runframe 1.0.4 → 2.2.0
- package/.integrity +24 -0
- package/README.md +309 -48
- package/dist/execution-hooks.d.ts +57 -0
- package/dist/execution-hooks.d.ts.map +1 -0
- package/dist/execution-hooks.js +93 -0
- package/dist/execution-hooks.js.map +1 -0
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -0
- package/dist/index.js.map +1 -1
- package/dist/integrity-check.d.ts +38 -0
- package/dist/integrity-check.d.ts.map +1 -0
- package/dist/integrity-check.js +179 -0
- package/dist/integrity-check.js.map +1 -0
- package/dist/module-loader.d.ts +53 -0
- package/dist/module-loader.d.ts.map +1 -0
- package/dist/module-loader.js +105 -0
- package/dist/module-loader.js.map +1 -0
- package/dist/sandbox.d.ts +16 -1
- package/dist/sandbox.d.ts.map +1 -1
- package/dist/sandbox.js +67 -4
- package/dist/sandbox.js.map +1 -1
- package/dist/security-audit.d.ts +6 -0
- package/dist/security-audit.d.ts.map +1 -0
- package/dist/security-audit.js +331 -0
- package/dist/security-audit.js.map +1 -0
- package/dist/test-security.d.ts +5 -0
- package/dist/test-security.d.ts.map +1 -0
- package/dist/test-security.js +367 -0
- package/dist/test-security.js.map +1 -0
- package/dist/vm-runtime.d.ts +3 -1
- package/dist/vm-runtime.d.ts.map +1 -1
- package/dist/vm-runtime.js +81 -5
- package/dist/vm-runtime.js.map +1 -1
- package/dist/worker.js +44 -7
- package/dist/worker.js.map +1 -1
- package/package.json +8 -3
|
@@ -0,0 +1,367 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Comprehensive security test suite for Tier 1 features
|
|
3
|
+
*/
|
|
4
|
+
import { createSandbox } from './sandbox.js';
|
|
5
|
+
const results = [];
|
|
6
|
+
async function test(name, fn) {
|
|
7
|
+
const start = Date.now();
|
|
8
|
+
try {
|
|
9
|
+
await fn();
|
|
10
|
+
results.push({ name, passed: true, duration: Date.now() - start });
|
|
11
|
+
console.log(`✓ ${name}`);
|
|
12
|
+
}
|
|
13
|
+
catch (err) {
|
|
14
|
+
results.push({
|
|
15
|
+
name,
|
|
16
|
+
passed: false,
|
|
17
|
+
error: err instanceof Error ? err.message : String(err),
|
|
18
|
+
duration: Date.now() - start
|
|
19
|
+
});
|
|
20
|
+
console.log(`✗ ${name}: ${err instanceof Error ? err.message : String(err)}`);
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
async function runTests() {
|
|
24
|
+
console.log('\n📋 TIER 1: CUSTOM GLOBALS SECURITY TESTS\n');
|
|
25
|
+
// Test 1: Accept safe custom globals
|
|
26
|
+
await test('Should accept safe custom globals', async () => {
|
|
27
|
+
const sandbox = createSandbox({
|
|
28
|
+
cpuMs: 5000,
|
|
29
|
+
memoryMb: 128,
|
|
30
|
+
globals: { API_KEY: 'secret-key-123', CONFIG: { timeout: 5000 } }
|
|
31
|
+
});
|
|
32
|
+
const result = await sandbox.run('API_KEY');
|
|
33
|
+
if (result.type !== 'result' || result.result !== 'secret-key-123') {
|
|
34
|
+
throw new Error('Failed to access custom global');
|
|
35
|
+
}
|
|
36
|
+
});
|
|
37
|
+
// Test 2: Prevent overwriting system globals
|
|
38
|
+
await test('Should prevent overwriting system globals', async () => {
|
|
39
|
+
const sandbox = createSandbox({
|
|
40
|
+
cpuMs: 5000,
|
|
41
|
+
memoryMb: 128,
|
|
42
|
+
globals: { Math: {} } // Empty object instead of function
|
|
43
|
+
});
|
|
44
|
+
try {
|
|
45
|
+
await sandbox.run('1 + 1');
|
|
46
|
+
throw new Error('Should have blocked Math override');
|
|
47
|
+
}
|
|
48
|
+
catch (err) {
|
|
49
|
+
if (!(err instanceof Error) || !err.message.includes('Cannot override'))
|
|
50
|
+
throw err;
|
|
51
|
+
}
|
|
52
|
+
});
|
|
53
|
+
// Test 3: Prevent overwriting Promise
|
|
54
|
+
await test('Should prevent overwriting Promise', async () => {
|
|
55
|
+
const sandbox = createSandbox({
|
|
56
|
+
cpuMs: 5000,
|
|
57
|
+
memoryMb: 128,
|
|
58
|
+
globals: { Promise: {} } // Empty object instead of function
|
|
59
|
+
});
|
|
60
|
+
try {
|
|
61
|
+
await sandbox.run('1 + 1');
|
|
62
|
+
throw new Error('Should have blocked Promise override');
|
|
63
|
+
}
|
|
64
|
+
catch (err) {
|
|
65
|
+
if (!(err instanceof Error) || !err.message.includes('Cannot override'))
|
|
66
|
+
throw err;
|
|
67
|
+
}
|
|
68
|
+
});
|
|
69
|
+
// Test 4: Freeze custom objects
|
|
70
|
+
await test('Should freeze custom objects to prevent modification', async () => {
|
|
71
|
+
const sandbox = createSandbox({
|
|
72
|
+
cpuMs: 5000,
|
|
73
|
+
memoryMb: 128,
|
|
74
|
+
globals: { CONFIG: { secret: 'value' } }
|
|
75
|
+
});
|
|
76
|
+
const result = await sandbox.run(`
|
|
77
|
+
(function() {
|
|
78
|
+
try {
|
|
79
|
+
CONFIG.secret = 'modified';
|
|
80
|
+
return 'modified';
|
|
81
|
+
} catch (e) {
|
|
82
|
+
return 'blocked';
|
|
83
|
+
}
|
|
84
|
+
})()
|
|
85
|
+
`);
|
|
86
|
+
if (result.type !== 'result' || result.result === 'modified') {
|
|
87
|
+
throw new Error('Custom object should not be modifiable');
|
|
88
|
+
}
|
|
89
|
+
});
|
|
90
|
+
// Test 5: Make globals non-writable
|
|
91
|
+
await test('Should make custom globals non-writable', async () => {
|
|
92
|
+
const sandbox = createSandbox({
|
|
93
|
+
cpuMs: 5000,
|
|
94
|
+
memoryMb: 128,
|
|
95
|
+
globals: { API_KEY: 'secret' }
|
|
96
|
+
});
|
|
97
|
+
const result = await sandbox.run(`
|
|
98
|
+
(function() {
|
|
99
|
+
try {
|
|
100
|
+
API_KEY = 'hacked';
|
|
101
|
+
return typeof API_KEY === 'string' ? 'not-modified' : 'modified';
|
|
102
|
+
} catch (e) {
|
|
103
|
+
return 'blocked';
|
|
104
|
+
}
|
|
105
|
+
})()
|
|
106
|
+
`);
|
|
107
|
+
if (result.type !== 'result') {
|
|
108
|
+
throw new Error('Failed to test globals');
|
|
109
|
+
}
|
|
110
|
+
if (result.result === 'modified') {
|
|
111
|
+
throw new Error('Custom global should not be writable');
|
|
112
|
+
}
|
|
113
|
+
});
|
|
114
|
+
console.log('\n🎣 TIER 1: EXECUTION HOOKS SECURITY TESTS\n');
|
|
115
|
+
// Test 6: Fire before hook
|
|
116
|
+
await test('Should fire before hook', async () => {
|
|
117
|
+
const sandbox = createSandbox({ cpuMs: 5000, memoryMb: 128 });
|
|
118
|
+
let beforeFired = false;
|
|
119
|
+
sandbox.onBefore(() => { beforeFired = true; });
|
|
120
|
+
await sandbox.run('1 + 1');
|
|
121
|
+
if (!beforeFired)
|
|
122
|
+
throw new Error('Before hook not called');
|
|
123
|
+
});
|
|
124
|
+
// Test 7: Fire after hook
|
|
125
|
+
await test('Should fire after hook', async () => {
|
|
126
|
+
const sandbox = createSandbox({ cpuMs: 5000, memoryMb: 128 });
|
|
127
|
+
let afterFired = false;
|
|
128
|
+
sandbox.onAfter(() => { afterFired = true; });
|
|
129
|
+
await sandbox.run('1 + 1');
|
|
130
|
+
if (!afterFired)
|
|
131
|
+
throw new Error('After hook not called');
|
|
132
|
+
});
|
|
133
|
+
// Test 8: Fire error hook
|
|
134
|
+
await test('Should fire error hook on execution error', async () => {
|
|
135
|
+
const sandbox = createSandbox({ cpuMs: 5000, memoryMb: 128 });
|
|
136
|
+
let errorFired = false;
|
|
137
|
+
sandbox.onError(() => { errorFired = true; });
|
|
138
|
+
try {
|
|
139
|
+
await sandbox.run(`
|
|
140
|
+
(function() {
|
|
141
|
+
throw new Error("test error");
|
|
142
|
+
})()
|
|
143
|
+
`);
|
|
144
|
+
}
|
|
145
|
+
catch { }
|
|
146
|
+
await new Promise(r => setTimeout(r, 100));
|
|
147
|
+
if (!errorFired)
|
|
148
|
+
throw new Error('Error hook not called');
|
|
149
|
+
});
|
|
150
|
+
// Test 9: Hook context
|
|
151
|
+
await test('Should provide execution context in hooks', async () => {
|
|
152
|
+
const sandbox = createSandbox({ cpuMs: 5000, memoryMb: 128 });
|
|
153
|
+
let contextData = null;
|
|
154
|
+
sandbox.onBefore((ctx) => { contextData = ctx; });
|
|
155
|
+
const code = '1 + 1';
|
|
156
|
+
await sandbox.run(code);
|
|
157
|
+
if (!contextData || contextData.code !== code || !contextData.executionId) {
|
|
158
|
+
throw new Error('Hook context missing required fields');
|
|
159
|
+
}
|
|
160
|
+
});
|
|
161
|
+
console.log('\n📦 TIER 1: MODULE SYSTEM SECURITY TESTS\n');
|
|
162
|
+
// Test 10: Block non-whitelisted modules
|
|
163
|
+
await test('Should block access to non-whitelisted modules', async () => {
|
|
164
|
+
const sandbox = createSandbox({
|
|
165
|
+
cpuMs: 5000,
|
|
166
|
+
memoryMb: 128,
|
|
167
|
+
allowedModules: ['crypto']
|
|
168
|
+
});
|
|
169
|
+
const result = await sandbox.run(`
|
|
170
|
+
(function() {
|
|
171
|
+
try {
|
|
172
|
+
require('fs');
|
|
173
|
+
return 'success';
|
|
174
|
+
} catch (e) {
|
|
175
|
+
return 'blocked';
|
|
176
|
+
}
|
|
177
|
+
})()
|
|
178
|
+
`);
|
|
179
|
+
if (result.type !== 'result' || result.result !== 'blocked') {
|
|
180
|
+
throw new Error('Non-whitelisted module should be blocked');
|
|
181
|
+
}
|
|
182
|
+
});
|
|
183
|
+
// Test 11: Allow whitelisted crypto
|
|
184
|
+
await test('Should allow whitelisted crypto module', async () => {
|
|
185
|
+
const sandbox = createSandbox({
|
|
186
|
+
cpuMs: 5000,
|
|
187
|
+
memoryMb: 128,
|
|
188
|
+
allowedModules: ['crypto']
|
|
189
|
+
});
|
|
190
|
+
const result = await sandbox.run(`
|
|
191
|
+
(function() {
|
|
192
|
+
try {
|
|
193
|
+
const crypto = require('crypto');
|
|
194
|
+
return typeof crypto.createHash === 'function' ? 'ok' : 'fail';
|
|
195
|
+
} catch (e) {
|
|
196
|
+
return 'error:' + e.message;
|
|
197
|
+
}
|
|
198
|
+
})()
|
|
199
|
+
`);
|
|
200
|
+
if (result.type !== 'result' || result.result !== 'ok') {
|
|
201
|
+
const msg = result.type === 'result' ? String(result.result) : result.error;
|
|
202
|
+
throw new Error(`crypto.createHash should be accessible: ${msg}`);
|
|
203
|
+
}
|
|
204
|
+
});
|
|
205
|
+
// Test 12: Block non-whitelisted exports
|
|
206
|
+
await test('Should block non-whitelisted exports from crypto', async () => {
|
|
207
|
+
const sandbox = createSandbox({
|
|
208
|
+
cpuMs: 5000,
|
|
209
|
+
memoryMb: 128,
|
|
210
|
+
allowedModules: ['crypto']
|
|
211
|
+
});
|
|
212
|
+
const result = await sandbox.run(`
|
|
213
|
+
(function() {
|
|
214
|
+
try {
|
|
215
|
+
const crypto = require('crypto');
|
|
216
|
+
crypto.randomFill;
|
|
217
|
+
return 'success';
|
|
218
|
+
} catch (e) {
|
|
219
|
+
return 'blocked';
|
|
220
|
+
}
|
|
221
|
+
})()
|
|
222
|
+
`);
|
|
223
|
+
if (result.type !== 'result' || result.result !== 'blocked') {
|
|
224
|
+
throw new Error('Non-whitelisted export should be blocked');
|
|
225
|
+
}
|
|
226
|
+
});
|
|
227
|
+
// Test 13: Path module
|
|
228
|
+
await test('Should allow path module with whitelisted exports', async () => {
|
|
229
|
+
const sandbox = createSandbox({
|
|
230
|
+
cpuMs: 5000,
|
|
231
|
+
memoryMb: 128,
|
|
232
|
+
allowedModules: ['path']
|
|
233
|
+
});
|
|
234
|
+
const result = await sandbox.run(`
|
|
235
|
+
(function() {
|
|
236
|
+
try {
|
|
237
|
+
const path = require('path');
|
|
238
|
+
const result = path.join('a', 'b');
|
|
239
|
+
return typeof result === 'string' ? 'ok' : 'fail';
|
|
240
|
+
} catch (e) {
|
|
241
|
+
return 'error:' + e.message;
|
|
242
|
+
}
|
|
243
|
+
})()
|
|
244
|
+
`);
|
|
245
|
+
if (result.type !== 'result' || result.result !== 'ok') {
|
|
246
|
+
const msg = result.type === 'result' ? String(result.result) : result.error;
|
|
247
|
+
throw new Error(`path.join should work: ${msg}`);
|
|
248
|
+
}
|
|
249
|
+
});
|
|
250
|
+
// Test 14: Prevent module modification
|
|
251
|
+
await test('Should prevent module modification', async () => {
|
|
252
|
+
const sandbox = createSandbox({
|
|
253
|
+
cpuMs: 5000,
|
|
254
|
+
memoryMb: 128,
|
|
255
|
+
allowedModules: ['crypto']
|
|
256
|
+
});
|
|
257
|
+
const result = await sandbox.run(`
|
|
258
|
+
(function() {
|
|
259
|
+
try {
|
|
260
|
+
const crypto = require('crypto');
|
|
261
|
+
crypto.newFunc = () => {};
|
|
262
|
+
return 'modified';
|
|
263
|
+
} catch (e) {
|
|
264
|
+
return 'blocked';
|
|
265
|
+
}
|
|
266
|
+
})()
|
|
267
|
+
`);
|
|
268
|
+
if (result.type !== 'result' || result.result === 'modified') {
|
|
269
|
+
throw new Error('Module should not be modifiable');
|
|
270
|
+
}
|
|
271
|
+
});
|
|
272
|
+
console.log('\n❌ TIER 1: ERROR HANDLING & CONTEXT TESTS\n');
|
|
273
|
+
// Test 15: Meaningful error messages
|
|
274
|
+
await test('Should provide meaningful error messages', async () => {
|
|
275
|
+
const sandbox = createSandbox({ cpuMs: 5000, memoryMb: 128 });
|
|
276
|
+
try {
|
|
277
|
+
await sandbox.run('undefined.property.access');
|
|
278
|
+
}
|
|
279
|
+
catch (err) {
|
|
280
|
+
const error = err;
|
|
281
|
+
if (!error.message.includes('Cannot read')) {
|
|
282
|
+
throw new Error(`Error message not descriptive: ${error.message}`);
|
|
283
|
+
}
|
|
284
|
+
}
|
|
285
|
+
});
|
|
286
|
+
// Test 16: Line numbers in errors
|
|
287
|
+
await test('Should include line numbers in errors', async () => {
|
|
288
|
+
const sandbox = createSandbox({ cpuMs: 5000, memoryMb: 128 });
|
|
289
|
+
try {
|
|
290
|
+
await sandbox.run('throw new Error("test")');
|
|
291
|
+
}
|
|
292
|
+
catch (err) {
|
|
293
|
+
const error = err;
|
|
294
|
+
const msg = error.message;
|
|
295
|
+
if (!msg.includes('sandboxed.js') && !msg.includes('line')) {
|
|
296
|
+
throw new Error(`Line info missing in error: ${msg}`);
|
|
297
|
+
}
|
|
298
|
+
}
|
|
299
|
+
});
|
|
300
|
+
// Test 17: Sanitize errors
|
|
301
|
+
await test('Should sanitize errors to prevent info leakage', async () => {
|
|
302
|
+
const sandbox = createSandbox({ cpuMs: 5000, memoryMb: 128 });
|
|
303
|
+
try {
|
|
304
|
+
// Try to access process object (not available in sandbox)
|
|
305
|
+
await sandbox.run('typeof process');
|
|
306
|
+
}
|
|
307
|
+
catch (err) {
|
|
308
|
+
const error = err;
|
|
309
|
+
const msg = error.message;
|
|
310
|
+
// Should not leak Node.js internal paths
|
|
311
|
+
if (msg.includes('node_modules')) {
|
|
312
|
+
throw new Error('Error leaked internal implementation details');
|
|
313
|
+
}
|
|
314
|
+
}
|
|
315
|
+
});
|
|
316
|
+
console.log('\n🔗 TIER 1: COMBINED FEATURE TESTS\n');
|
|
317
|
+
// Test 18: Combine globals + modules + hooks
|
|
318
|
+
await test('Should combine globals + modules + hooks', async () => {
|
|
319
|
+
const sandbox = createSandbox({
|
|
320
|
+
cpuMs: 5000,
|
|
321
|
+
memoryMb: 128,
|
|
322
|
+
globals: { API_BASE: 'https://api.example.com' },
|
|
323
|
+
allowedModules: ['crypto']
|
|
324
|
+
});
|
|
325
|
+
let hookCalled = false;
|
|
326
|
+
sandbox.onBefore(() => { hookCalled = true; });
|
|
327
|
+
const result = await sandbox.run(`
|
|
328
|
+
(function() {
|
|
329
|
+
const crypto = require('crypto');
|
|
330
|
+
const hash = crypto.createHash('sha256');
|
|
331
|
+
return [API_BASE, typeof hash.update];
|
|
332
|
+
})()
|
|
333
|
+
`);
|
|
334
|
+
if (!hookCalled || result.type !== 'result') {
|
|
335
|
+
throw new Error('Combined features test failed');
|
|
336
|
+
}
|
|
337
|
+
const [apiBase, hashType] = result.result;
|
|
338
|
+
if (apiBase !== 'https://api.example.com' || hashType !== 'function') {
|
|
339
|
+
throw new Error('Combined globals and modules not working correctly');
|
|
340
|
+
}
|
|
341
|
+
});
|
|
342
|
+
// Results
|
|
343
|
+
console.log('\n' + '='.repeat(70));
|
|
344
|
+
console.log('TEST RESULTS SUMMARY');
|
|
345
|
+
console.log('='.repeat(70) + '\n');
|
|
346
|
+
const passed = results.filter(r => r.passed).length;
|
|
347
|
+
const failed = results.filter(r => !r.passed).length;
|
|
348
|
+
console.log(`Total: ${results.length} | Passed: ${passed} | Failed: ${failed}`);
|
|
349
|
+
console.log(`Success Rate: ${((passed / results.length) * 100).toFixed(2)}%\n`);
|
|
350
|
+
if (failed > 0) {
|
|
351
|
+
console.log('FAILURES:\n');
|
|
352
|
+
results.filter(r => !r.passed).forEach(r => {
|
|
353
|
+
console.log(` ✗ ${r.name}`);
|
|
354
|
+
console.log(` ${r.error}\n`);
|
|
355
|
+
});
|
|
356
|
+
}
|
|
357
|
+
console.log('PERFORMANCE:\n');
|
|
358
|
+
const totalTime = results.reduce((sum, r) => sum + r.duration, 0);
|
|
359
|
+
console.log(`Total execution time: ${totalTime}ms`);
|
|
360
|
+
console.log(`Average per test: ${(totalTime / results.length).toFixed(2)}ms\n`);
|
|
361
|
+
process.exit(failed > 0 ? 1 : 0);
|
|
362
|
+
}
|
|
363
|
+
runTests().catch(err => {
|
|
364
|
+
console.error('Test suite failed:', err);
|
|
365
|
+
process.exit(1);
|
|
366
|
+
});
|
|
367
|
+
//# sourceMappingURL=test-security.js.map
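Review bot: Several of these security tests can pass without exercising the control they name. In 'Should make custom globals non-writable' the sandboxed snippet returns `typeof API_KEY === 'string' ? 'not-modified' : 'modified'`, and because 'hacked' is also a string, a successful overwrite still reports 'not-modified'; compare the value instead, `return API_KEY === 'secret' ? 'not-modified' : 'modified';`. The three error-handling tests (meaningful messages, line numbers, sanitized errors) assert only inside `catch`, so they pass whenever `sandbox.run` resolves, and `typeof process` never throws, which leaves the leak check in the last one unreachable. Each should fail when the catch block never runs, for example by setting a flag in `catch` and ending with `if (!caught) throw new Error('Expected sandbox.run to reject');`, or by asserting on the returned object if errors are reported through `result.type`, as the other tests suggest.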
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"test-security.js","sourceRoot":"","sources":["../src/test-security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAS7C,MAAM,OAAO,GAAiB,EAAE,CAAC;AAEjC,KAAK,UAAU,IAAI,CAAC,IAAY,EAAE,EAAuB;IACvD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;QACnE,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC;YACX,IAAI;YACJ,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;YACvD,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC7B,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,QAAQ;IACrB,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;IAE5D,qCAAqC;IACrC,MAAM,IAAI,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,OAAO,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;SAClE,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,gBAAgB,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,6CAA6C;IAC7C,MAAM,IAAI,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,OAAO,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,mCAAmC;SAC1D,CAAC,CAAC;QACH,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,CAAC,GAAG,YAAY,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAAE,MAAM,GAAG,CAAC;QACrF,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,sCAAsC;IACtC,MAAM,IAAI,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;Y
ACX,QAAQ,EAAE,GAAG;YACb,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,mCAAmC;SAC7D,CAAC,CAAC;QACH,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,CAAC,GAAG,YAAY,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAAE,MAAM,GAAG,CAAC;QACrF,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,gCAAgC;IAChC,MAAM,IAAI,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,OAAO,EAAE,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE;SACzC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;;;;;;;;;KAShC,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,oCAAoC;IACpC,MAAM,IAAI,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,OAAO,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE;SAC/B,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;;;;;;;;;KAShC,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;IAE7D,2BAA2B;IAC3B,MAAM,IAAI,CAAC,yBAAyB,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,IAAI,WAAW,GAAG,KAAK,CAAC;QACxB,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAChD,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC3B,IAAI,CAAC,WAAW;YAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,IAAI,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC
,CAAC;QAC3B,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,IAAI,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,GAAG,CAAC;;;;OAIjB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;QACV,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAC3C,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,MAAM,IAAI,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,IAAI,WAAW,GAAQ,IAAI,CAAC;QAC5B,OAAO,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,EAAE,GAAG,WAAW,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAClD,MAAM,IAAI,GAAG,OAAO,CAAC;QACrB,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxB,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;YAC1E,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;IAE3D,yCAAyC;IACzC,MAAM,IAAI,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,cAAc,EAAE,CAAC,QAAQ,CAAC;SAC3B,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;;;;;;;;;KAShC,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC5D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,oCAAoC;IACpC,MAAM,IAAI,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,cAAc,EAAE,CAAC,QAAQ,CAAC;SAC3B,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;;;;;;;;;KAShC,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACvD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,K
AAK,CAAC;YAC5E,MAAM,IAAI,KAAK,CAAC,2CAA2C,GAAG,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,yCAAyC;IACzC,MAAM,IAAI,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,cAAc,EAAE,CAAC,QAAQ,CAAC;SAC3B,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;KAUhC,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC5D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,MAAM,IAAI,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,cAAc,EAAE,CAAC,MAAM,CAAC;SACzB,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;KAUhC,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACvD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;YAC5E,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,uCAAuC;IACvC,MAAM,IAAI,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,cAAc,EAAE,CAAC,QAAQ,CAAC;SAC3B,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;KAUhC,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;IAE5D,qCAAqC;IACrC,MAAM,IAAI,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,GAAG,GAAY,CAAC;YAC3B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC3C,MAAM,IAAI,KAAK,CAAC,kCAAkC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,kCAAkC;IAClC,MAAM,IAAI,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,OAAO,GAAG,aAAa,CAAC,
EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;QAC/C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,GAAG,GAAY,CAAC;YAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC;YAC1B,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,2BAA2B;IAC3B,MAAM,IAAI,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,0DAA0D;YAC1D,MAAM,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,GAAG,GAAY,CAAC;YAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC;YAC1B,yCAAyC;YACzC,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IAErD,6CAA6C;IAC7C,MAAM,IAAI,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,OAAO,GAAG,aAAa,CAAC;YAC5B,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,GAAG;YACb,OAAO,EAAE,EAAE,QAAQ,EAAE,yBAAyB,EAAE;YAChD,cAAc,EAAE,CAAC,QAAQ,CAAC;SAC3B,CAAC,CAAC;QACH,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;;;;;;KAMhC,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QACD,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,GAAG,MAAM,CAAC,MAAmB,CAAC;QACvD,IAAI,OAAO,KAAK,yBAAyB,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YACrE,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,UAAU;IACV,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IACnC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IAEnC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IACpD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,C
AAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAErD,OAAO,CAAC,GAAG,CAAC,UAAU,OAAO,CAAC,MAAM,cAAc,MAAM,cAAc,MAAM,EAAE,CAAC,CAAC;IAChF,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAEhF,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;YACzC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,yBAAyB,SAAS,IAAI,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAEhF,OAAO,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACnC,CAAC;AAED,QAAQ,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;IACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
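--- a/package/dist/vm-runtime.d.ts
+++ b/package/dist/vm-runtime.d.ts
@@ -6,10 +6,12 @@ import { PromiseTracker } from "./async.js";
 * This prevents prototype poisoning attacks AND constructor.constructor escapes
 */
 export declare function freezeIntrinsics(): void;
-export declare function createSandboxScope(capabilities: CapabilityGrant, statsCollector: StatsCollector, promiseTracker: PromiseTracker, seed?: number): Record<string, unknown>;
+export declare function createSandboxScope(capabilities: CapabilityGrant, statsCollector: StatsCollector, promiseTracker: PromiseTracker, seed?: number, customGlobals?: Record<string, unknown>): Record<string, unknown>;
 export interface SandboxRuntimeOptions {
 capabilities?: Partial<CapabilityGrant>;
 seed?: number;
+globals?: Record<string, unknown>;
+executionId?: string;
 }
 /**
 * Run code in a strict, isolated VM context with full tracking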
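Review bot: The new `globals` field and the `customGlobals` parameter are declared with no doc comment, although they decide which host values untrusted code can read. I would document the field in the TypeScript source so the generated declaration carries it, e.g. `/** Host values exposed to sandboxed code as read-only globals; everything passed here, including functions, is reachable by the untrusted script. */`. `executionId` also needs a line saying whether callers are expected to supply it or the runtime generates it. The JSDoc block that follows the interface continues outside the hunk.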
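--- a/package/dist/vm-runtime.d.ts.map
+++ b/package/dist/vm-runtime.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"vm-runtime.d.ts","sourceRoot":"","sources":["../src/vm-runtime.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,eAAe,EAChB,MAAM,mBAAmB,CAAC;AAO3B,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,cAAc,EAA4B,MAAM,YAAY,CAAC;
+{"version":3,"file":"vm-runtime.d.ts","sourceRoot":"","sources":["../src/vm-runtime.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,eAAe,EAChB,MAAM,mBAAmB,CAAC;AAO3B,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,cAAc,EAA4B,MAAM,YAAY,CAAC;AA0DtE;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAwCvC;AAmED,wBAAgB,kBAAkB,CAChC,YAAY,EAAE,eAAe,EAC7B,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,cAAc,EAC9B,IAAI,CAAC,EAAE,MAAM,EACb,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACtC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAkLzB;AAED,MAAM,WAAW,qBAAqB;IACpC,YAAY,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACxC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,cAAc,CAAA;CAAE,CAAC,CAmErD"}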
package/dist/vm-runtime.js
CHANGED
|
@@ -50,6 +50,11 @@ function deepFreeze(obj, visited = new WeakSet()) {
|
|
|
50
50
|
}
|
|
51
51
|
}
|
|
52
52
|
}
|
|
53
|
+
/**
|
|
54
|
+
* Set of protected objects that cannot be modified via defineProperty
|
|
55
|
+
* Includes all intrinsics and their prototypes
|
|
56
|
+
*/
|
|
57
|
+
const PROTECTED_OBJECTS = new WeakSet();
|
|
53
58
|
/**
|
|
54
59
|
* Freeze all intrinsic constructors and their prototypes
|
|
55
60
|
* This prevents prototype poisoning attacks AND constructor.constructor escapes
|
|
@@ -59,6 +64,8 @@ export function freezeIntrinsics() {
|
|
|
59
64
|
for (const intrinsic of INTRINSICS_TO_FREEZE) {
|
|
60
65
|
deepFreeze(intrinsic);
|
|
61
66
|
deepFreeze(intrinsic.prototype);
|
|
67
|
+
PROTECTED_OBJECTS.add(intrinsic);
|
|
68
|
+
PROTECTED_OBJECTS.add(intrinsic.prototype);
|
|
62
69
|
}
|
|
63
70
|
// Block .constructor access on all prototype chains
|
|
64
71
|
const blockConstructor = (proto) => {
|
|
@@ -137,7 +144,7 @@ function createConstructorBlockingProxy(target) {
|
|
|
137
144
|
}
|
|
138
145
|
});
|
|
139
146
|
}
|
|
140
|
-
export function createSandboxScope(capabilities, statsCollector, promiseTracker, seed) {
|
|
147
|
+
export function createSandboxScope(capabilities, statsCollector, promiseTracker, seed, customGlobals) {
|
|
141
148
|
const deterministicGlobals = createDeterministicGlobals(seed);
|
|
142
149
|
const sandbox = Object.create(null, {
|
|
143
150
|
// Safe console (captured, no actual I/O)
|
|
@@ -206,7 +213,31 @@ export function createSandboxScope(capabilities, statsCollector, promiseTracker,
|
|
|
206
213
|
},
|
|
207
214
|
// Block reflection APIs
|
|
208
215
|
Object: {
|
|
209
|
-
value: createConstructorBlockingProxy(
|
|
216
|
+
value: createConstructorBlockingProxy({
|
|
217
|
+
defineProperty(target, prop, descriptor) {
|
|
218
|
+
// Block modifications to intrinsic objects and prototypes
|
|
219
|
+
if (PROTECTED_OBJECTS.has(target)) {
|
|
220
|
+
throw new TypeError(`Cannot define properties on protected object: ${String(prop)}`);
|
|
221
|
+
}
|
|
222
|
+
// Block defineProperty on built-in prototypes
|
|
223
|
+
const proto = Object.getPrototypeOf(target);
|
|
224
|
+
if (proto && PROTECTED_OBJECTS.has(proto)) {
|
|
225
|
+
throw new TypeError(`Cannot define properties on object with protected prototype: ${String(prop)}`);
|
|
226
|
+
}
|
|
227
|
+
return Object.defineProperty(target, prop, descriptor);
|
|
228
|
+
},
|
|
229
|
+
// Expose safe Object methods
|
|
230
|
+
keys: Object.keys,
|
|
231
|
+
values: Object.values,
|
|
232
|
+
entries: Object.entries,
|
|
233
|
+
assign: Object.assign,
|
|
234
|
+
create: Object.create,
|
|
235
|
+
freeze: Object.freeze,
|
|
236
|
+
seal: Object.seal,
|
|
237
|
+
getOwnPropertyNames: Object.getOwnPropertyNames,
|
|
238
|
+
getOwnPropertyDescriptor: Object.getOwnPropertyDescriptor,
|
|
239
|
+
getPrototypeOf: Object.getPrototypeOf
|
|
240
|
+
}),
|
|
210
241
|
writable: false,
|
|
211
242
|
enumerable: true
|
|
212
243
|
},
|
|
@@ -217,6 +248,46 @@ export function createSandboxScope(capabilities, statsCollector, promiseTracker,
|
|
|
217
248
|
enumerable: false
|
|
218
249
|
}
|
|
219
250
|
});
|
|
251
|
+
// Inject custom globals if provided
|
|
252
|
+
if (customGlobals) {
|
|
253
|
+
for (const [key, value] of Object.entries(customGlobals)) {
|
|
254
|
+
// Security: prevent overwriting critical globals
|
|
255
|
+
if (["console", "Math", "Date", "JSON", "Promise", "Object", "Reflect", "undefined"].includes(key)) {
|
|
256
|
+
throw new Error(`Cannot override system global: "${key}"`);
|
|
257
|
+
}
|
|
258
|
+
// Skip null and undefined values
|
|
259
|
+
if (value === null || value === undefined) {
|
|
260
|
+
continue;
|
|
261
|
+
}
|
|
262
|
+
// Special handling for functions (like require)
|
|
263
|
+
if (typeof value === "function") {
|
|
264
|
+
Object.defineProperty(sandbox, key, {
|
|
265
|
+
value,
|
|
266
|
+
writable: false,
|
|
267
|
+
enumerable: true,
|
|
268
|
+
configurable: false
|
|
269
|
+
});
|
|
270
|
+
}
|
|
271
|
+
// Freeze objects to prevent modification
|
|
272
|
+
else if (typeof value === "object" && typeof value !== "function") {
|
|
273
|
+
Object.defineProperty(sandbox, key, {
|
|
274
|
+
value: Object.freeze(value),
|
|
275
|
+
writable: false,
|
|
276
|
+
enumerable: true,
|
|
277
|
+
configurable: false
|
|
278
|
+
});
|
|
279
|
+
}
|
|
280
|
+
else {
|
|
281
|
+
// Primitives (string, number, boolean, symbol)
|
|
282
|
+
Object.defineProperty(sandbox, key, {
|
|
283
|
+
value,
|
|
284
|
+
writable: false,
|
|
285
|
+
enumerable: true,
|
|
286
|
+
configurable: false
|
|
287
|
+
});
|
|
288
|
+
}
|
|
289
|
+
}
|
|
290
|
+
}
|
|
220
291
|
// Lock down the sandbox object itself
|
|
221
292
|
return Object.freeze(sandbox);
|
|
222
293
|
}
|
|
@@ -231,8 +302,8 @@ export async function runInSandbox(code, options = {}) {
|
|
|
231
302
|
freezeIntrinsics();
|
|
232
303
|
const capabilities = createCapabilityGrant(options.capabilities);
|
|
233
304
|
const promiseTracker = new PromiseTracker();
|
|
234
|
-
// Step 2: Build sandbox scope with capabilities and
|
|
235
|
-
const sandbox = createSandboxScope(capabilities, stats, promiseTracker, options.seed);
|
|
305
|
+
// Step 2: Build sandbox scope with capabilities, tracking, and custom globals
|
|
306
|
+
const sandbox = createSandboxScope(capabilities, stats, promiseTracker, options.seed, options.globals);
|
|
236
307
|
// Step 3: Create VM context with strict settings
|
|
237
308
|
const context = vm.createContext(sandbox, {
|
|
238
309
|
name: "node-sandbox",
|
|
@@ -242,10 +313,15 @@ export async function runInSandbox(code, options = {}) {
|
|
|
242
313
|
}
|
|
243
314
|
});
|
|
244
315
|
// Step 4: Wrap user code in strict mode
|
|
316
|
+
// Code is executed in an async context and the result is returned
|
|
317
|
+
// If code uses multiple statements, the last expression becomes the result
|
|
318
|
+
// OR user can explicitly return a value
|
|
245
319
|
const wrapped = `
|
|
246
320
|
"use strict";
|
|
247
321
|
(async () => {
|
|
248
|
-
return (
|
|
322
|
+
return (
|
|
323
|
+
${code}
|
|
324
|
+
);
|
|
249
325
|
})();
|
|
250
326
|
`;
|
|
251
327
|
// Step 5: Compile and execute
|
package/dist/vm-runtime.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vm-runtime.js","sourceRoot":"","sources":["../src/vm-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EAEzB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,0BAA0B,EAI3B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAEtE;;;GAGG;AACH,MAAM,oBAAoB,GAAG;IAC3B,MAAM;IACN,KAAK;IACL,QAAQ;IACR,OAAO;IACP,GAAG;IACH,GAAG;IACH,OAAO;IACP,OAAO;IACP,IAAI;IACJ,MAAM;IACN,KAAK;IACL,SAAS;IACT,cAAc;IACd,WAAW;IACX,UAAU;CACX,CAAC;AAEF;;;GAGG;AACH,SAAS,UAAU,CAAC,GAAY,EAAE,OAAO,GAAG,IAAI,OAAO,EAAE;IACvD,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO;IACpD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAa,CAAC;QAAE,OAAO;IAEvC,OAAO,CAAC,GAAG,CAAC,GAAa,CAAC,CAAC;IAC3B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAEnB,wBAAwB;IACxB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC;QACnD,MAAM,UAAU,GAAG,MAAM,CAAC,wBAAwB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC9D,IAAI,UAAU,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACnC,UAAU,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;QACpD,MAAM,UAAU,GAAG,MAAM,CAAC,wBAAwB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC7D,IAAI,UAAU,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACnC,UAAU,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,+BAA+B;IAC/B,KAAK,MAAM,SAAS,IAAI,oBAAoB,EAAE,CAAC;QAC7C,UAAU,CAAC,SAAS,CAAC,CAAC;QACtB,UAAU,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"vm-runtime.js","sourceRoot":"","sources":["../src/vm-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EAEzB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,0BAA0B,EAI3B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAEtE;;;GAGG;AACH,MAAM,oBAAoB,GAAG;IAC3B,MAAM;IACN,KAAK;IACL,QAAQ;IACR,OAAO;IACP,GAAG;IACH,GAAG;IACH,OAAO;IACP,OAAO;IACP,IAAI;IACJ,MAAM;IACN,KAAK;IACL,SAAS;IACT,cAAc;IACd,WAAW;IACX,UAAU;CACX,CAAC;AAEF;;;GAGG;AACH,SAAS,UAAU,CAAC,GAAY,EAAE,OAAO,GAAG,IAAI,OAAO,EAAE;IACvD,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO;IACpD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAa,CAAC;QAAE,OAAO;IAEvC,OAAO,CAAC,GAAG,CAAC,GAAa,CAAC,CAAC;IAC3B,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAEnB,wBAAwB;IACxB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC;QACnD,MAAM,UAAU,GAAG,MAAM,CAAC,wBAAwB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC9D,IAAI,UAAU,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACnC,UAAU,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC;QACpD,MAAM,UAAU,GAAG,MAAM,CAAC,wBAAwB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC7D,IAAI,UAAU,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACnC,UAAU,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,iBAAiB,GAAG,IAAI,OAAO,EAAE,CAAC;AAExC;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,+BAA+B;IAC/B,KAAK,MAAM,SAAS,IAAI,oBAAoB,EAAE,CAAC;QAC7C,UAAU,CAAC,SAAS,CAAC,CAAC;QACtB,UAAU,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAChC,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACjC,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;IAED,oDAAoD;IACpD,MAAM,gBAAgB,GAAG,CAAC,KAAc,EAAE,EAAE;QAC1C,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO;QACxD,IAAI,CAAC;YACH,MAAM,CAAC,cAAc,CAAC,KAAK,EAAE,aAAa,EAAE;gBAC1C,KAAK,EAAE,SAAS;gBAChB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,KAAK;gBACjB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC,CAAC;IAEF,0B
AA0B;IAC1B,KAAK,MAAM,SAAS,IAAI,oBAAoB,EAAE,CAAC;QAC7C,gBAAgB,CAAE,SAAoC,CAAC,SAAS,CAAC,CAAC;QAClE,gBAAgB,CAAC,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC;IACrD,CAAC;IAED,4DAA4D;IAC5D,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IACrC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;IAC/C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC1C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC7B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE9B,iCAAiC;IACjC,IAAI,OAAO,OAAO,KAAK,WAAW,EAAE,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,8BAA8B,CAAmB,MAAS;IACjE,OAAO,IAAI,KAAK,CAAC,MAAM,EAAE;QACvB,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ;YACrB,6BAA6B;YAC7B,IACE,IAAI,KAAK,aAAa;gBACtB,IAAI,KAAK,WAAW;gBACpB,IAAI,KAAK,eAAe,EACxB,CAAC;gBACD,MAAM,IAAI,KAAK,CACb,uBAAuB,MAAM,CAAC,IAAI,CAAC,gBAAgB,CACpD,CAAC;YACJ,CAAC;YAED,qCAAqC;YACrC,IACE,IAAI,KAAK,gBAAgB;gBACzB,IAAI,KAAK,gBAAgB;gBACzB,IAAI,KAAK,0BAA0B;gBACnC,IAAI,KAAK,qBAAqB;gBAC9B,IAAI,KAAK,uBAAuB,EAChC,CAAC;gBACD,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAC7D,CAAC;YACJ,CAAC;YAED,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC1C,CAAC;QAED,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK;YAClB,IAAI,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;gBACnD,MAAM,IAAI,KAAK,CACb,8BAA8B,MAAM,CAAC,IAAI,CAAC,GAAG,CAC9C,CAAC;YACJ,CAAC;YACD,OAAO,KAAK,CAAC,CAAC,oBAAoB;QACpC,CAAC;QAED,GAAG,CAAC,GAAG,EAAE,IAAI;YACX,IAAI,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;gBACnD,OAAO,KAAK,CAAC;YACf,CAAC;YACD,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,CAAC,GAAG;YACT,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAChC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,WAAW,CACtD,CAAC;QACJ,CAAC;QAED,wBAAwB,CAAC,GAAG,EAAE,IAAI;YAChC,IAAI,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;gBACnD,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,OAAO,OAAO,CAAC,wBAAwB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACrD,CAAC;KACF,CAAM,CAAC;AACV,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,YAA6
B,EAC7B,cAA8B,EAC9B,cAA8B,EAC9B,IAAa,EACb,aAAuC;IAEvC,MAAM,oBAAoB,GAAG,0BAA0B,CAAC,IAAI,CAAC,CAAC;IAE9D,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE;QAClC,yCAAyC;QACzC,OAAO,EAAE;YACP,KAAK,EAAE,wBAAwB,CAC7B;gBACE,GAAG,EAAE,CAAC,GAAG,KAAgB,EAAE,EAAE;oBAC3B,qCAAqC;gBACvC,CAAC;gBACD,KAAK,EAAE,CAAC,GAAG,KAAgB,EAAE,EAAE;oBAC7B,QAAQ;gBACV,CAAC;gBACD,IAAI,EAAE,CAAC,GAAG,KAAgB,EAAE,EAAE;oBAC5B,QAAQ;gBACV,CAAC;gBACD,IAAI,EAAE,CAAC,GAAG,KAAgB,EAAE,EAAE;oBAC5B,QAAQ;gBACV,CAAC;gBACD,KAAK,EAAE,CAAC,GAAG,KAAgB,EAAE,EAAE;oBAC7B,QAAQ;gBACV,CAAC;aACF,EACD,SAAS,EACT,YAAY,CAAC,OAAO,CACrB;YACD,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;SACjB;QAED,qBAAqB;QACrB,IAAI,EAAE;YACJ,KAAK,EAAE,wBAAwB,CAC7B,oBAAoB,CAAC,IAAW,EAChC,MAAM,EACN,YAAY,CAAC,IAAI,CAClB;YACD,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;SACjB;QAED,wBAAwB;QACxB,IAAI,EAAE;YACJ,KAAK,EAAE,wBAAwB,CAC7B,oBAAoB,CAAC,IAAW,EAChC,MAAM,EACN,YAAY,CAAC,IAAI,CAClB;YACD,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;SACjB;QAED,YAAY;QACZ,IAAI,EAAE;YACJ,KAAK,EAAE,wBAAwB,CAC7B,oBAAoB,CAAC,IAAW,EAChC,MAAM,EACN,YAAY,CAAC,IAAI,CAClB;YACD,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;SACjB;QAED,wBAAwB;QACxB,OAAO,EAAE;YACP,KAAK,EAAE,wBAAwB,CAAC,cAAc,CAAC;YAC/C,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;SACjB;QAED,qCAAqC;QACrC,SAAS,EAAE;YACT,KAAK,EAAE,SAAS;YAChB,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;SACjB;QAED,uBAAuB;QACvB,SAAS,EAAE;YACT,KAAK,EAAE,cAAc;YACrB,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,KAAK;SAClB;QAED,2CAA2C;QAC3C,QAAQ,EAAE;YACR,KAAK,EAAE,oBAAoB,CAAC,WAAW;YACvC,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,KAAK;SAClB;QAED,wBAAwB;QACxB,MAAM,EAAE;YACN,KAAK,EAAE,8BAA8B,CAAC;gBACpC,cAAc,CAAC,MAAW,EAAE,IAAS,EAAE,UAAe;oBACpD,0DAA0D;oBAC1D,IAAI,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;wBAClC,MAAM,IAAI,SAAS,CAAC,iDAAiD,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACvF,CAAC;oBAED,8CAA8C;oBAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;oBAC5C,IAAI,KAAK,IAAI,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;wBAC1C,MAAM,IAAI,SAAS,CAAC,gEAAgE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACtG,CAAC;oBAED,OAAO,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,IAA
I,EAAE,UAAU,CAAC,CAAC;gBACzD,CAAC;gBAED,6BAA6B;gBAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;gBAC/C,wBAAwB,EAAE,MAAM,CAAC,wBAAwB;gBACzD,cAAc,EAAE,MAAM,CAAC,cAAc;aAC/B,CAAC;YACT,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,IAAI;SACjB;QAED,8BAA8B;QAC9B,OAAO,EAAE;YACP,KAAK,EAAE,8BAA8B,CAAC,OAAO,IAAI,EAAE,CAAC;YACpD,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,KAAK;SAClB;KACF,CAAC,CAAC;IAEH,oCAAoC;IACpC,IAAI,aAAa,EAAE,CAAC;QAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YACzD,iDAAiD;YACjD,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnG,MAAM,IAAI,KAAK,CAAC,mCAAmC,GAAG,GAAG,CAAC,CAAC;YAC7D,CAAC;YAED,iCAAiC;YACjC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBAC1C,SAAS;YACX,CAAC;YAED,gDAAgD;YAChD,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE,CAAC;gBAChC,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,EAAE;oBAClC,KAAK;oBACL,QAAQ,EAAE,KAAK;oBACf,UAAU,EAAE,IAAI;oBAChB,YAAY,EAAE,KAAK;iBACpB,CAAC,CAAC;YACL,CAAC;YACD,yCAAyC;iBACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE,CAAC;gBAClE,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,EAAE;oBAClC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBAC3B,QAAQ,EAAE,KAAK;oBACf,UAAU,EAAE,IAAI;oBAChB,YAAY,EAAE,KAAK;iBACpB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,+CAA+C;gBAC/C,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,GAAG,EAAE;oBAClC,KAAK;oBACL,QAAQ,EAAE,KAAK;oBACf,UAAU,EAAE,IAAI;oBAChB,YAAY,EAAE,KAAK;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,CAAQ,CAAC;AACvC,CAAC;AASD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAY,EACZ,UAAiC,EAAE;IAEnC,MAAM,KAAK,GAAG,IAAI,cAAc,EAAE,CAAC;IACnC,KAAK,CAAC,KAAK,EAAE,CAAC;IAEd,IAAI,CAAC;QACH,2DAA2D;QAC3D,gBAAgB,EAAE,CAAC;QAEnB,MAAM,YAAY,GAAG,qBAAqB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACjE,MAAM,cAAc,GAAG,IAAI,cAA
c,EAAE,CAAC;QAE5C,8EAA8E;QAC9E,MAAM,OAAO,GAAG,kBAAkB,CAChC,YAAY,EACZ,KAAK,EACL,cAAc,EACd,OAAO,CAAC,IAAI,EACZ,OAAO,CAAC,OAAO,CAChB,CAAC;QAEF,iDAAiD;QACjD,MAAM,OAAO,GAAG,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE;YACxC,IAAI,EAAE,cAAc;YACpB,cAAc,EAAE;gBACd,OAAO,EAAE,KAAK,EAAG,gCAAgC;gBACjD,IAAI,EAAE,KAAK,CAAM,iBAAiB;aACnC;SACF,CAAC,CAAC;QAEH,wCAAwC;QACxC,kEAAkE;QAClE,2EAA2E;QAC3E,wCAAwC;QACxC,MAAM,OAAO,GAAG;;;;MAId,IAAI;;;KAGL,CAAC;QAEF,8BAA8B;QAC9B,MAAM,MAAM,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE;YACpC,QAAQ,EAAE,cAAc;YACxB,UAAU,EAAE,CAAC;YACb,YAAY,EAAE,CAAC;SAChB,CAAC,CAAC;QAEH,sDAAsD;QACtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE;YAChD,OAAO,EAAE,KAAK,EAAE,6BAA6B;YAC7C,aAAa,EAAE,IAAI;YACnB,aAAa,EAAE,IAAI;SACpB,CAAC,CAAC;QAEH,kCAAkC;QAClC,MAAM,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAEtC,KAAK,CAAC,aAAa,EAAE,CAAC;QACtB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,KAAK,CAAC,WAAW,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACpE,MAAM,GAAG,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,KAAK,CAAC,YAAY,EAAE,CAAC;IACvB,CAAC;AACH,CAAC"}
|
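--- a/package/dist/worker.js
+++ b/package/dist/worker.js
@@ -2,10 +2,20 @@ import { parentPort, workerData } from "node:worker_threads";
 import { runInSandbox } from "./vm-runtime.js";
 (async () => {
 try {
-const { code, options, capabilities, seed } = workerData;
+const { code, options, capabilities, seed, globals, allowedModules, executionId } = workerData;
+// Build additional context with user globals and module support
+const additionalGlobals = { ...globals };
+// Add safe require if modules are allowed (create it in worker to avoid serialization issues)
+if (allowedModules && allowedModules.length > 0) {
+// Import module loader in worker to create require function
+const { createSafeRequire } = await import('./module-loader.js');
+additionalGlobals.require = createSafeRequire({ allowed: allowedModules });
+}
 const { result, stats } = await runInSandbox(code, {
 capabilities,
-seed
+seed,
+globals: additionalGlobals,
+executionId
 });
 stats.updateMemory();
 const finalStats = stats.finish();
@@ -16,24 +26,51 @@ import { runInSandbox } from "./vm-runtime.js";
 });
 }
 catch (err) {
+const errorMessage = sanitizeError(err);
+// Log the full error to stderr for debugging
+if (err instanceof Error && err.stack) {
+console.error('[WORKER ERROR]', err.message);
+console.error('[WORKER STACK]', err.stack);
+}
 parentPort?.postMessage({
 type: "error",
-error:
+error: errorMessage
 });
 }
 })();
 /**
 * Sanitize errors before returning to parent thread
-* Prevents leaking internal implementation details
+* Prevents leaking internal implementation details but preserves useful context
 */
 function sanitizeError(err) {
 if (err instanceof Error) {
-//
-
+// Expose error message and relevant line info, but not full stack
+const lines = err.stack?.split('\n') ?? [];
+// Get the first meaningful error line
+const errorLine = lines[0] || err.message;
+// If we have no message but have stack lines, include more context
+if (!err.message && lines.length > 0) {
+return lines.slice(0, 3).join('\n');
+}
+// Try to extract line number from "sandboxed.js:X:Y" format
+const userCodeLines = lines.filter(line => line.includes('sandboxed.js'));
+if (userCodeLines.length > 0) {
+// Extract just the location from sandboxed.js
+const match = userCodeLines[0].match(/sandboxed\.js:(\d+):(\d+)/);
+if (match) {
+const lineNum = Math.max(0, parseInt(match[1]) - 4); // Account for wrapping
+return `${err.message || 'Error'} (at line ${lineNum}, column ${match[2]})`;
+}
+}
+// Return message with some context, but not full stack trace
+return errorLine || err.message || 'Unknown error in sandbox';
 }
 if (typeof err === "string") {
 return err;
 }
-
+if (typeof err === "object" && err !== null && 'message' in err) {
+return String(err.message);
+}
+return String(err) || 'Unknown error in sandbox';
 }
 //# sourceMappingURL=worker.js.map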
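Review bot: In `sanitizeError`, the branch `if (!err.message && lines.length > 0) return lines.slice(0, 3).join('\n');` posts the stack header plus the first two frames to the parent, and stack frames normally carry host file paths and internal function names, which the function's own comment says it withholds. Returning only the header there keeps it in line with the other branches: `return lines[0] || 'Unknown error in sandbox';`. Separately, `additionalGlobals.require` is a function created in the worker's own realm, and the function branch of `createSandboxScope` shown earlier on this page defines such values on the sandbox without the constructor-blocking proxy that `Object` gets; unless `createSafeRequire` (module-loader.js, not visible in this section) already returns a wrapped function, that path deserves its own test. `parseInt(match[1])` should also pass a radix, `parseInt(match[1], 10)`. The `- 4` offset silently depends on the wrapper layout in vm-runtime.js, so a shared named constant would keep the two in step.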