@vortexm/vjt 0.1.2 → 0.1.3

package/dist/index.js

@@ -3683,6 +3683,159 @@ function logRuntimeError(scope, error, details) {
   console.error("[VJT error]", payload);
 }
 
+// src/lib/security.ts
+var BLOCKED_OBJECT_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+var TRUSTED_CONFIG_ONLY_KEYS = /* @__PURE__ */ new Set(["widget", "style", "css", "actions", "events", "onClick", "onRefresh"]);
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function escapeHtmlAttribute(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&#39;");
+}
+function coerceFiniteNumber(value, kind, path) {
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return kind === "int" ? Math.trunc(value) : value;
+  }
+  if (typeof value === "string" && value.trim().length > 0) {
+    const parsed = kind === "int" ? Number.parseInt(value, 10) : Number.parseFloat(value);
+    if (Number.isFinite(parsed)) {
+      return kind === "int" ? Math.trunc(parsed) : parsed;
+    }
+  }
+  throw new Error(`Invalid ${kind} at ${path}`);
+}
+function isBlockedObjectKey(key) {
+  return BLOCKED_OBJECT_KEYS.has(key);
+}
+function hasBlockedReferenceSegment(reference) {
+  return reference.split(".").some((segment) => isBlockedObjectKey(segment));
+}
+function isTrustedConfigOnlyKey(key) {
+  return TRUSTED_CONFIG_ONLY_KEYS.has(key);
+}
+function templateValueUsesReference(value) {
+  if (typeof value === "string") {
+    return value.includes("$ref:");
+  }
+  if (Array.isArray(value)) {
+    return value.some((entry) => templateValueUsesReference(entry));
+  }
+  if (isPlainObject(value)) {
+    return Object.values(value).some((entry) => templateValueUsesReference(entry));
+  }
+  return false;
+}
+function sanitizeConfigStyleMap(styleMap) {
+  const safe = {};
+  for (const [key, value] of Object.entries(styleMap)) {
+    if (isBlockedObjectKey(key) || typeof value !== "string") {
+      continue;
+    }
+    safe[key] = value;
+  }
+  return safe;
+}
+function sanitizeUrl(rawValue, options = {}) {
+  if (typeof rawValue !== "string") {
+    return null;
+  }
+  const value = rawValue.trim();
+  if (!value) {
+    return null;
+  }
+  if (/^(javascript|data|vbscript):/i.test(value)) {
+    return null;
+  }
+  if (value.startsWith("//")) {
+    return null;
+  }
+  const schemeMatch = value.match(/^([A-Za-z][A-Za-z\d+\-.]*):/);
+  if (!schemeMatch) {
+    return options.allowRelative !== false ? value : null;
+  }
+  const scheme = schemeMatch[1].toLowerCase();
+  if (scheme === "http" || scheme === "https") {
+    return value;
+  }
+  if (scheme === "mailto" && options.allowMailto) {
+    return value;
+  }
+  return null;
+}
+function sanitizeMarkdownSource(markdown) {
+  return markdown.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
+}
+function sanitizeGeneratedHtml(html) {
+  const withoutDangerousTags = html.replace(/<\s*(script|style|iframe|object|embed|link|meta|base|form)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi, "").replace(/<\s*(script|style|iframe|object|embed|link|meta|base|form)\b[^>]*\/?>/gi, "").replace(/\son[a-z]+\s*=\s*(".*?"|'.*?'|[^\s>]+)/gi, "");
+  return withoutDangerousTags.replace(/\s(href|src)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi, (_match, attributeName, _full, dq, sq, bare) => {
+    const rawUrl = dq ?? sq ?? bare ?? "";
+    const safeUrl = sanitizeUrl(rawUrl, {
+      allowRelative: true,
+      allowMailto: attributeName.toLowerCase() === "href"
+    });
+    const fallback = attributeName.toLowerCase() === "href" ? "#" : "";
+    return ` ${attributeName}="${escapeHtmlAttribute(safeUrl ?? fallback)}"`;
+  });
+}
+function sanitizeSchemaValue(schema, value, path = "value") {
+  if (value === void 0 || value === null) {
+    return void 0;
+  }
+  if (schema.type === "object") {
+    if (!isPlainObject(value)) {
+      throw new Error(`Expected object at ${path}`);
+    }
+    const result = {};
+    for (const property of schema.properties ?? []) {
+      if (!property.name || isBlockedObjectKey(property.name)) {
+        continue;
+      }
+      result[property.name] = sanitizeSchemaValue(property, value[property.name], `${path}.${property.name}`);
+    }
+    return result;
+  }
+  if (schema.type === "array") {
+    if (!Array.isArray(value)) {
+      throw new Error(`Expected array at ${path}`);
+    }
+    return value.map((entry, index) => sanitizeSchemaValue(schema.elements, entry, `${path}[${index}]`));
+  }
+  switch (schema.type) {
+    case "int":
+      return coerceFiniteNumber(value, "int", path);
+    case "float":
+      return coerceFiniteNumber(value, "float", path);
+    case "boolean":
+      if (typeof value === "boolean") {
+        return value;
+      }
+      if (value === "true" || value === "1" || value === 1) {
+        return true;
+      }
+      if (value === "false" || value === "0" || value === 0) {
+        return false;
+      }
+      throw new Error(`Invalid boolean at ${path}`);
+    case "string": {
+      const stringValue = typeof value === "string" ? value : typeof value === "number" || typeof value === "boolean" || typeof value === "bigint" ? String(value) : (() => {
+        throw new Error(`Invalid string at ${path}`);
+      })();
+      if (typeof schema.maxLength === "number" && stringValue.length > schema.maxLength) {
+        throw new Error(`String too long at ${path}`);
+      }
+      if (typeof schema.regexp === "string" && schema.regexp) {
+        const regexp = new RegExp(schema.regexp);
+        if (!regexp.test(stringValue)) {
+          throw new Error(`String does not match regexp at ${path}`);
+        }
+      }
+      return stringValue;
+    }
+    default:
+      return value;
+  }
+}
+
 // src/lib/network.ts
 var NetworkRuntime = class {
   requestsMap;
@@ -3707,7 +3860,12 @@ var NetworkRuntime = class {
       if (!config?.url) {
         continue;
       }
-      const source = new EventSource(config.url);
+      const safeUrl = sanitizeUrl(config.url, { allowRelative: true });
+      if (!safeUrl) {
+        logRuntimeError("sseConfig", new Error("Blocked unsafe SSE url"), { url: config.url });
+        continue;
+      }
+      const source = new EventSource(safeUrl);
       this.eventSources.push(source);
       for (const eventDefinition of config.events ?? []) {
         if (!eventDefinition?.name) {
@@ -3717,7 +3875,7 @@ var NetworkRuntime = class {
           void this.handleSseEvent(eventDefinition, event).catch((error) => {
             logRuntimeError("handleSseEvent", error, {
               eventName: eventDefinition.name,
-              url: config.url
+              url: safeUrl
             });
           });
         });
@@ -3745,7 +3903,11 @@ var NetworkRuntime = class {
     if (!requestUrl) {
       throw new Error(`Request ${requestName} has no url in config`);
     }
-    const response = await fetch(requestUrl, {
+    const safeRequestUrl = sanitizeUrl(requestUrl, { allowRelative: true });
+    if (!safeRequestUrl) {
+      throw new Error(`Request ${requestName} has unsafe url`);
+    }
+    const response = await fetch(safeRequestUrl, {
       method: "POST",
       headers: {
         "Content-Type": "application/json"
@@ -3765,7 +3927,13 @@ var NetworkRuntime = class {
     } catch {
       throw new Error(`Request ${requestName} returned non-JSON response: ${responseText.slice(0, 120)}`);
     }
-    const result = json.result;
+    if (json.error) {
+      throw new Error(`Request ${requestName} returned JSON-RPC error: ${String(json.error.message ?? "unknown error")}`);
+    }
+    if (!definition.response) {
+      throw new Error(`Request ${requestName} must define response schema`);
+    }
+    const result = sanitizeSchemaValue(definition.response, json.result, `response.${requestName}`);
     if (definition.onResponse?.length) {
       await this.runActions(definition.onResponse, null, {
         currentValue: null,
@@ -3778,7 +3946,7 @@ var NetworkRuntime = class {
     if (schema.type === "object") {
       const result = {};
       for (const property of schema.properties ?? []) {
-        if (!property.name) {
+        if (!property.name || isBlockedObjectKey(property.name)) {
           continue;
         }
         result[property.name] = await this.buildSchemaValue(property, currentValue, responseValue);
@@ -3834,12 +4002,15 @@ var NetworkRuntime = class {
     }
   }
   async handleSseEvent(eventDefinition, event) {
-    let message = {};
+    let parsedMessage = {};
     try {
-      message = event.data ? JSON.parse(event.data) : {};
+      parsedMessage = event.data ? JSON.parse(event.data) : {};
     } catch {
-      message = { value: event.data ?? "" };
+      parsedMessage = { value: event.data ?? "" };
     }
+    const message = eventDefinition.message ? sanitizeSchemaValue(eventDefinition.message, parsedMessage, `sse.${eventDefinition.name}`) : (() => {
+      throw new Error(`SSE event ${eventDefinition.name} must define message schema`);
+    })();
     if (!eventDefinition.onEvent?.length) {
       return;
     }
@@ -3852,12 +4023,15 @@ var NetworkRuntime = class {
 };
 
 // src/lib/references.ts
-function isPlainObject(value) {
+function isPlainObject2(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function readPath(target, path) {
   let current = target;
   for (const segment of path) {
+    if (isBlockedObjectKey(segment)) {
+      return void 0;
+    }
     if (current == null) {
       return void 0;
     }
@@ -3869,6 +4043,9 @@ function readPath(target, path) {
     if (typeof current !== "object") {
       return void 0;
     }
+    if (!Object.prototype.hasOwnProperty.call(current, segment)) {
+      return void 0;
+    }
     current = current[segment];
   }
   return current;
@@ -4008,7 +4185,7 @@ var ReferenceRuntime = class {
       }
       return readPath(currentValue.descriptor, reference.split("."));
     }
-    if (isPlainObject(currentValue) || Array.isArray(currentValue)) {
+    if (isPlainObject2(currentValue) || Array.isArray(currentValue)) {
       return readPath(currentValue, reference.split("."));
     }
     return void 0;
@@ -4033,7 +4210,7 @@ var ReferenceRuntime = class {
         if (state.widget === "combobox") {
           const index = state.selected ?? 0;
           const entry = (state.comboboxElements ?? [])[index];
-          if (isPlainObject(entry)) {
+          if (isPlainObject2(entry)) {
             return entry.value ?? entry.text ?? index;
           }
           return index;
@@ -4041,7 +4218,7 @@ var ReferenceRuntime = class {
         if (state.widget === "listbox") {
           const index = state.selected ?? 0;
           const entry = (state.listboxElements ?? [])[index];
-          if (isPlainObject(entry)) {
+          if (isPlainObject2(entry)) {
             return entry.value ?? entry.text ?? index;
           }
           return index;
@@ -4091,7 +4268,7 @@ var ReferenceRuntime = class {
     }
   }
   assignReference(reference, inputValue, _currentValue, options) {
-    if (reference.startsWith("current.")) {
+    if (reference.startsWith("current.") || hasBlockedReferenceSegment(reference)) {
       return;
     }
     if (reference.startsWith("cookies.")) {
@@ -4136,7 +4313,7 @@ var ReferenceRuntime = class {
       case "elements":
         if (state.widget === "list" || state.widget === "grid-view") {
           this.clearListElementState(state.key);
-          state.elements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject(item) && typeof item.widget === "string") : [];
+          state.elements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject2(item) && typeof item.widget === "string") : [];
           state.elements.forEach((element, index) => {
             const listNode = this.host.nodeById.get(widgetId);
             if (listNode?.widget === "list" || listNode?.widget === "grid-view") {
@@ -4145,10 +4322,10 @@ var ReferenceRuntime = class {
           });
         }
         if (state.widget === "listbox") {
-          state.listboxElements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject(item)) : [];
+          state.listboxElements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject2(item)) : [];
         }
         if (state.widget === "combobox") {
-          state.comboboxElements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject(item)) : [];
+          state.comboboxElements = Array.isArray(inputValue) ? inputValue.filter((item) => isPlainObject2(item)) : [];
         }
         break;
       default:
@@ -4187,9 +4364,15 @@ var ReferenceRuntime = class {
     if (Array.isArray(template)) {
       return template.map((entry) => this.resolveMappedValue(entry, currentValue, responseValue));
     }
-    if (isPlainObject(template)) {
+    if (isPlainObject2(template)) {
       const result = {};
       for (const [key, value] of Object.entries(template)) {
+        if (isBlockedObjectKey(key)) {
+          continue;
+        }
+        if (isTrustedConfigOnlyKey(key) && templateValueUsesReference(value)) {
+          continue;
+        }
         result[key] = this.resolveMappedValue(value, currentValue, responseValue);
       }
       return result;
@@ -4197,7 +4380,7 @@ var ReferenceRuntime = class {
     return template;
   }
   isListElementContext(value) {
-    return isPlainObject(value) && value.kind === "list-element" && typeof value.listId === "string" && typeof value.index === "number" && isPlainObject(value.descriptor) && typeof value.descriptor.widget === "string";
+    return isPlainObject2(value) && value.kind === "list-element" && typeof value.listId === "string" && typeof value.index === "number" && isPlainObject2(value.descriptor) && typeof value.descriptor.widget === "string";
   }
   findNamedWidget(node, name) {
     if (!node) {
@@ -4486,7 +4669,7 @@ function isIfElseArgs(value) {
 }
 
 // src/lib/dom-state.ts
-function isPlainObject2(value) {
+function isPlainObject3(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function supportsTextSelection(element) {
@@ -4656,7 +4839,7 @@ function getListElementContextFromElement(element, stateByKey) {
   }
   const listState = stateByKey.get(listId);
   const descriptor = listState?.elements?.[index];
-  if (!descriptor || !isPlainObject2(descriptor) || typeof descriptor.widget !== "string") {
+  if (!descriptor || !isPlainObject3(descriptor) || typeof descriptor.widget !== "string") {
     return null;
   }
   return {
@@ -5173,7 +5356,7 @@ var renderMdText = (env, node, state, key) => {
   const verticalAlign = VERTICAL_ALIGN_MAP2[node["vert-align"] ?? "center"];
   const common = state.id ? ` id="${env.escapeHtml(state.id)}"` : "";
   const markdown = env.resolveI18nValue(state.text ?? node.text);
-  const html = markdownConverter.makeHtml(markdown);
+  const html = sanitizeGeneratedHtml(markdownConverter.makeHtml(sanitizeMarkdownSource(markdown)));
   const inlineStyle = [
     "display:flex",
     `align-items:${verticalAlign}`,
@@ -5279,7 +5462,7 @@ var renderCheckbox = (env, node, state, key) => {
 
 // src/lib/widgets/image.ts
 var renderImage = (env, node, state, key) => {
-  const url = env.escapeHtml(state.url ?? node.url ?? "");
+  const url = env.escapeHtml(sanitizeUrl(state.url ?? node.url ?? "", { allowRelative: true }) ?? "");
   const styleParts = [
     "box-sizing:border-box",
     "width:100%",
@@ -5306,7 +5489,7 @@ var renderLink = (env, node, state, key) => {
   const classes = `vjt-link vjt-link--${type}${enabled ? "" : " is-disabled"}`;
   const styleString = env.buildStyleString(node);
   const styleAttribute = styleString ? ` style="${env.escapeHtml(styleString)}"` : "";
-  const href = enabled && typeof node.url === "string" ? node.url : "#";
+  const href = enabled ? sanitizeUrl(state.url ?? node.url, { allowRelative: true, allowMailto: true }) ?? "#" : "#";
   const tabIndex = enabled ? "" : ' tabindex="-1" aria-disabled="true"';
   return `<a${state.id ? ` id="${env.escapeHtml(state.id)}"` : ""}${env.buildWidgetDataAttributes(key, node)} class="${classes}" data-widget="link" href="${env.escapeHtml(href)}"${tabIndex}${styleAttribute}>${text}</a>`;
 };
@@ -5868,7 +6051,7 @@ function toFiniteNumber3(value) {
   }
   return null;
 }
-function isPlainObject3(value) {
+function isPlainObject4(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function deepClone(value) {
@@ -5878,6 +6061,9 @@ function sanitizeIdFragment2(value) {
   const cleaned = value.replaceAll(/[^A-Za-z0-9_-]+/g, "");
   return cleaned || "item";
 }
+function buildDefinitionSignature(value) {
+  return JSON.stringify(value) ?? "null";
+}
 function isGeneratedElementId(value) {
   return !value.includes(".") && !value.includes(":") && /Element\d+/.test(value);
 }
@@ -5952,7 +6138,7 @@ var RuntimeRenderer = class {
   constructor(description, options = {}) {
     this.description = deepClone(description);
     this.resourceManager = options.resourceManager ?? null;
-    const customStyleMap = options.styleMap ?? this.resourceManager?.getStyleMap() ?? {};
+    const customStyleMap = sanitizeConfigStyleMap(options.styleMap ?? this.resourceManager?.getStyleMap() ?? {});
     this.styleMap = {
       ...DEFAULT_STYLE_MAP,
       ...customStyleMap
@@ -6160,7 +6346,11 @@ var RuntimeRenderer = class {
     if (typeof window === "undefined" || !url.trim()) {
       return;
     }
-    const nextUrl = new URL(url, window.location.href);
+    const safeUrl = sanitizeUrl(url, { allowRelative: true });
+    if (!safeUrl) {
+      throw new Error("Blocked unsafe navigation url");
+    }
+    const nextUrl = new URL(safeUrl, window.location.href);
     if (nextUrl.origin !== window.location.origin) {
       window.location.assign(nextUrl.toString());
       return;
@@ -6398,6 +6588,7 @@ var RuntimeRenderer = class {
         existing.id = stateId2;
         this.stateById.set(stateId2, existing);
       }
+      this.syncStateDefinition(existing, node);
       return existing;
     }
     const stateId = node.id ?? (isGeneratedElementId(key) ? key : void 0);
@@ -6467,6 +6658,7 @@ var RuntimeRenderer = class {
           id: stateId,
           name: node.name,
           enabled: normalizeBoolean(node.enabled, true),
+          definitionSignature: buildDefinitionSignature(node.elements ?? []),
           elements: deepClone(node.elements ?? [])
         };
         break;
@@ -6477,6 +6669,7 @@ var RuntimeRenderer = class {
           id: stateId,
           name: node.name,
           enabled: normalizeBoolean(node.enabled, true),
+          definitionSignature: buildDefinitionSignature(node.elements ?? []),
           listboxElements: deepClone(node.elements ?? []),
           selected: toFiniteNumber3(node.selected) ?? 0
         };
@@ -6488,6 +6681,7 @@ var RuntimeRenderer = class {
           id: stateId,
           name: node.name,
           enabled: normalizeBoolean(node.enabled, true),
+          definitionSignature: buildDefinitionSignature(node.elements ?? []),
           comboboxElements: deepClone(node.elements ?? []),
           selected: toFiniteNumber3(node.selected) ?? 0
         };
@@ -6551,6 +6745,45 @@ var RuntimeRenderer = class {
     }
     return state;
   }
+  syncStateDefinition(state, node) {
+    if (state.widget !== node.widget) {
+      return;
+    }
+    switch (node.widget) {
+      case "list":
+      case "grid-view": {
+        const nextSignature = buildDefinitionSignature(node.elements ?? []);
+        if (state.definitionSignature !== nextSignature) {
+          if (state.widget === "list" || state.widget === "grid-view") {
+            this.clearListElementState(state.key);
+            state.elements = deepClone(node.elements ?? []);
+            state.definitionSignature = nextSignature;
+          }
+        }
+        break;
+      }
+      case "listbox": {
+        const nextSignature = buildDefinitionSignature(node.elements ?? []);
+        if (state.definitionSignature !== nextSignature) {
+          state.listboxElements = deepClone(node.elements ?? []);
+          state.selected = toFiniteNumber3(node.selected) ?? 0;
+          state.definitionSignature = nextSignature;
+        }
+        break;
+      }
+      case "combobox": {
+        const nextSignature = buildDefinitionSignature(node.elements ?? []);
+        if (state.definitionSignature !== nextSignature) {
+          state.comboboxElements = deepClone(node.elements ?? []);
+          state.selected = toFiniteNumber3(node.selected) ?? 0;
+          state.definitionSignature = nextSignature;
+        }
+        break;
+      }
+      default:
+        break;
+    }
+  }
   getStateForNode(node, fallbackPath) {
     const key = fallbackPath ? this.resolveNodeKey(node, fallbackPath) : node.id ?? this.resolveNodeKey(node, `auto:${node.widget}`);
     return this.ensureWidgetState(node, key);
@@ -6941,7 +7174,7 @@ var RuntimeRenderer = class {
       return;
     }
     const descriptor = listState.elements[indexValue];
-    if (!descriptor || !isPlainObject3(descriptor) || typeof descriptor.widget !== "string") {
+    if (!descriptor || !isPlainObject4(descriptor) || typeof descriptor.widget !== "string") {
       return;
     }
     mutate(descriptor);

package/dist/lib/security.d.ts

@@ -0,0 +1,13 @@
+import type { RequestSchema, StyleMap } from './types.js';
+export declare function isBlockedObjectKey(key: string): boolean;
+export declare function hasBlockedReferenceSegment(reference: string): boolean;
+export declare function isTrustedConfigOnlyKey(key: string): boolean;
+export declare function templateValueUsesReference(value: unknown): boolean;
+export declare function sanitizeConfigStyleMap(styleMap: StyleMap): StyleMap;
+export declare function sanitizeUrl(rawValue: unknown, options?: {
+    allowRelative?: boolean;
+    allowMailto?: boolean;
+}): string | null;
+export declare function sanitizeMarkdownSource(markdown: string): string;
+export declare function sanitizeGeneratedHtml(html: string): string;
+export declare function sanitizeSchemaValue(schema: RequestSchema, value: unknown, path?: string): unknown;

package/dist/lib/types.d.ts

@@ -91,6 +91,7 @@ export type WidgetState = {
     widget: DescriptionNode['widget'];
     id?: string;
     name?: string;
+    definitionSignature?: string;
     currentRef?: string;
     text?: string;
     url?: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vortexm/vjt",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",