npm - @vertesia/workflow - Versions diffs - 1.1.0-dev.20260327.125707Z → 1.1.0 - Mend

@vertesia/workflow 1.1.0-dev.20260327.125707Z → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (98) hide show

package/src/dsl/dsl-workflow.ts CHANGED Viewed

@@ -183,9 +183,9 @@ async function executeSteps(definition: DSLWorkflowSpec, payload: DSLWorkflowExe
             if (stepType === 'workflow') {
                 const childWorkflowStep = step as DSLChildWorkflowStep;
                 if (childWorkflowStep.async) {
-                    await startChildWorkflow(childWorkflowStep, payload, vars, basePayload.debug_mode);
+                    await startChildWorkflow(childWorkflowStep, payload, vars, basePayload.debug_mode, defaultProxy, basePayload);
                 } else {
-                    await executeChildWorkflow(childWorkflowStep, payload, vars, basePayload.debug_mode);
+                    await executeChildWorkflow(childWorkflowStep, payload, vars, basePayload.debug_mode, defaultProxy, basePayload);
                 }
             } else { // activity
                 await runActivity(step as DSLActivitySpec, basePayload, vars, defaultProxy, defaultOptions, remoteActivities);
@@ -236,11 +236,20 @@ async function handleError(originalError: any, basePayload: BaseActivityPayload,
     throw originalError;
 }
-async function startChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkflowExecutionPayload, vars: Vars, debug_mode?: boolean) {
+async function startChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkflowExecutionPayload, vars: Vars, debug_mode?: boolean, proxy?: ActivityInterfaceFor<UntypedActivities>, basePayload?: BaseActivityPayload) {
     if (step.condition && !vars.match(step.condition)) {
         log.info("Child workflow skipped: condition not satisfied", { workflow: step.name, condition: step.condition });
         return;
     }
+    if (step.name.startsWith('dsl:') && !step.spec && proxy && basePayload) {
+        const workflowName = step.name.slice(4);
+        const specPayload = dslActivityPayload(basePayload, { name: 'loadChildWorkflowSpec' } as DSLActivitySpec, { workflowName });
+        const spec = await proxy.loadChildWorkflowSpec(specPayload) as DSLWorkflowSpec;
+        const humanName = spec.name.replace(/([A-Z])/g, ' $1').trim();
+        const objectIds = getDocumentIds(payload);
+        const workflowId = objectIds.length > 0 ? `${humanName}:${objectIds[0]}` : humanName;
+        step = { ...step, name: 'dslWorkflow', spec, options: { ...step.options, workflowId } };
+    }
     const resolvedVars = vars.resolve();
     if (step.vars) {
         // copy user vars (from step definition) to the resolved vars, resolving any expressions
@@ -274,11 +283,20 @@ async function startChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkfl
     }
 }
-async function executeChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkflowExecutionPayload, vars: Vars, debug_mode?: boolean) {
+async function executeChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkflowExecutionPayload, vars: Vars, debug_mode?: boolean, proxy?: ActivityInterfaceFor<UntypedActivities>, basePayload?: BaseActivityPayload) {
     if (step.condition && !vars.match(step.condition)) {
         log.info("Child workflow skipped: condition not satisfied", { workflow: step.name, condition: step.condition });
         return;
     }
+    if (step.name.startsWith('dsl:') && !step.spec && proxy && basePayload) {
+        const workflowName = step.name.slice(4);
+        const specPayload = dslActivityPayload(basePayload, { name: 'loadChildWorkflowSpec' } as DSLActivitySpec, { workflowName });
+        const spec = await proxy.loadChildWorkflowSpec(specPayload) as DSLWorkflowSpec;
+        const humanName = spec.name.replace(/([A-Z])/g, ' $1').trim();
+        const objectIds = getDocumentIds(payload);
+        const workflowId = objectIds.length > 0 ? `${humanName}:${objectIds[0]}` : humanName;
+        step = { ...step, name: 'dslWorkflow', spec, options: { ...step.options, workflowId } };
+    }
     const resolvedVars = vars.resolve();
     if (step.vars) {
         // copy user vars (from step definition) to the resolved vars, resolving any expressions

package/src/dsl/setup/ActivityContext.test.ts ADDED Viewed

@@ -0,0 +1,57 @@
+import { ContentEventName, DSLActivityExecutionPayload } from "@vertesia/common";
+import { describe, expect, it } from "vitest";
+import { setupActivity } from "./ActivityContext.js";
+const MOCK_AUTH_TOKEN =
+    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbW9jay10b2tlbi1zZXJ2ZXIiLCJzdWIiOiJ0ZXN0In0.signature";
+function basePayload<T extends Record<string, any>>(
+    activity: DSLActivityExecutionPayload<T>["activity"],
+    params: T,
+): DSLActivityExecutionPayload<T> {
+    return {
+        event: ContentEventName.create,
+        vars: {},
+        account_id: "acc",
+        project_id: "prj",
+        auth_token: MOCK_AUTH_TOKEN,
+        config: { studio_url: "http://localhost", store_url: "http://localhost" },
+        activity,
+        params,
+        workflow_name: "test",
+    };
+}
+describe("setupActivity", () => {
+    // Regression guard: user-supplied strings containing "${...}" must be preserved
+    // verbatim when the activity is dispatched from TypeScript code (no activity.params,
+    // no activity.fetch). Previously Vars.parse/resolve would treat any "${...}" as a
+    // template ref and silently drop the key when it failed to resolve.
+    it("preserves user data containing literal ${} in code-dispatched activities", async () => {
+        const data = {
+            task: 'preserve "${}" literal',
+            other: "also has ${undefined_ref}",
+        };
+        const payload = basePayload({ name: "testActivity" }, { data });
+        const ctx = await setupActivity(payload);
+        expect(ctx.params.data.task).toBe('preserve "${}" literal');
+        expect(ctx.params.data.other).toBe("also has ${undefined_ref}");
+    });
+    it("returns empty params when code-dispatched activity has no params", async () => {
+        const payload = basePayload({ name: "testActivity" }, undefined as any);
+        const ctx = await setupActivity(payload);
+        expect(ctx.params).toEqual({});
+    });
+    // Counter-test: DSL-defined activities (those carrying activity.params) must
+    // still have their ${refs} resolved against payload.params (imported vars).
+    it("still resolves ${refs} in activity.params for DSL-dispatched activities", async () => {
+        const payload = basePayload(
+            { name: "dslActivity", params: { message: "Hello ${name}" } },
+            { name: "World" } as any,
+        );
+        const ctx = await setupActivity(payload);
+        expect((ctx.params as any).message).toBe("Hello World");
+    });
+});

package/src/dsl/setup/ActivityContext.ts CHANGED Viewed

@@ -183,6 +183,22 @@ export class ActivityContext<ParamsT extends Record<string, any>> {
 export async function setupActivity<ParamsT extends Record<string, any>>(
     payload: DSLActivityExecutionPayload<ParamsT>,
 ) {
+    const client = await getVertesiaClient(payload);
+    // Activities dispatched from TypeScript code (via dslProxyActivities) set
+    // only `activity.name`; their params are a plain TS object that must not
+    // be run through Vars template expansion — doing so would interpret any
+    // `${...}` in user-supplied strings as a variable reference and silently
+    // drop the key when it fails to resolve. Only DSL-defined activities
+    // (which carry `activity.params` and/or `activity.fetch`) need Vars.
+    const isDslDispatched =
+        payload.activity.params !== undefined || payload.activity.fetch !== undefined;
+    if (!isDslDispatched) {
+        const params = (payload.params ?? {}) as ParamsT;
+        return new ActivityContext<ParamsT>(payload, client, params);
+    }
     const isDebugMode = !!payload.debug_mode;
     const vars = new Vars({
@@ -190,7 +206,6 @@ export async function setupActivity<ParamsT extends Record<string, any>>(
         ...payload.activity.params, // activity params (may contain expressions)
     });
-    //}
     if (isDebugMode) {
         log.info(`Setting up activity ${payload.activity.name}`, {
             config: payload.config,
@@ -200,7 +215,6 @@ export async function setupActivity<ParamsT extends Record<string, any>>(
         });
     }
-    const client = await getVertesiaClient(payload);
     const fetchSpecs = payload.activity.fetch;
     if (fetchSpecs) {
         const keys = Object.keys(fetchSpecs);

package/src/security/ssrf.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * SSRF protection shim for @vertesia/workflow.
+ *
+ * URL validation is delegated via client.apps.validateUrl() so that security
+ * policy details (blocked IP ranges, ports, hostnames) are not exposed in this
+ * public package.
+ *
+ * This file only provides redirect-safe fetch and the error class.
+ */
+export class URLValidationError extends Error {
+    constructor(message: string) {
+        super(message);
+        this.name = 'URLValidationError';
+    }
+}
+/**
+ * Redirect-safe fetch wrapper. Does not validate the URL — call client.apps.validateUrl() first.
+ * @throws {URLValidationError} if the server redirects (potential redirect-based SSRF)
+ */
+export async function safeFetch(url: string, init: RequestInit = {}): Promise<Response> {
+    const response = await fetch(url, { ...init, redirect: 'manual' });
+    // Only block actual redirects (those with a Location header). 304 Not Modified is a 3xx
+    // but carries no Location and must not be treated as a redirect.
+    if (response.headers.has('location')) {
+        throw new URLValidationError(
+            `Request to ${url} returned a redirect (${response.status}), which is not allowed`,
+        );
+    }
+    return response;
+}