isolated-function 0.0.3

package/LICENSE.md

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright © 2024 microlink.io <hello@microlink.io> (microlink.io)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

package/README.md

@@ -0,0 +1,74 @@
+# isolated-function
+
+![Last version](https://img.shields.io/github/tag/Kikobeats/isolated-function.svg?style=flat-square)
+[![Coverage Status](https://img.shields.io/coveralls/Kikobeats/isolated-function.svg?style=flat-square)](https://coveralls.io/github/Kikobeats/isolated-function)
+[![NPM Status](https://img.shields.io/npm/dm/isolated-function.svg?style=flat-square)](https://www.npmjs.org/package/isolated-function)
+
+**Highlights**
+
+- Based on [v8-sandbox](https://github.com/fulcrumapp/v8-sandbox).
+- Auto install npm dependencies.
+- Timeout support.
+
+## Install
+
+```bash
+npm install isolated-function --save
+```
+
+## Usage
+
+```js
+const isoaltedFunction = require('isolated-function')
+
+/* This function will run in a sandbox, in a separate process */
+const sum = isoaltedFunction((y, z) => y + z)
+
+/* Interact with it as usual from your main code */
+const result = await sum(3, 2)
+
+console.log(result)
+```
+
+You can also use `require' for external dependencies:
+
+```js
+const isEmoji = isoaltedFunction(emoji => {
+  const isEmoji = require('is-standard-emoji')
+  return isEmoji(emoji)
+})
+
+await isEmoji('🙌') // => true
+await isEmoji('foo') // => false
+```
+
+The dependencies are bundled with the source code into a single file that is executed in the sandbox.
+
+It's intentionally not possible to expose any Node.js objects or functions directly to the sandbox (such as `process`, or filesystem). This makes it slightly harder to integrate into a project, but has the benefit of guaranteed isolation.
+
+## API
+
+### isoaltedFunction(snippet, [options])
+
+#### snippet
+
+*Required*<br>
+Type: `string`
+
+The source code to run.
+
+#### options
+
+##### foo
+
+Type: `boolean`<br>
+Default: `false`
+
+Lorem ipsum.
+
+## License
+
+**isolated-function** © [Kiko Beats](https://kikobeats.com), released under the [MIT](https://github.com/Kikobeats/isolated-function/blob/master/LICENSE.md) License.<br>
+Authored and maintained by Kiko Beats with help from [contributors](https://github.com/Kikobeats/isolated-function/contributors).
+
+> [kikobeats.com](https://kikobeats.com) · GitHub [@Kiko Beats](https://github.com/Kikobeats) · X [@Kikobeats](https://x.com/Kikobeats)

package/package.json

@@ -0,0 +1,102 @@
+{
+  "name": "isolated-function",
+  "description": "Runs untrusted code in a Node.js v8 sandbox.",
+  "homepage": "https://github.com/Kikobeats/isolated-function",
+  "version": "0.0.3",
+  "main": "src/index.js",
+  "exports": {
+    ".": "./src/index.js"
+  },
+  "author": {
+    "email": "hello@microlink.io",
+    "name": "microlink.io",
+    "url": "https://microlink.io"
+  },
+  "contributors": [
+    {
+      "name": "Kiko Beats",
+      "email": "josefrancisco.verdu@gmail.com"
+    }
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Kikobeats/isolated-function.git"
+  },
+  "bugs": {
+    "url": "https://github.com/Kikobeats/isolated-function/issues"
+  },
+  "keywords": [
+    "isolated",
+    "javascript",
+    "js",
+    "sandbox",
+    "v8"
+  ],
+  "dependencies": {
+    "acorn": "~8.12.1",
+    "acorn-walk": "~8.3.3",
+    "ensure-error": "~3.0.1",
+    "esbuild": "~0.23.1",
+    "process-stats": "~3.7.10",
+    "serialize-error": "8",
+    "tinyspawn": "~1.3.2",
+    "v8-sandbox": "~3.2.12"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "latest",
+    "@commitlint/config-conventional": "latest",
+    "@ksmithut/prettier-standard": "latest",
+    "ava": "latest",
+    "c8": "latest",
+    "ci-publish": "latest",
+    "finepack": "latest",
+    "git-authors-cli": "latest",
+    "github-generate-release": "latest",
+    "nano-staged": "latest",
+    "simple-git-hooks": "latest",
+    "standard": "latest",
+    "standard-version": "latest"
+  },
+  "engines": {
+    "node": ">= 18"
+  },
+  "files": [
+    "src"
+  ],
+  "scripts": {
+    "clean": "rm -rf node_modules",
+    "contributors": "(npx git-authors-cli && npx finepack && git add package.json && git commit -m 'build: contributors' --no-verify) || true",
+    "coverage": "c8 report --reporter=text-lcov > coverage/lcov.info",
+    "lint": "standard",
+    "postrelease": "npm run release:tags && npm run release:github && (ci-publish || npm publish --access=public)",
+    "pretest": "npm run lint",
+    "release": "standard-version -a",
+    "release:github": "github-generate-release",
+    "release:tags": "git push --follow-tags origin HEAD:master",
+    "test": "c8 ava"
+  },
+  "license": "MIT",
+  "commitlint": {
+    "extends": [
+      "@commitlint/config-conventional"
+    ],
+    "rules": {
+      "body-max-line-length": [
+        0
+      ]
+    }
+  },
+  "nano-staged": {
+    "*.js": [
+      "prettier-standard",
+      "standard --fix"
+    ],
+    "package.json": [
+      "finepack"
+    ]
+  },
+  "simple-git-hooks": {
+    "commit-msg": "npx commitlint --edit",
+    "pre-commit": "npx nano-staged"
+  }
+}

package/src/compile.js

@@ -0,0 +1,76 @@
+'use strict'
+
+const { execSync } = require('child_process')
+const walk = require('acorn-walk')
+const esbuild = require('esbuild')
+const fs = require('fs/promises')
+const { tmpdir } = require('os')
+const acorn = require('acorn')
+const $ = require('tinyspawn')
+const path = require('path')
+
+const generateTemplate = require('./template')
+
+const packageManager = (() => {
+  try {
+    execSync('which pnpm').toString().trim()
+    return { init: 'pnpm init', install: 'pnpm install' }
+  } catch {
+    return { init: 'npm init --yes', install: 'npm install' }
+  }
+})()
+
+// Function to detect require and import statements using acorn
+const detectDependencies = code => {
+  const dependencies = new Set()
+
+  // Parse the code into an AST
+  const ast = acorn.parse(code, { ecmaVersion: 2020, sourceType: 'module' })
+
+  // Traverse the AST to find require and import statements
+  walk.simple(ast, {
+    CallExpression (node) {
+      if (
+        node.callee.name === 'require' &&
+        node.arguments.length === 1 &&
+        node.arguments[0].type === 'Literal'
+      ) {
+        dependencies.add(node.arguments[0].value)
+      }
+    },
+    ImportDeclaration (node) {
+      dependencies.add(node.source.value)
+    }
+  })
+
+  return Array.from(dependencies)
+}
+
+module.exports = async snippet => {
+  const tmp = await fs.mkdtemp(path.join(tmpdir(), 'compile-'))
+  await fs.mkdir(tmp, { recursive: true })
+
+  const template = generateTemplate(snippet)
+
+  const entryFile = path.join(tmp, 'index.js')
+  await fs.writeFile(entryFile, template)
+
+  const dependencies = detectDependencies(template)
+  await $(packageManager.init, { cwd: tmp })
+  await $(`${packageManager.install} ${dependencies.join(' ')}`, { cwd: tmp })
+
+  const result = await esbuild.build({
+    entryPoints: [entryFile],
+    bundle: true,
+    write: false,
+    platform: 'node'
+  })
+
+  const bundledCode = result.outputFiles[0].text
+
+  await fs.rm(tmp, { recursive: true })
+
+  return bundledCode
+}
+
+module.exports.detectDependencies = detectDependencies

package/src/index.js

@@ -0,0 +1,32 @@
+'use strict'
+
+const { Sandbox } = require('v8-sandbox')
+const { deserializeError } = require('serialize-error')
+
+const compile = require('./compile')
+
+module.exports = (snippet, { timeout = 10000, globals = {} } = {}) => {
+  if (typeof snippet !== 'function') {
+    throw new TypeError('Expected a function')
+  }
+
+  const sandbox = new Sandbox({
+    httpEnabled: false,
+    timersEnabled: true,
+    debug: true
+  })
+  const compiling = compile(snippet)
+  const initializing = sandbox.initialize()
+
+  return async (...args) => {
+    const [code] = await Promise.all([compiling, initializing])
+    const { error, value } = await sandbox.execute({
+      code,
+      timeout,
+      globals: { ...globals, arguments: args }
+    })
+    await sandbox.shutdown()
+    if (error) throw require('ensure-error')(deserializeError(error))
+    return value
+  }
+}

package/src/template/index.js

@@ -0,0 +1,40 @@
+'use strict'
+
+const SERIALIZE_ERROR = require('./serialize-error')
+
+const DISALLOW_INTERNALS = [
+  '_dispatch',
+  'base64ToBuffer',
+  'bufferToBase64',
+  'define',
+  'defineAsync',
+  'dispatch',
+  'httpRequest',
+  'info',
+  'setResult'
+]
+
+const generateTemplate = snippet => {
+  const value = (() => {
+    return `await (() => {
+      let ${DISALLOW_INTERNALS.join(',')};
+      globalThis = { clearTimeout, setTimeout }
+      globalThis.global = globalThis
+      return (${snippet.toString()})(...arguments)
+    })()`
+  })()
+
+  const template = `;(async () => {
+  try {
+    setResult({
+      value: ${value}
+    })
+  } catch(error) {
+   setResult({ error: ${SERIALIZE_ERROR}(error) })
+  }
+})()`
+
+  return template
+}
+
+module.exports = generateTemplate

package/src/template/serialize-error.js

@@ -0,0 +1,107 @@
+// serialize-error@8.1.0
+module.exports = `(() => {
+  'use strict'
+
+const commonProperties = [
+  { property: 'name', enumerable: false },
+  { property: 'message', enumerable: false },
+  { property: 'stack', enumerable: false },
+  { property: 'code', enumerable: true }
+]
+
+const isCalled = Symbol('.toJSON called')
+
+const toJSON = from => {
+  from[isCalled] = true
+  const json = from.toJSON()
+  delete from[isCalled]
+  return json
+}
+
+const destroyCircular = ({
+  from,
+  seen,
+  to_,
+  forceEnumerable,
+  maxDepth,
+  depth
+}) => {
+  const to = to_ || (Array.isArray(from) ? [] : {})
+
+  seen.push(from)
+
+  if (depth >= maxDepth) {
+    return to
+  }
+
+  if (typeof from.toJSON === 'function' && from[isCalled] !== true) {
+    return toJSON(from)
+  }
+
+  for (const [key, value] of Object.entries(from)) {
+    if (typeof Buffer === 'function' && Buffer.isBuffer(value)) {
+      to[key] = '[object Buffer]'
+      continue
+    }
+
+    if (typeof value === 'function') {
+      continue
+    }
+
+    if (!value || typeof value !== 'object') {
+      to[key] = value
+      continue
+    }
+
+    if (!seen.includes(from[key])) {
+      depth++
+
+      to[key] = destroyCircular({
+        from: from[key],
+        seen: seen.slice(),
+        forceEnumerable,
+        maxDepth,
+        depth
+      })
+      continue
+    }
+
+    to[key] = '[Circular]'
+  }
+
+  for (const { property, enumerable } of commonProperties) {
+    if (typeof from[property] === 'string') {
+      Object.defineProperty(to, property, {
+        value: from[property],
+        enumerable: forceEnumerable ? true : enumerable,
+        configurable: true,
+        writable: true
+      })
+    }
+  }
+
+  return to
+}
+
+return (value, options = {}) => {
+  const { maxDepth = Number.POSITIVE_INFINITY } = options
+
+  if (typeof value === 'object' && value !== null) {
+    return destroyCircular({
+      from: value,
+      seen: [],
+      forceEnumerable: true,
+      maxDepth,
+      depth: 0
+    })
+  }
+
+  // People sometimes throw things besides Error objects…
+  if (typeof value === 'function') {
+    return \`[Function: \${value.name || 'anonymous'}]\`
+  }
+
+  return value
+}
+
+})()`