Skip to content
This repository has been archived by the owner on Jan 1, 2025. It is now read-only.

Commit

Permalink
Release 3.9.8 (#408)
Browse files Browse the repository at this point in the history
Finalize release 3.9.8
  • Loading branch information
XmiliaH authored Feb 16, 2022
1 parent 777ffb0 commit 925e3e6
Show file tree
Hide file tree
Showing 11 changed files with 1,155 additions and 510 deletions.
36 changes: 18 additions & 18 deletions .eslintrc.js
Original file line number Diff line number Diff line change
@@ -1,19 +1,19 @@
module.exports = {
env: {
es6: true,
node: true
},
extends: [
'integromat'
],
parserOptions: {
"ecmaVersion": 2017,
"ecmaFeatures": {
"globalReturn": true
}
},
globals: {
},
rules: {
}
};
env: {
es6: true,
node: true
},
extends: [
'integromat'
],
parserOptions: {
'ecmaVersion': 2017,
'ecmaFeatures': {
'globalReturn': true
}
},
globals: {
},
rules: {
}
};
2 changes: 1 addition & 1 deletion .github/workflows/node-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [8, 10, 12, 14, 16]
node-version: [8, 10, 12, 14, 16, 17]
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
Expand Down
6 changes: 3 additions & 3 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
v3.9.8 (TBD)
v3.9.8 (2022-92-16)
-------------------
[fix] Add function typecheck for arguments, caller, and callee property check (GeoffRen)
[fix] Add function type check for arguments, caller, and callee property check (GeoffRen)
[fix] Fix find best extension handler

v3.9.7 (2022-02-10)
-------------------
[fix] Allow relative require from base script
[fix] Fix issue with modules with exports clause in package json
[fix] Fix issue with modules with exports clause in package JSON
[fix] Added missing whitelist check before custom require
[fix] Revert plain object toString behavior
[fix] Root path check improved
Expand Down
20 changes: 12 additions & 8 deletions index.d.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,12 @@ import {EventEmitter} from 'events';
* Require options for a VM
*/
export interface VMRequire {
/** Array of allowed builtin modules, accepts ["*"] for all (default: none) */
/** Array of allowed built-in modules, accepts ["*"] for all. Using "*" increases the attack surface and potential
* new modules allow to escape the sandbox. (default: none) */
builtin?: string[];
/*
* `host` (default) to require modules in host and proxy them to sandbox. `sandbox` to load, compile and
* require modules in sandbox. Builtin modules except `events` always required in host and proxied to sandbox
* require modules in sandbox. Built-in modules except `events` always required in host and proxied to sandbox
*/
context?: "host" | "sandbox";
/** `true`, an array of allowed external modules or an object with external options (default: `false`) */
Expand All @@ -17,7 +18,7 @@ export interface VMRequire {
import?: string[];
/** Restricted path(s) where local modules can be required (default: every path). */
root?: string | string[];
/** Collection of mock modules (both external or builtin). */
/** Collection of mock modules (both external or built-in). */
mock?: any;
/* An additional lookup function in case a module wasn't found in one of the traditional node lookup paths. */
resolve?: (moduleName: string, parentDirname: string) => string | undefined;
Expand All @@ -36,7 +37,7 @@ type CompilerFunction = (code: string, filename: string) => string;
*/
export interface VMOptions {
/**
* `javascript` (default) or `coffeescript` or custom compiler function (which receives the code, and it's filepath).
* `javascript` (default) or `coffeescript` or custom compiler function (which receives the code, and it's file path).
* The library expects you to have coffee-script pre-installed if the compiler is set to `coffeescript`.
*/
compiler?: "javascript" | "coffeescript" | CompilerFunction;
Expand All @@ -48,7 +49,7 @@ export interface VMOptions {
*/
timeout?: number;
/**
* If set to `false` any calls to eval or function constructors (`Function`, `GeneratorFunction`, etc) will throw an
* If set to `false` any calls to eval or function constructors (`Function`, `GeneratorFunction`, etc.) will throw an
* `EvalError` (default: `true`).
*/
eval?: boolean;
Expand All @@ -58,7 +59,7 @@ export interface VMOptions {
wasm?: boolean;
/**
* If set to `true` any attempt to run code using async will throw a `VMError` (default: `false`).
* @deprecated Use ``allowAsync` instead
* @deprecated Use `allowAsync` instead.
*/
fixAsync?: boolean;

Expand All @@ -76,7 +77,8 @@ export interface NodeVMOptions extends VMOptions {
console?: "inherit" | "redirect" | "off";
/** `true` or an object to enable `require` options (default: `false`). */
require?: true | VMRequire;
/** `true` to enable VMs nesting (default: `false`). */
/** **WARNING**: This should be disabled. It allows to create a NodeVM form within the sandbox which could return any host module.
* `true` to enable VMs nesting (default: `false`). */
nesting?: boolean;
/** `commonjs` (default) to wrap script into CommonJS wrapper, `none` to retrieve value returned by the script. */
wrapper?: "commonjs" | "none";
Expand Down Expand Up @@ -119,6 +121,8 @@ export class VM {
getGlobal(name: string): any;
/** Freezes the object inside VM making it read-only. Not available for primitive values. */
freeze(object: any, name?: string): any;
/** Freezes the object inside VM making it read-only. Not available for primitive values. */
readonly(object: any): any;
/** Protects the object inside VM making impossible to set functions as it's properties. Not available for primitive values */
protect(object: any, name?: string): any;
}
Expand All @@ -135,7 +139,7 @@ export class NodeVM extends EventEmitter implements VM {
/**
* Create NodeVM and run code inside it.
*
* @param {string} script Javascript code.
* @param {string} script JavaScript code.
* @param {string} [filename] File name (used in stack traces only).
* @param {Object} [options] VM options.
*/
Expand Down
12 changes: 8 additions & 4 deletions lib/nodevm.js
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,8 @@ class NodeVM extends VM {
const {
Module,
jsonParse,
createRequireForModule
createRequireForModule,
requireImpl
} = closure(HOST, {
__proto__: null,
argv,
Expand All @@ -278,11 +279,12 @@ class NodeVM extends VM {
_Module: {__proto__: null, value: Module},
_jsonParse: {__proto__: null, value: jsonParse},
_createRequireForModule: {__proto__: null, value: createRequireForModule},
_requireImpl: {__proto__: null, value: requireImpl},
_cacheRequireModule: {__proto__: null, value: null, writable: true}
});


resolver.init(this, ()=>true);
resolver.init(this);

// prepare global sandbox
if (sandbox) {
Expand Down Expand Up @@ -331,10 +333,12 @@ class NodeVM extends VM {
const path = this._resolver.pathResolve('.');
let mod = this._cacheRequireModule;
if (!mod || mod.path !== path) {
mod = new (this._Module)(this._resolver.pathConcat(path, '/vm.js'), path);
const filename = this._resolver.pathConcat(path, '/vm.js');
mod = new (this._Module)(filename, path);
this._resolver.registerModule(mod, filename, path, null, false);
this._cacheRequireModule = mod;
}
return mod.require(module);
return this._requireImpl(mod, module, true);
}

/**
Expand Down
3 changes: 2 additions & 1 deletion lib/setup-node-sandbox.js
Original file line number Diff line number Diff line change
Expand Up @@ -459,5 +459,6 @@ return {
__proto__: null,
Module,
jsonParse: JSON.parse,
createRequireForModule
createRequireForModule,
requireImpl
};
30 changes: 19 additions & 11 deletions lib/transformer.js
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@

const {parse: acornParse} = require('acorn');
const {full: acornWalkFull} = require('acorn-walk');
const {compileFunction} = require('vm');

const INTERNAL_STATE_NAME = 'VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL';

Expand All @@ -26,21 +27,28 @@ function transformer(args, body, isAsync, isGenerator) {
code += '\n})';
}

const ast = acornParse(code, {
__proto__: null,
ecmaVersion: 2020,
allowAwaitOutsideFunction: args === null && isAsync,
allowReturnOutsideFunction: args === null
});
let ast;
try {
ast = acornParse(code, {
__proto__: null,
ecmaVersion: 2020,
allowAwaitOutsideFunction: args === null && isAsync,
allowReturnOutsideFunction: args === null
});
} catch (e) {
// Try to generate a nicer error message.
compileFunction(code);
throw e;
}

if (args !== null) {
const pBody = assertType(ast, 'Program').body;
if (pBody.length !== 1) throw new Error('Invalid arguments');
if (pBody.length !== 1) throw new SyntaxError('Single function literal required');
const expr = pBody[0];
if (expr.type !== 'ExpressionStatement') throw new Error('Invalid arguments');
if (expr.type !== 'ExpressionStatement') throw new SyntaxError('Single function literal required');
const func = expr.expression;
if (func.type !== 'FunctionExpression') throw new Error('Invalid arguments');
if (func.body.start !== argsOffset + 3) throw new Error('Invalid arguments');
if (func.type !== 'FunctionExpression') throw new SyntaxError('Single function literal required');
if (func.body.start !== argsOffset + 3) throw new SyntaxError('Unexpected end of arg string');
}

const insertions = [];
Expand Down Expand Up @@ -79,7 +87,7 @@ function transformer(args, body, isAsync, isGenerator) {
});
} else if (type === 'Identifier') {
if (node.name === INTERNAL_STATE_NAME) {
throw new Error('Use of internal vm2 state variable');
throw new SyntaxError('Use of internal vm2 state variable');
}
} else if (type === 'ImportExpression') {
insertions.push({
Expand Down
Loading

0 comments on commit 925e3e6

Please sign in to comment.