fix: safe mode validations (#2912)

2025-08-18 06:40:20 +02:00 · 2024-08-24 14:29:43 +05:30
parent 4fbd2f0bdb
commit 4bdbfb5c0c
7 changed files with 115 additions and 11 deletions
--- a/packages/bruno-js/src/sandbox/quickjs/index.js
+++ b/packages/bruno-js/src/sandbox/quickjs/index.js
@@ -10,6 +10,7 @@ const { newQuickJSWASMModule, memoizePromiseFactory } = require('quickjs-emscrip
 // execute `npm run sandbox:bundle-libraries` if the below file doesn't exist
 const getBundledCode = require('../bundle-browser-rollup');
 const addPathShimToContext = require('./shims/lib/path');
+const { marshallToVm } = require('./utils');

 let QuickJSSyncContext;
 const loader = memoizePromiseFactory(() => newQuickJSWASMModule());
@@ -48,14 +49,18 @@ const executeQuickJsVm = ({ script: externalScript, context: externalContext, sc
  const vm = QuickJSSyncContext;

  try {
-    const { bru, req, res } = externalContext;
+    const { bru, req, res, ...variables } = externalContext;

    bru && addBruShimToContext(vm, bru);
    req && addBrunoRequestShimToContext(vm, req);
    res && addBrunoResponseShimToContext(vm, res);

-    const templateLiteralText = `\`${externalScript}\`;`;
-    const jsExpressionText = `${externalScript};`;
+    Object.entries(variables)?.forEach(([key, value]) => {
+      vm.setProp(vm.global, key, marshallToVm(value, vm));
+    });
+
+    const templateLiteralText = `\`${externalScript}\``;
+    const jsExpressionText = `${externalScript}`;

    let scriptText = scriptType === 'template-literal' ? templateLiteralText : jsExpressionText;

@@ -66,7 +71,6 @@ const executeQuickJsVm = ({ script: externalScript, context: externalContext, sc
      return e;
    } else {
      let v = vm.dump(result.value);
-      let vString = v.toString();
      result.value.dispose();
      return v;
    }
@@ -124,6 +128,9 @@ const executeQuickJsVmAsync = async ({ script: externalScript, context: external
            // resolve module
            return globalThis.requireObject[mod];
          }
+          else {
+            throw new Error("Cannot find module " + mod);
+          }
        }
      `;
    };
--- a/packages/bruno-js/src/sandbox/quickjs/shims/local-module.js
+++ b/packages/bruno-js/src/sandbox/quickjs/shims/local-module.js
@@ -19,6 +19,10 @@ const addLocalModuleLoaderShimToContext = (vm, collectionPath) => {
      throw new Error('Access to files outside of the collectionPath is not allowed.');
    }

+    if (!fs.existsSync(filePath)) {
+      throw new Error(`Cannot find module ${filename}`);
+    }
+
    let code = fs.readFileSync(filePath).toString();

    return marshallToVm(code, vm);