES = 4 * 1024 * 1024;
+const PAYLOAD_LIMIT_ERROR_CODE = "ERR_SANDBOX_PAYLOAD_TOO_LARGE";
+let base64TransferLimitBytes = DEFAULT_BASE64_TRANSFER_BYTES;
+let jsonPayloadLimitBytes = DEFAULT_JSON_PAYLOAD_BYTES;
+const encoder = new TextEncoder();
+function getUtf8ByteLength(text) {
+    return encoder.encode(text).byteLength;
+}
+function assertPayloadByteLength(payloadLabel, actualBytes, maxBytes) {
+    if (actualBytes <= maxBytes)
+        return;
+    const error = new Error(`[${PAYLOAD_LIMIT_ERROR_CODE}] ${payloadLabel}: payload is ${actualBytes} bytes, limit is ${maxBytes} bytes`);
+    error.code = PAYLOAD_LIMIT_ERROR_CODE;
+    throw error;
+}
+function assertTextPayloadSize(payloadLabel, text, maxBytes) {
+    assertPayloadByteLength(payloadLabel, getUtf8ByteLength(text), maxBytes);
+}
 const dynamicImportModule = new Function("specifier", "return import(specifier);");
 function boundErrorMessage(message) {
     if (message.length <= MAX_ERROR_MESSAGE_CHARS) {
@@ -28,6 +49,9 @@ function boundStdioMessage(message) {
 function revivePermission(source) {
     if (!source)
         return undefined;
+    // Validate source before eval to prevent code injection
+    if (!validatePermissionSource(source))
+        return undefined;
     try {
         const fn = new Function(`return (${source});`)();
         if (typeof fn === "function")
@@ -74,8 +98,10 @@ function makeApplyPromise(fn) {
         },
     };
 }
+// Save real postMessage before sandbox code can replace it
+const _realPostMessage = self.postMessage.bind(self);
 function postResponse(message) {
-    self.postMessage(message);
+    _realPostMessage(message);
 }
 function postStdio(requestId, channel, message) {
     const payload = {
@@ -84,7 +110,7 @@ function postStdio(requestId, channel, message) {
         channel,
         message,
     };
-    self.postMessage(payload);
+    _realPostMessage(payload);
 }
 function formatConsoleValue(value, seen = new WeakSet(), depth = 0) {
     if (value === null) {
@@ -156,6 +182,9 @@ async function initRuntime(payload) {
     if (initialized)
         return;
     permissions = revivePermissions(payload.permissions);
+    // Apply payload limits (use defaults if not configured)
+    base64TransferLimitBytes = payload.payloadLimits?.base64TransferBytes ?? DEFAULT_BASE64_TRANSFER_BYTES;
+    jsonPayloadLimitBytes = payload.payloadLimits?.jsonPayloadBytes ?? DEFAULT_JSON_PAYLOAD_BYTES;
     const baseFs = payload.filesystem === "memory"
         ? createInMemoryFileSystem()
         : await createOpfsFileSystem();
@@ -174,22 +203,27 @@ async function initRuntime(payload) {
     exposeCustomGlobal("_osConfig", payload.osConfig ?? {});
     // Set up filesystem bridge globals before loading runtime shims.
     const readFileRef = makeApplySyncPromise(async (path) => {
-        return fsOps.readTextFile(path);
+        const text = await fsOps.readTextFile(path);
+        assertTextPayloadSize(`fs.readFile ${path}`, text, jsonPayloadLimitBytes);
+        return text;
     });
     const writeFileRef = makeApplySyncPromise(async (path, content) => {
         return fsOps.writeFile(path, content);
     });
     const readFileBinaryRef = makeApplySyncPromise(async (path) => {
         const data = await fsOps.readFile(path);
-        return btoa(String.fromCharCode(...data));
+        assertPayloadByteLength(`fs.readFileBinary ${path}`, data.byteLength, base64TransferLimitBytes);
+        return new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
     });
-    const writeFileBinaryRef = makeApplySyncPromise(async (path, base64) => {
-        const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
-        return fsOps.writeFile(path, bytes);
+    const writeFileBinaryRef = makeApplySyncPromise(async (path, binaryContent) => {
+        assertPayloadByteLength(`fs.writeFileBinary ${path}`, binaryContent.byteLength, base64TransferLimitBytes);
+        return fsOps.writeFile(path, binaryContent);
     });
     const readDirRef = makeApplySyncPromise(async (path) => {
         const entries = await fsOps.readDirWithTypes(path);
-        return JSON.stringify(entries);
+        const json = JSON.stringify(entries);
+        assertTextPayloadSize(`fs.readDir ${path}`, json, jsonPayloadLimitBytes);
+        return json;
     });
     const mkdirRef = makeApplySyncPromise(async (path) => {
         return mkdir(fsOps, path);
@@ -358,6 +392,43 @@ async function initRuntime(payload) {
     exposeMutableRuntimeStateGlobal("_pendingModules", {});
     exposeMutableRuntimeStateGlobal("_currentModule", { dirname: "/" });
     eval(getRequireSetupCode());
+    // Block dangerous Web APIs that bypass bridge permission checks
+    const dangerousApis = [
+        "XMLHttpRequest",
+        "WebSocket",
+        "importScripts",
+        "indexedDB",
+        "caches",
+        "BroadcastChannel",
+    ];
+    for (const api of dangerousApis) {
+        try {
+            delete self[api];
+        }
+        catch {
+            // May not exist or may be non-configurable
+        }
+        Object.defineProperty(self, api, {
+            get() {
+                throw new ReferenceError(`${api} is not available in sandbox`);
+            },
+            configurable: false,
+        });
+    }
+    // Lock down self.onmessage so sandbox code cannot hijack the control channel
+    const currentHandler = self.onmessage;
+    Object.defineProperty(self, "onmessage", {
+        value: currentHandler,
+        writable: false,
+        configurable: false,
+    });
+    // Block self.postMessage so sandbox code cannot forge responses to host
+    Object.defineProperty(self, "postMessage", {
+        get() {
+            throw new TypeError("postMessage is not available in sandbox");
+        },
+        configurable: false,
+    });
     initialized = true;
 }
 function resetModuleState(cwd) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@secure-exec/browser",
-  "version": "0.1.0",
+  "version": "0.1.1-rc.1",
   "type": "module",
   "license": "Apache-2.0",
   "main": "./dist/index.js",
@@ -34,11 +34,16 @@
       "types": "./dist/worker-protocol.d.ts",
       "import": "./dist/worker-protocol.js",
       "default": "./dist/worker-protocol.js"
+    },
+    "./internal/permission-validation": {
+      "types": "./dist/permission-validation.d.ts",
+      "import": "./dist/permission-validation.js",
+      "default": "./dist/permission-validation.js"
     }
   },
   "dependencies": {
     "sucrase": "^3.35.0",
-    "@secure-exec/core": "0.1.0"
+    "@secure-exec/core": "0.1.1-rc.1"
   },
   "devDependencies": {
     "@types/node": "^22.10.2",