@trops/dash-core 0.1.483 → 0.1.485

package/dist/electron/index.js

@@ -11,10 +11,11 @@ var require$$3$1 = require('xml2js');
 var require$$4 = require('JSONStream');
 var require$$5 = require('stream');
 var require$$6 = require('csv-parser');
+var require$$0$3 = require('quickjs-emscripten');
 var require$$7 = require('https');
-var require$$0$4 = require('@modelcontextprotocol/sdk/client/index.js');
+var require$$0$5 = require('@modelcontextprotocol/sdk/client/index.js');
 var require$$1$4 = require('@modelcontextprotocol/sdk/client/stdio.js');
-var require$$0$3 = require('pkce-challenge');
+var require$$0$4 = require('pkce-challenge');
 var require$$2$1 = require('os');
 var require$$7$1 = require('child_process');
 var require$$3$2 = require('adm-zip');
@@ -23,17 +24,17 @@ var require$$2$2 = require('vm');
 var require$$1$5 = require('croner');
 var require$$2$3 = require('algoliasearch');
 var require$$3$3 = require('node:path');
-var require$$0$5 = require('openai');
+var require$$0$6 = require('openai');
 require('live-plugin-manager');
-var require$$0$8 = require('@anthropic-ai/sdk');
+var require$$0$9 = require('@anthropic-ai/sdk');
 var require$$3$4 = require('crypto');
 var require$$8$1 = require('zod');
-var require$$0$6 = require('http');
+var require$$0$7 = require('http');
 var require$$1$6 = require('http2');
 var require$$2$4 = require('node-forge');
-var require$$0$7 = require('css');
+var require$$0$8 = require('css');
 var require$$1$7 = require('node-vibrant/node');
-var require$$0$9 = require('ws');
+var require$$0$a = require('ws');
 
 var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
@@ -1649,6 +1650,235 @@ const themeController$5 = {
 
 var themeController_1 = themeController$5;
 
+/**
+ * safeJsExecutor.js
+ *
+ * Run renderer-supplied JavaScript bodies in a QuickJS WASM sandbox.
+ *
+ * Why: dash-core's transformFile API (and a handful of widget eval sites)
+ * historically used the dynamic-function constructor to compile user-
+ * authored JS in the main process. That gives any caller full Node.js
+ * privileges — filesystem, network, child_process — turning a single
+ * dataApi call into an RCE primitive. See
+ * docs/security/ipc-filesystem-audit.md.
+ *
+ * QuickJS-emscripten runs JS in a separate WASM sandbox with no host
+ * globals (no `require`, no `process`, no `fetch`). Code executes
+ * against a tiny built-in surface: `Math`, `JSON`, `Date`, `Array`,
+ * primitives. The WASM boundary is the OS's responsibility, so escapes
+ * are not a keep-up-with-attackers problem the way `vm.runInNewContext`
+ * is.
+ *
+ * Public API:
+ *
+ *   await runOnce({ body, args, inputs, timeoutMs, memoryBytes }) — one
+ *     compile + run, returns `{ value }` or `{ error }`. Cheap to call
+ *     repeatedly but creates a fresh context each time.
+ *
+ *   await createCompiled({ body, args, memoryBytes }) — compile once
+ *     and return `{ run(inputs, timeoutMs), dispose() }` for streaming
+ *     workloads (e.g., transformFile maps over many records).
+ *
+ * Implementation notes:
+ *
+ *   - The QuickJS WASM module loads once per process (cached).
+ *   - Each context gets its own runtime → independent memory limit and
+ *     interrupt handler, no cross-talk between concurrent transforms.
+ *   - Inputs cross the boundary as JSON strings (round-trip serialized);
+ *     output crosses back the same way. Functions/Symbols/Maps don't
+ *     survive — but transform mappings produce plain JSON objects by
+ *     contract.
+ *   - The timeout uses a deadline check inside QuickJS's interrupt
+ *     handler, NOT setTimeout — JS event-loop callbacks can't fire
+ *     while QuickJS is executing synchronously.
+ */
+
+// quickjs-emscripten is loaded lazily inside getModule() rather than at
+// module top. Reason: when transform.js (which lives in the same dir)
+// does require("./safeJsExecutor") and rollup-plugin-commonjs sees a
+// statically-required external (`quickjs-emscripten`) inside that file,
+// it can mark the relative import as transitive-external and then fail
+// to resolve back. Deferring the require breaks the static-analysis
+// chain so the rollup build resolves cleanly.
+const DEFAULT_TIMEOUT_MS = 1000;
+const DEFAULT_MEMORY_BYTES = 32 * 1024 * 1024; // 32 MB
+
+let _modulePromise = null;
+function getModule() {
+  if (!_modulePromise) {
+    const { getQuickJS } = require$$0$3;
+    _modulePromise = getQuickJS();
+  }
+  return _modulePromise;
+}
+
+function injectInputs(vm, args, inputs) {
+  if (!Array.isArray(args) || !Array.isArray(inputs)) {
+    throw new Error(
+      "safeJsExecutor: args and inputs must be arrays of equal length",
+    );
+  }
+  if (args.length !== inputs.length) {
+    throw new Error("safeJsExecutor: args.length must equal inputs.length");
+  }
+  for (let i = 0; i < args.length; i++) {
+    const name = args[i];
+    if (typeof name !== "string" || !/^[A-Za-z_$][\w$]*$/.test(name)) {
+      throw new Error("safeJsExecutor: arg names must be valid JS identifiers");
+    }
+    const json = JSON.stringify(inputs[i]);
+    // Use evalCode to materialize the JSON-typed value inside the
+    // VM. For undefined inputs, JSON.stringify returns undefined
+    // (not a string) — fall through to evaluating the literal
+    // `undefined`.
+    const literal = json === undefined ? "undefined" : json;
+    const result = vm.evalCode(`(${literal})`);
+    if (result.error) {
+      const err = vm.dump(result.error);
+      result.error.dispose();
+      throw new Error(
+        `safeJsExecutor: failed to inject "${name}": ${
+          err && err.message ? err.message : err
+        }`,
+      );
+    }
+    vm.setProp(vm.global, name, result.value);
+    result.value.dispose();
+  }
+}
+
+function setDeadline(vm, timeoutMs) {
+  const deadline = Date.now() + Math.max(1, timeoutMs);
+  vm.runtime.setInterruptHandler(() => Date.now() > deadline);
+}
+
+function buildWrappedBody(args, body) {
+  // Wrap the user body in an IIFE so `return` works at the body level
+  // (matching the dynamic-function-constructor semantics this is
+  // replacing).
+  return `(function(${args.join(",")}){${body}})(${args.join(",")})`;
+}
+
+async function runOnce({
+  body,
+  args = [],
+  inputs = [],
+  timeoutMs = DEFAULT_TIMEOUT_MS,
+  memoryBytes = DEFAULT_MEMORY_BYTES,
+}) {
+  if (typeof body !== "string" || !body.trim()) {
+    return { error: "body must be a non-empty string" };
+  }
+  const QuickJS = await getModule();
+  const vm = QuickJS.newContext();
+  try {
+    vm.runtime.setMemoryLimit(memoryBytes);
+    vm.runtime.setMaxStackSize(1024 * 1024);
+    setDeadline(vm, timeoutMs);
+
+    injectInputs(vm, args, inputs);
+    const wrapped = buildWrappedBody(args, body);
+    const result = vm.evalCode(wrapped);
+
+    if (result.error) {
+      const err = vm.dump(result.error);
+      result.error.dispose();
+      return {
+        error:
+          err && err.message
+            ? String(err.message)
+            : typeof err === "string"
+              ? err
+              : JSON.stringify(err),
+      };
+    }
+    const value = vm.dump(result.value);
+    result.value.dispose();
+    return { value };
+  } catch (e) {
+    return { error: e && e.message ? e.message : String(e) };
+  } finally {
+    vm.dispose();
+  }
+}
+
+async function createCompiled({
+  body,
+  args = [],
+  memoryBytes = DEFAULT_MEMORY_BYTES,
+}) {
+  if (typeof body !== "string" || !body.trim()) {
+    throw new Error("body must be a non-empty string");
+  }
+  const QuickJS = await getModule();
+  const vm = QuickJS.newContext();
+  vm.runtime.setMemoryLimit(memoryBytes);
+  vm.runtime.setMaxStackSize(1024 * 1024);
+
+  // Define the user function once on the VM globals so subsequent
+  // run() calls can invoke it with fresh args without re-parsing.
+  const define = vm.evalCode(
+    `globalThis.__userFn = function(${args.join(",")}){${body}};`,
+  );
+  if (define.error) {
+    const err = vm.dump(define.error);
+    define.error.dispose();
+    vm.dispose();
+    throw new Error(
+      "safeJsExecutor: compile failed: " +
+        (err && err.message ? err.message : JSON.stringify(err)),
+    );
+  }
+  define.value.dispose();
+
+  let disposed = false;
+
+  return {
+    run(inputs, timeoutMs = DEFAULT_TIMEOUT_MS) {
+      if (disposed) {
+        return { error: "executor already disposed" };
+      }
+      try {
+        setDeadline(vm, timeoutMs);
+        const argList = inputs
+          .map((v) => (v === undefined ? "undefined" : JSON.stringify(v)))
+          .join(",");
+        const result = vm.evalCode(`__userFn(${argList})`);
+        if (result.error) {
+          const err = vm.dump(result.error);
+          result.error.dispose();
+          return {
+            error:
+              err && err.message
+                ? String(err.message)
+                : typeof err === "string"
+                  ? err
+                  : JSON.stringify(err),
+          };
+        }
+        const value = vm.dump(result.value);
+        result.value.dispose();
+        return { value };
+      } catch (e) {
+        return { error: e && e.message ? e.message : String(e) };
+      }
+    },
+    dispose() {
+      if (!disposed) {
+        disposed = true;
+        vm.dispose();
+      }
+    },
+  };
+}
+
+var safeJsExecutor$1 = {
+  runOnce,
+  createCompiled,
+  DEFAULT_TIMEOUT_MS,
+  DEFAULT_MEMORY_BYTES,
+};
+
 /**
  * Utils/tranaform
  * Main gial is to transform a file of data into another form (CSV -> Json for example)
@@ -1667,9 +1897,15 @@ var csv = require$$6;
 const path$g = require$$1$2;
 const { app: app$9 } = require$$0$1;
 const { ensureDirectoryExistence: ensureDirectoryExistence$1 } = file;
+const safeJsExecutor = safeJsExecutor$1;
 
 const TRANSFORM_APP_NAME = "Dashboard";
 const MAX_MAPPING_BODY_SIZE = 10240; // 10KB limit for mapping function body
+// Per-record execution limit. Each mapping function call inside the
+// streaming transform must complete within this budget; a runaway loop
+// in the user's mapping triggers an "interrupted" error and the record
+// is skipped rather than blocking the whole stream.
+const PER_RECORD_TIMEOUT_MS = 1000;
 
 /**
  * XtreamerClientTransform
@@ -1975,45 +2211,78 @@ let Transform$1 = class Transform {
       // JSON parser
       var parser = JSONStream$1.parse("*");
 
-      if (fs$b.existsSync(resolvedFilepath)) {
-        console.log("file exists ", resolvedFilepath);
-        // create the readStream to parse the large file (json)
-        var readStream = fs$b.createReadStream(resolvedFilepath).pipe(parser);
-
-        ensureDirectoryExistence$1(resolvedOutFilepath);
-
-        var writeStream = fs$b.createWriteStream(resolvedOutFilepath);
-
-        let sep = "";
-        let count = 0;
-
-        // create our mapping function
-        const fn = new Function(args, mappingFunctionBody);
+      if (!fs$b.existsSync(resolvedFilepath)) {
+        return reject(new Error("File doesnt exist"));
+      }
+      console.log("file exists ", resolvedFilepath);
+      // create the readStream to parse the large file (json)
+      var readStream = fs$b.createReadStream(resolvedFilepath).pipe(parser);
+
+      ensureDirectoryExistence$1(resolvedOutFilepath);
+
+      var writeStream = fs$b.createWriteStream(resolvedOutFilepath);
+
+      let sep = "";
+      let count = 0;
+
+      // Compile the user-supplied mapping function inside a QuickJS
+      // sandbox. The previous implementation compiled the body with
+      // full Node.js privileges (filesystem, network, process). The
+      // sandbox gives the body a tiny pure-JS surface (Math, JSON,
+      // Date, primitives) and no host globals — see
+      // electron/utils/safeJsExecutor.js for full rationale.
+      //
+      // createCompiled is async (the WASM module must be loaded). Use
+      // .then/.catch instead of await because we're inside a sync
+      // Promise executor.
+      safeJsExecutor
+        .createCompiled({
+          body: mappingFunctionBody,
+          args,
+        })
+        .then((executor) => {
+          startStreamingWithExecutor(executor);
+        })
+        .catch((e) => {
+          reject(
+            new Error(
+              "mappingFunctionBody failed to compile: " +
+                (e && e.message ? e.message : String(e)),
+            ),
+          );
+        });
 
+      function startStreamingWithExecutor(executor) {
         // begin the write stream
         writeStream.write("[\n");
 
         readStream.on("data", (data) => {
           try {
-            //console.log("in stream", count, data);
-            // data in this case is the JSON object...
             if (count > 0) {
               sep = ",\n";
             }
 
             if (data) {
-              // transform the data here...
-              const newValue = fn(data, count);
+              const result = executor.run([data, count], PER_RECORD_TIMEOUT_MS);
+              if (result.error) {
+                // Don't block the stream on a single bad record — log,
+                // skip, continue. Matches the previous try/catch in the
+                // unsandboxed implementation.
+                console.log(
+                  "[transform] mapping error on record " +
+                    count +
+                    ": " +
+                    result.error,
+                );
+                return;
+              }
 
-              writeStream.write(sep + JSON.stringify(newValue));
+              writeStream.write(sep + JSON.stringify(result.value));
 
               if (callbackEvent !== null && win !== null) {
-                win.webContents.send(callbackEvent, {
-                  count,
-                });
+                win.webContents.send(callbackEvent, { count });
               }
 
-              // increment the counter
               count++;
             }
           } catch (e) {
@@ -2021,19 +2290,19 @@ let Transform$1 = class Transform {
           }
         });
 
-        readStream.on("end", (data) => {
+        readStream.on("end", () => {
           writeStream.write("\n]");
           writeStream.close();
+          executor.dispose();
           resolve("Complete: wrote " + count + " objects");
         });
 
         readStream.on("error", (err) => {
           console.log("read stream error transform ", err.message);
+          executor.dispose();
           reject(err);
         });
-      } else {
-        reject(new Error("File doesnt exist"));
-      }
+      } // end startStreamingWithExecutor
     });
   };
 
@@ -19134,7 +19403,7 @@ auth$2.exchangeAuthorization = exchangeAuthorization;
 auth$2.refreshAuthorization = refreshAuthorization;
 auth$2.fetchToken = fetchToken;
 auth$2.registerClient = registerClient;
-const pkce_challenge_1 = __importDefault$2(require$$0$3);
+const pkce_challenge_1 = __importDefault$2(require$$0$4);
 const types_js_1$5 = types$2;
 const auth_js_1$1 = auth$1;
 const auth_js_2 = auth$1;
@@ -20663,7 +20932,7 @@ streamableHttp$1.StreamableHTTPClientTransport = StreamableHTTPClientTransport$1
  * Uses @modelcontextprotocol/sdk for protocol handling.
  */
 
-const { Client } = require$$0$4;
+const { Client } = require$$0$5;
 const {
   StdioClientTransport,
 } = require$$1$4;
@@ -25941,7 +26210,7 @@ const algoliaController$1 = {
 
 var algoliaController_1 = algoliaController$1;
 
-const OpenAI = require$$0$5;
+const OpenAI = require$$0$6;
 const events$2 = events$8;
 
 const openaiController$1 = {
@@ -44320,7 +44589,7 @@ __export(src_exports, {
 var dist = __toCommonJS(src_exports);
 
 // src/server.ts
-var import_node_http = require$$0$6;
+var import_node_http = require$$0$7;
 
 // src/listener.ts
 var import_node_http22 = require$$1$6;
@@ -47905,10 +48174,10 @@ var themeFromUrlErrors$1 = {
  * computed styles, and favicon/logo images (via node-vibrant).
  */
 
-const css = require$$0$7;
+const css = require$$0$8;
 const { Vibrant } = require$$1$7;
 const https = require$$7;
-const http = require$$0$6;
+const http = require$$0$7;
 const { URL: URL$1 } = require$$4$1;
 const {
   UrlUnreachableError,
@@ -52468,7 +52737,7 @@ var toolHandlers$1 = {
  * per-request, receiving the full messages array each time.
  */
 
-const Anthropic = require$$0$8;
+const Anthropic = require$$0$9;
 const mcpController$2 = mcpControllerExports;
 const cliController$1 = cliController_1;
 const toolDefinitions = toolDefinitions$1;
@@ -57886,7 +58155,7 @@ var notificationController_1 = notificationController$2;
  * Multiple widgets referencing the same provider share a single socket.
  */
 
-const WebSocket = require$$0$9;
+const WebSocket = require$$0$a;
 
 /**
  * Active WebSocket connections
@@ -58710,7 +58979,7 @@ clientCache$1.registerFactory("algolia", (credentials) => {
 
 // --- OpenAI ---
 clientCache$1.registerFactory("openai", (credentials) => {
-  const OpenAI = require$$0$5;
+  const OpenAI = require$$0$6;
   return new OpenAI({ apiKey: credentials.apiKey });
 });