socket-function 0.142.0 → 0.144.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -11,6 +11,7 @@ import { isNode } from "../src/misc";
|
|
|
11
11
|
import { magenta, red } from "../src/formatting/logColors";
|
|
12
12
|
import { formatTime } from "../src/formatting/format";
|
|
13
13
|
import { batchFunction } from "../src/batching";
|
|
14
|
+
import { getIsAllowClient } from "../require/RequireController";
|
|
14
15
|
|
|
15
16
|
/** Enables some hot reload functionality.
|
|
16
17
|
* - Triggers a refresh clientside
|
|
@@ -142,7 +143,7 @@ const hotReloadModule = cache((module: NodeJS.Module) => {
|
|
|
142
143
|
}
|
|
143
144
|
//module.sourceSHA256;
|
|
144
145
|
// crypto.createHash("sha256").update(contents).digest("hex")
|
|
145
|
-
if (module
|
|
146
|
+
if (getIsAllowClient(module)) {
|
|
146
147
|
triggerClientSideReload({
|
|
147
148
|
files: [module.filename],
|
|
148
149
|
changeTime,
|
package/package.json
CHANGED
|
@@ -18,7 +18,9 @@ module.allowclient = true;
|
|
|
18
18
|
declare global {
|
|
19
19
|
namespace NodeJS {
|
|
20
20
|
interface Module {
|
|
21
|
-
/** Indicates the module is allowed clientside.
|
|
21
|
+
/** Indicates the module is allowed clientside.
|
|
22
|
+
* NOTE: Set with `module.allowclient = true`. HOWEVER, access via getIsAllowClient, which will check
|
|
23
|
+
*/
|
|
22
24
|
allowclient?: boolean;
|
|
23
25
|
|
|
24
26
|
/** Causes the module to not preload, requiring `await import()` for it to load correctly
|
|
@@ -136,8 +138,8 @@ class RequireControllerBase {
|
|
|
136
138
|
if (fs.existsSync(resolved)) {
|
|
137
139
|
let rootResolved = path.resolve(resolved);
|
|
138
140
|
let finalResolved = path.resolve(rootResolved);
|
|
139
|
-
if (!finalResolved.startsWith(
|
|
140
|
-
throw new Error(`Invalid access, did not stay in namespace: ${JSON.stringify(
|
|
141
|
+
if (!finalResolved.startsWith(rootResolved)) {
|
|
142
|
+
throw new Error(`Invalid access, did not stay in namespace: ${JSON.stringify(rootResolved)}, but escaped: ${JSON.stringify(finalResolved)}`);
|
|
141
143
|
}
|
|
142
144
|
result = await fs.promises.readFile(resolved);
|
|
143
145
|
break;
|
|
@@ -153,7 +155,7 @@ class RequireControllerBase {
|
|
|
153
155
|
return setHTTPResultHeaders(result, headers);
|
|
154
156
|
}
|
|
155
157
|
|
|
156
|
-
|
|
158
|
+
return setHTTPResultHeaders(Buffer.from(`Static file not found, ${urlObj.pathname}, have static roots: ${JSON.stringify(staticRoots)}`), headers);
|
|
157
159
|
}
|
|
158
160
|
|
|
159
161
|
}
|
|
@@ -416,6 +418,15 @@ async function compressCached(bufferKey: string, buffer: () => Buffer): Promise<
|
|
|
416
418
|
return cached;
|
|
417
419
|
}
|
|
418
420
|
|
|
421
|
+
export function getIsAllowClient(module: NodeJS.Module) {
|
|
422
|
+
// TODO: Support blacklisting private modules.
|
|
423
|
+
if (module.filename.includes("node_modules")) {
|
|
424
|
+
// The packages are public anyway, so we might as well allow serving them client-side. They still need to be included server side, so this doesn't create any vulnerabilities.
|
|
425
|
+
return true;
|
|
426
|
+
}
|
|
427
|
+
return module.allowclient && !module.serveronly;
|
|
428
|
+
}
|
|
429
|
+
|
|
419
430
|
type ClientRemapCallback = (args: GetModulesArgs) => Promise<GetModulesArgs>;
|
|
420
431
|
declare global {
|
|
421
432
|
/** Must be set clientside BEFORE requests are made (so you likely want to use RequireController.addMapGetModules
|