Feat/safe mode quickjs (#2825)

* feat: testing quickjs sanbox

* feat: testing quickjs sanbox

* feat: testing quickjs sanbox
This commit is contained in:
Anoop M D 2024-08-13 19:06:17 +05:30 committed by GitHub
parent bde2c57a23
commit a18e5e5b94
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 546 additions and 123 deletions

View File

@ -57,6 +57,9 @@ npm run build:graphql-docs
npm run build:bruno-query
npm run build:bruno-common
# bundle js sandbox libraries
npm run sandbox:bundle-libraries --workspace=packages/bruno-js
# run next app (terminal 1)
npm run dev:web

View File

@ -42,7 +42,7 @@ const runSingleRequest = async function (
// todo: allow to override from cli args
// we will default to vm2 (developer-mode) for 1.x version for backward compatibility
// 2.x will default to isolated-vm (safe mode)
scriptingConfig.runtime = 'vm2';
scriptingConfig.runtime = 'isolated-vm';
// make axios work in node using form data
// reference: https://github.com/axios/axios/issues/1006#issuecomment-320165427

View File

@ -83,7 +83,7 @@ const getEnvVars = (environment = {}) => {
const getJsSandboxRuntime = (collection) => {
const securityConfig = get(collection, 'securityConfig', {});
return securityConfig.jsSandboxMode === 'safe' ? 'isolated-vm' : 'vm2';
return securityConfig.jsSandboxMode === 'safe' ? 'quickjs' : 'vm2';
};
const protocolRegex = /^([-+\w]{1,25})(:?\/\/|:)/;

View File

@ -1 +1 @@
src/bundle-browser-rollup.js
src/sandbox/bundle-browser-rollup.js

View File

@ -12,12 +12,10 @@
},
"scripts": {
"test": "jest --testPathIgnorePatterns test.js",
"rebuild:electron": "cd ./node_modules/isolated-vm && npx electron-rebuild",
"postinstall": "npm run isolated-vm:install && npm run isolated-vm:prebuild:dev && npm run isolated-vm:bundle-libraries",
"sandbox:bundle-libraries": "node ./src/sandbox/bundle-libraries.js",
"isolated-vm:install": "cd ./node_modules/isolated-vm && npm install",
"isolated-vm:prebuild:dev": "node ./scripts/prebuild-isolated-vm-for-dev.js",
"isolated-vm:prebuild:prod": "node ./scripts/prebuild-isolated-vm-for-prod-builds.js",
"isolated-vm:bundle-libraries": "node ./src/sandbox/isolatedvm/utils/bundle-libraries.js"
"isolated-vm:prebuild:prod": "node ./scripts/prebuild-isolated-vm-for-prod-builds.js"
},
"dependencies": {
"@usebruno/common": "0.1.0",
@ -37,6 +35,7 @@
"nanoid": "3.3.4",
"node-fetch": "2.*",
"node-vault": "^0.10.2",
"quickjs-emscripten": "^0.29.2",
"uuid": "^9.0.0"
},
"devDependencies": {

View File

@ -31,6 +31,7 @@ const fetch = require('node-fetch');
const CryptoJS = require('crypto-js');
const NodeVault = require('node-vault');
const { executeInIsolatedVMAsync } = require('../sandbox/isolatedvm');
const { executeQuickJsVmAsync } = require('../sandbox/quickjs');
class TestRuntime {
constructor(props) {
@ -108,61 +109,58 @@ class TestRuntime {
};
}
if (this.mode == 'safe') {
if (this.runtime === 'isolated-vm') {
await executeInIsolatedVMAsync({
script: testsFile,
context: context,
modules: {},
scriptType: 'jsScript'
});
return {
request,
envVariables: cleanJson(envVariables),
runtimeVariables: cleanJson(runtimeVariables),
results: cleanJson(__brunoTestResults.getResults()),
nextRequestName: bru.nextRequest
};
}
// default runtime is vm2
const vm = new NodeVM({
sandbox: context,
require: {
context: 'sandbox',
external: true,
root: [collectionPath, ...additionalContextRootsAbsolute],
mock: {
// node libs
path,
stream,
util,
url,
http,
https,
punycode,
zlib,
// 3rd party libs
ajv,
'ajv-formats': addFormats,
btoa,
atob,
lodash,
moment,
uuid,
nanoid,
axios,
chai,
'node-fetch': fetch,
'crypto-js': CryptoJS,
...whitelistedModules,
fs: allowScriptFilesystemAccess ? fs : undefined,
'node-vault': NodeVault
} else if(this.runtime === 'quickjs') {
await executeQuickJsVmAsync({
script: testsFile,
context: context
});
} else {
// default runtime is vm2
const vm = new NodeVM({
sandbox: context,
require: {
context: 'sandbox',
external: true,
root: [collectionPath, ...additionalContextRootsAbsolute],
mock: {
// node libs
path,
stream,
util,
url,
http,
https,
punycode,
zlib,
// 3rd party libs
ajv,
'ajv-formats': addFormats,
btoa,
atob,
lodash,
moment,
uuid,
nanoid,
axios,
chai,
'node-fetch': fetch,
'crypto-js': CryptoJS,
...whitelistedModules,
fs: allowScriptFilesystemAccess ? fs : undefined,
'node-vault': NodeVault
}
}
}
});
const asyncVM = vm.run(`module.exports = async () => { ${testsFile}}`, path.join(collectionPath, 'vm.js'));
await asyncVM();
});
const asyncVM = vm.run(`module.exports = async () => { ${testsFile}}`, path.join(collectionPath, 'vm.js'));
await asyncVM();
}
return {
request,

View File

@ -11,13 +11,13 @@ const bundleLibraries = async () => {
import moment from "moment";
import btoa from "btoa";
import atob from "atob";
global.expect = expect;
global.assert = assert;
global.moment = moment;
global.btoa = btoa;
global.atob = atob;
global.Buffer = Buffer;
global.requireObject = {
globalThis.expect = expect;
globalThis.assert = assert;
globalThis.moment = moment;
globalThis.btoa = btoa;
globalThis.atob = atob;
globalThis.Buffer = Buffer;
globalThis.requireObject = {
'chai': { expect, assert },
'moment': moment,
'buffer': { Buffer },
@ -54,7 +54,7 @@ const bundleLibraries = async () => {
]
},
output: {
file: './src/bundle-browser-rollup.js',
file: './src/sandbox/bundle-browser-rollup.js',
format: 'iife',
name: 'MyBundle'
}
@ -64,7 +64,7 @@ const bundleLibraries = async () => {
const bundle = await rollup.rollup(config.input);
const { output } = await bundle.generate(config.output);
fs.writeFileSync(
'./src/bundle-browser-rollup.js',
'./src/sandbox/bundle-browser-rollup.js',
`
const getBundledCode = () => {
return function(){

View File

@ -7,7 +7,7 @@ const addTestShimToContext = require('./shims/test');
const addLibraryShimsToContext = require('./shims/lib');
// execute `npm run build:isolated-vm:inbuilt-modules` if the below file doesn't exist
const getBundledCode = require('../../bundle-browser-rollup');
const getBundledCode = require('../bundle-browser-rollup');
const addSleepShimToContext = require('./shims/sleep');
const toNumber = (value) => {

View File

@ -0,0 +1,203 @@
const ivm = require('isolated-vm');
const addBruShimToContext = require('./shims/bru');
const addBrunoRequestShimToContext = require('./shims/bruno-request');
const addBrunoResponseShimToContext = require('./shims/bruno-response');
const addTestShimToContext = require('./shims/test');
const { newQuickJSAsyncWASMModule } = require('quickjs-emscripten');
// execute `npm run build:isolated-vm:inbuilt-modules` if the below file doesn't exist
const getBundledCode = require('../bundle-browser-rollup');
const toNumber = (value) => {
const num = Number(value);
return Number.isInteger(num) ? parseInt(value, 10) : parseFloat(value);
};
const executeQuickJsVm = ({ script: externalScript, context: externalContext }) => {
if (!isNaN(Number(externalScript))) {
return Number(externalScript);
}
let result;
const isolate = new ivm.Isolate();
try {
const context = isolate.createContextSync();
context.global.setSync('global', context.global.derefInto());
const { bru, req, res } = externalContext;
context.evalSync(`
let bru = {};
let req = {};
let res = {};
`);
bru && addBruShimToContext(context, bru);
req && addBrunoRequestShimToContext(context, req);
res && addBrunoResponseShimToContext(context, res);
context.global.setSync('setResult', function (arg) {
result = arg;
});
const templateLiteralText = `
let value = \`${externalScript}\`;
setResult(value);
`;
const jsExpressionText = `
let value = ${externalScript};
setResult(value);
`;
let scriptText = scriptType === 'template-literal' ? templateLiteralText : jsExpressionText;
const script = isolate.compileScriptSync(scriptText);
script.runSync(context);
return result;
} catch (error) {
console.error('Error executing the script!', error);
}
isolate.dispose();
};
const executeQuickJsVmAsync = async ({
script: externalScript,
context: externalContext
}) => {
if (!isNaN(Number(externalScript))) {
return toNumber(externalScript);
}
try {
const module = await newQuickJSAsyncWASMModule()
const runtime = module.newRuntime()
const vm = runtime.newContext()
const bundledCode = getBundledCode?.toString() || '';
let bundledScript = `(${bundledCode})()`;
bundledScript += `
globalThis.require = (module) => {
return globalThis.requireObject[module];
}
`;
bundledScript += `
let bru = {
cwd: __bruno__cwd,
getEnvName: __bruno__getEnvName,
getProcessEnv: __bruno__getProcessEnv,
getEnvVar: __bruno__getEnvVar,
setEnvVar: __bruno__setEnvVar,
getVar: __bruno__getVar,
setVar: __bruno__setVar,
setNextRequest: __bruno__setNextRequest,
visualize: __bruno__visualize,
getSecretVar: __bruno__getSecretVar
};
let req = {
url: __bruno__req__url,
method: __bruno__req__method,
headers: __bruno__req__headers,
body: __bruno__req__body,
timeout: __bruno__req__timeout,
getUrl: __bruno__req__getUrl,
setUrl: __bruno__req__setUrl,
getMethod: __bruno__req__getMethod,
setMethod: __bruno__req__setMethod,
getAuthMode: __bruno__req__getAuthMode,
getHeaders: __bruno__req__getHeaders,
setHeaders: __bruno__req__setHeaders,
getHeader: __bruno__req__getHeader,
setHeader: __bruno__req__setHeader,
getBody: __bruno__req__getBody,
setBody: __bruno__req__setBody,
setMaxRedirects: __bruno__req__setMaxRedirects,
getTimeout: __bruno__req__getTimeout,
setTimeout: __bruno__req__setTimeout
};
let res = {
status: globalThis.__bruno__res__status,
headers: globalThis.__bruno__res__headers,
body: globalThis.__bruno__res__body,
responseTime: globalThis.__bruno__res__responseTime,
getStatus: globalThis.__bruno__res__getStatus,
getHeader: globalThis.__bruno__res__getHeader,
getHeaders: globalThis.__bruno__res__getHeaders,
getBody: globalThis.__bruno__res__getBody,
getResponseTime: globalThis.__bruno__res__getResponseTime
};
`;
const { bru, req, res, test, __brunoTestResults, console: consoleFn } = externalContext;
bru && addBruShimToContext(vm, bru);
req && addBrunoRequestShimToContext(vm, req);
res && addBrunoResponseShimToContext(vm, res);
test && __brunoTestResults && addTestShimToContext(vm, __brunoTestResults);
bundledScript += `
globalThis.expect = require('chai').expect;
globalThis.assert = require('chai').assert;
globalThis.__brunoTestResults = {
addResult: globalThis.__bruno__addResult,
getResults: globalThis.__bruno__getResults,
}
globalThis.DummyChaiAssertionError = class DummyChaiAssertionError extends Error {
constructor(message, props, ssf) {
super(message);
this.name = "AssertionError";
Object.assign(this, props);
}
}
globalThis.Test = (__brunoTestResults) => (description, callback) => {
try {
callback();
__brunoTestResults.addResult({ description, status: "pass" });
} catch (error) {
if (error instanceof DummyChaiAssertionError) {
const { message, actual, expected } = error;
__brunoTestResults.addResult({
description,
status: "fail",
error: message,
actual,
expected,
});
} else {
__brunoTestResults.addResult({
description,
status: "fail",
error: error.message || "An unexpected error occurred.",
});
}
// console.log(error);
}
};
globalThis.test = Test(__brunoTestResults);
`;
bundledScript += externalScript;
const result = await vm.evalCodeAsync(bundledScript);
if (result.error) {
console.log("Execution failed:", vm.dump(result.error))
result.error.dispose()
} else {
result.value.dispose();
}
vm.dispose();
return result;
} catch (error) {
console.error('Error executing the script!', error);
}
};
module.exports = {
executeQuickJsVm,
executeQuickJsVmAsync
};

View File

@ -0,0 +1,65 @@
const { marshallToVm } = require('../utils');
const addBruShimToContext = (vm, bru) => {
let cwd = vm.newFunction('cwd', function () {
return marshallToVm(bru.cwd(), vm);
});
vm.setProp(vm.global, "__bruno__cwd", cwd)
cwd.dispose();
let getEnvName = vm.newFunction('getEnvName', function () {
return marshallToVm(bru.getEnvName(), vm);
});
vm.setProp(vm.global, "__bruno__getEnvName", getEnvName);
getEnvName.dispose();
let getProcessEnv = vm.newFunction('getProcessEnv', function (key) {
return marshallToVm(bru.getProcessEnv(vm.dump(key)), vm);
});
vm.setProp(vm.global, "__bruno__getProcessEnv", getProcessEnv);
getProcessEnv.dispose();
let getEnvVar = vm.newFunction('getEnvVar', function (key) {
return marshallToVm(bru.getEnvVar(vm.dump(key)), vm);
});
vm.setProp(vm.global, "__bruno__getEnvVar", getEnvVar);
getEnvVar.dispose();
let setEnvVar = vm.newFunction('setEnvVar', function (key, value) {
bru.setEnvVar(vm.dump(key), vm.dump(value));
});
vm.setProp(vm.global, "__bruno__setEnvVar", setEnvVar);
setEnvVar.dispose();
let getVar = vm.newFunction('getVar', function (key) {
return marshallToVm(bru.getVar(vm.dump(key)), vm);
});
vm.setProp(vm.global, "__bruno__getVar", getVar);
getVar.dispose();
let setVar = vm.newFunction('setVar', function (key, value) {
bru.setVar(vm.dump(key), vm.dump(value));
});
vm.setProp(vm.global, "__bruno__setVar", setVar);
setVar.dispose();
let setNextRequest = vm.newFunction('setNextRequest', function (nextRequest) {
bru.setNextRequest(vm.dump(nextRequest));
});
vm.setProp(vm.global, "__bruno__setNextRequest", setNextRequest);
setNextRequest.dispose();
let visualize = vm.newFunction('visualize', function (htmlString) {
bru.visualize(vm.dump(htmlString));
});
vm.setProp(vm.global, "__bruno__visualize", visualize);
visualize.dispose();
let getSecretVar = vm.newFunction('getSecretVar', function (key) {
return marshallToVm(bru.getSecretVar(vm.dump(key)), vm);
});
vm.setProp(vm.global, "__bruno__getSecretVar", getSecretVar);
getSecretVar.dispose();
};
module.exports = addBruShimToContext;

View File

@ -0,0 +1,107 @@
const { marshallToVm } = require('../utils');
const addBrunoRequestShimToContext = (vm, req) => {
const url = marshallToVm(req.getUrl(), vm);
const method = marshallToVm(req.getMethod(), vm);
const headers = marshallToVm(req.getHeaders(), vm);
const body = marshallToVm(req.getBody(), vm);
const timeout = marshallToVm(req.getTimeout(), vm);
vm.setProp(vm.global, '__bruno__req__url', url);
vm.setProp(vm.global, '__bruno__req__method', method);
vm.setProp(vm.global, '__bruno__req__headers', headers);
vm.setProp(vm.global, '__bruno__req__body', body);
vm.setProp(vm.global, '__bruno__req__timeout', timeout);
url.dispose();
method.dispose();
headers.dispose();
body.dispose();
timeout.dispose();
let getUrl = vm.newFunction('getUrl', function () {
return marshallToVm(req.getUrl(), vm);
});
vm.setProp(vm.global, '__bruno__req__getUrl', getUrl);
getUrl.dispose();
let setUrl = vm.newFunction('setUrl', function (url) {
req.setUrl(vm.dump(url));
});
vm.setProp(vm.global, '__bruno__req__setUrl', setUrl);
setUrl.dispose();
let getMethod = vm.newFunction('getMethod', function () {
return marshallToVm(req.getMethod(), vm);
});
vm.setProp(vm.global, '__bruno__req__getMethod', getMethod);
getMethod.dispose();
let getAuthMode = vm.newFunction('getAuthMode', function () {
return marshallToVm(req.getAuthMode(), vm);
});
vm.setProp(vm.global, '__bruno__req__getAuthMode', getAuthMode);
getAuthMode.dispose();
let setMethod = vm.newFunction('setMethod', function (method) {
req.setMethod(vm.dump(method));
});
vm.setProp(vm.global, '__bruno__req__setMethod', setMethod);
setMethod.dispose();
let getHeaders = vm.newFunction('getHeaders', function () {
return marshallToVm(req.getHeaders(), vm);
});
vm.setProp(vm.global, '__bruno__req__getHeaders', getHeaders);
getHeaders.dispose();
let setHeaders = vm.newFunction('setHeaders', function (headers) {
req.setHeaders(vm.dump(headers));
});
vm.setProp(vm.global, '__bruno__req__setHeaders', setHeaders);
setHeaders.dispose();
let getHeader = vm.newFunction('getHeader', function (name) {
return marshallToVm(req.getHeader(vm.dump(name)), vm);
});
vm.setProp(vm.global, '__bruno__req__getHeader', getHeader);
getHeader.dispose();
let setHeader = vm.newFunction('setHeader', function (name, value) {
req.setHeader(vm.dump(name), vm.dump(value));
});
vm.setProp(vm.global, '__bruno__req__setHeader', setHeader);
setHeader.dispose();
let getBody = vm.newFunction('getBody', function () {
return marshallToVm(req.getBody(), vm);
});
vm.setProp(vm.global, '__bruno__req__getBody', getBody);
getBody.dispose();
let setBody = vm.newFunction('setBody', function (data) {
req.setBody(vm.dump(data));
});
vm.setProp(vm.global, '__bruno__req__setBody', setBody);
setBody.dispose();
let setMaxRedirects = vm.newFunction('setMaxRedirects', function (maxRedirects) {
req.setMaxRedirects(vm.dump(maxRedirects));
});
vm.setProp(vm.global, '__bruno__req__setMaxRedirects', setMaxRedirects);
setMaxRedirects.dispose();
let getTimeout = vm.newFunction('getTimeout', function () {
return marshallToVm(req.getTimeout(), vm);
});
vm.setProp(vm.global, '__bruno__req__getTimeout', getTimeout);
getTimeout.dispose();
let setTimeout = vm.newFunction('setTimeout', function (timeout) {
req.setTimeout(vm.dump(timeout));
});
vm.setProp(vm.global, '__bruno__req__setTimeout', setTimeout);
setTimeout.dispose();
};
module.exports = addBrunoRequestShimToContext;

View File

@ -0,0 +1,51 @@
const { marshallToVm } = require('../utils');
const addBrunoResponseShimToContext = (vm, res) => {
const status = marshallToVm(res?.status, vm);
const headers = marshallToVm(res?.headers, vm);
const body = marshallToVm(res?.body, vm);
const responseTime = marshallToVm(res?.responseTime, vm);
vm.setProp(vm.global, '__bruno__res__status', status);
vm.setProp(vm.global, '__bruno__res__headers', headers);
vm.setProp(vm.global, '__bruno__res__body', body);
vm.setProp(vm.global, '__bruno__res__responseTime', responseTime);
status.dispose();
headers.dispose();
body.dispose();
responseTime.dispose();
let getStatus = vm.newFunction('getStatus', function () {
return marshallToVm(res.getStatus(), vm);
});
vm.setProp(vm.global, '__bruno__res__getStatus', getStatus);
getStatus.dispose();
let getHeader = vm.newFunction('getHeader', function (name) {
return marshallToVm(res.getHeader(vm.dump(name)), vm);
});
vm.setProp(vm.global, '__bruno__res__getHeader', getHeader);
getHeader.dispose();
let getHeaders = vm.newFunction('getHeaders', function () {
return marshallToVm(res.getHeaders(), vm);
});
vm.setProp(vm.global, '__bruno__res__getHeaders', getHeaders);
getHeaders.dispose();
let getBody = vm.newFunction('getBody', function () {
return marshallToVm(res.getBody(), vm);
});
vm.setProp(vm.global, '__bruno__res__getBody', getBody);
getBody.dispose();
let getResponseTime = vm.newFunction('getResponseTime', function () {
return marshallToVm(res.getResponseTime(), vm);
});
vm.setProp(vm.global, '__bruno__res__getResponseTime', getResponseTime);
getResponseTime.dispose();
};
module.exports = addBrunoResponseShimToContext;

View File

@ -0,0 +1,17 @@
const { marshallToVm } = require('../utils');
const addBruShimToContext = (vm, __brunoTestResults) => {
let addResult = vm.newFunction('addResult', function (v) {
__brunoTestResults.addResult(vm.dump(v));
});
vm.setProp(vm.global, "__bruno__addResult", addResult);
addResult.dispose();
let getResults = vm.newFunction('getResults', function () {
return marshallToVm(__brunoTestResults.getResults(), vm);
});
vm.setProp(vm.global, "__bruno__getResults", getResults);
getResults.dispose();
};
module.exports = addBruShimToContext;

View File

@ -0,0 +1,35 @@
const marshallToVm = (value, vm) => {
if (value === undefined) {
return vm.undefined;
}
if (value === null) {
return vm.null;
}
if (typeof value === "string") {
return vm.newString(value);
} else if (typeof value === "number") {
return vm.newNumber(value);
} else if (typeof value === "boolean") {
return vm.newBoolean(value);
} else if (typeof value === "object") {
if (Array.isArray(value)) {
const arr = vm.newArray();
for (let i = 0; i < value.length; i++) {
vm.setProp(arr, i, marshallToVm(value[i], vm));
}
return arr;
} else {
const obj = vm.newObject();
for (const key in value) {
vm.setProp(obj, key, marshallToVm(value[key], vm));
}
return obj;
}
}
};
module.exports = {
marshallToVm
};

View File

@ -8,6 +8,3 @@ vars {
foo: bar
testSetEnvVar: bruno-29653
}
vars:secret [
bruno
]

View File

@ -9,52 +9,3 @@ get {
body: none
auth: none
}
auth:awsv4 {
accessKeyId: a
secretAccessKey: b
sessionToken: c
service: d
region: e
profileName: f
}
vars:pre-request {
m4: true
pong: pong
}
assert {
res.status: eq 200
res.responseTime: lte 2000
res.body: eq {{pong}}
}
tests {
test("should ping pong", function() {
const data = res.getBody();
expect(data).to.equal(bru.getRequestVar("pong"));
});
}
docs {
# API Documentation
## Introduction
Welcome to the API documentation for [Your API Name]. This document provides instructions on how to make requests to the API and covers available authentication methods.
## Authentication
Before making requests to the API, you need to authenticate your application. [Your API Name] supports the following authentication methods:
### API Key
To use API key authentication, include your API key in the request headers as follows:
```http
GET /api/endpoint
Host: api.example.com
Authorization: Bearer YOUR_API_KEY
}

View File

@ -10,7 +10,6 @@ get {
auth: none
}
script:pre-request {
const envName = bru.getEnvName();
bru.setVar("testEnvName", envName);
@ -21,4 +20,4 @@ tests {
const testEnvName = bru.getVar("testEnvName");
expect(testEnvName).to.equal("Prod");
});
}
}

View File

@ -10,7 +10,6 @@ get {
auth: none
}
script:post-response {
bru.setVar("testSetVar", "bruno-test-87267")
}
@ -20,4 +19,4 @@ tests {
const testSetVar = bru.getVar("testSetVar");
expect(testSetVar).to.equal("bruno-test-87267");
});
}
}

View File

@ -10,7 +10,6 @@ get {
auth: none
}
assert {
res.status: eq 200
res.body: eq pong
@ -21,4 +20,4 @@ tests {
const url = req.getUrl();
expect(url).to.equal("https://testbench-sanity.usebruno.com/ping");
});
}
}