vm2 - npm Package Compare versions

Comparing version 3.9.7 to 3.9.8

.eslintrc.js

 module.exports = {
-    env: {
-        es6: true,
-        node: true
-    },
-    extends: [
-        'integromat'
-    ],
-    parserOptions: {
-        "ecmaVersion": 2017,
-        "ecmaFeatures": {
-            "globalReturn": true
-        }
-    },
-    globals: {
-    },
-    rules: {
-    }
-};
+	env: {
+		es6: true,
+		node: true
+	},
+	extends: [
+		'integromat'
+	],
+	parserOptions: {
+		'ecmaVersion': 2017,
+		'ecmaFeatures': {
+			'globalReturn': true
+		}
+	},
+	globals: {
+	},
+	rules: {
+	}
+};

CHANGELOG.md

@@ -0,5 +1,10 @@
+v3.9.8 (2022-92-16)
+-------------------
+[fix] Add function type check for arguments, caller, and callee property check (GeoffRen)  
+[fix] Fix find best extension handler  
+
 v3.9.7 (2022-02-10)
 -------------------
 [fix] Allow relative require from base script  
-[fix] Fix issue with modules with exports clause in package json  
+[fix] Fix issue with modules with exports clause in package JSON  
 [fix] Added missing whitelist check before custom require  
@@ -6,0 +11,0 @@ [fix] Revert plain object toString behavior

index.d.ts

@@ -7,7 +7,8 @@ import {EventEmitter} from 'events';
 export interface VMRequire {
-  /** Array of allowed builtin modules, accepts ["*"] for all (default: none) */
+  /** Array of allowed built-in modules, accepts ["*"] for all. Using "*" increases the attack surface and potential
+   * new modules allow to escape the sandbox. (default: none) */
   builtin?: string[];
   /*
    * `host` (default) to require modules in host and proxy them to sandbox. `sandbox` to load, compile and
-   * require modules in sandbox. Builtin modules except `events` always required in host and proxied to sandbox
+   * require modules in sandbox. Built-in modules except `events` always required in host and proxied to sandbox
    */
@@ -21,6 +22,6 @@ context?: "host" | "sandbox";
   root?: string | string[];
-  /** Collection of mock modules (both external or builtin). */
+  /** Collection of mock modules (both external or built-in). */
   mock?: any;
   /* An additional lookup function in case a module wasn't found in one of the traditional node lookup paths. */
-  resolve?: (moduleName: string, parentDirname: string) => string;
+  resolve?: (moduleName: string, parentDirname: string) => string | undefined;
   /** Custom require to require host and built-in modules. */
@@ -41,3 +42,3 @@ customRequire?: (id: string) => any;
   /**
-   * `javascript` (default) or `coffeescript` or custom compiler function (which receives the code, and it's filepath).
+   * `javascript` (default) or `coffeescript` or custom compiler function (which receives the code, and it's file path).
    *  The library expects you to have coffee-script pre-installed if the compiler is set to `coffeescript`.
@@ -54,3 +55,3 @@ */
   /**
-   * If set to `false` any calls to eval or function constructors (`Function`, `GeneratorFunction`, etc) will throw an
+   * If set to `false` any calls to eval or function constructors (`Function`, `GeneratorFunction`, etc.) will throw an
    * `EvalError` (default: `true`).
@@ -65,3 +66,3 @@ */
    * If set to `true` any attempt to run code using async will throw a `VMError` (default: `false`).
-   * @deprecated Use ``allowAsync` instead
+   * @deprecated Use `allowAsync` instead.
    */
@@ -84,3 +85,4 @@ fixAsync?: boolean;
   require?: true | VMRequire;
-  /** `true` to enable VMs nesting (default: `false`). */
+  /** **WARNING**: This should be disabled. It allows to create a NodeVM form within the sandbox which could return any host module.
+   * `true` to enable VMs nesting (default: `false`). */
   nesting?: boolean;
@@ -128,2 +130,4 @@ /** `commonjs` (default) to wrap script into CommonJS wrapper, `none` to retrieve value returned by the script. */
   freeze(object: any, name?: string): any;
+  /** Freezes the object inside VM making it read-only. Not available for primitive values. */
+  readonly(object: any): any;
   /** Protects the object inside VM making impossible to set functions as it's properties. Not available for primitive values */
@@ -145,3 +149,3 @@ protect(object: any, name?: string): any;
    *
-   * @param {string} script Javascript code.
+   * @param {string} script JavaScript code.
    * @param {string} [filename] File name (used in stack traces only).
@@ -148,0 +152,0 @@ * @param {Object} [options] VM options.

lib/bridge.js

@@ -434,3 +434,5 @@ 'use strict';
 				case 'callee':
-					if (thisOtherHasOwnProperty(object, key)) throw thisThrowCallerCalleeArgumentsAccess(key);
+					if (typeof object === 'function' && thisOtherHasOwnProperty(object, key)) {
+						throw thisThrowCallerCalleeArgumentsAccess(key);
+					}
 					break;
@@ -437,0 +439,0 @@ }

lib/nodevm.js

@@ -265,3 +265,4 @@ 'use strict';
 			jsonParse,
-			createRequireForModule
+			createRequireForModule,
+			requireImpl
 		} = closure(HOST, {
@@ -282,2 +283,3 @@ __proto__: null,
 			_createRequireForModule: {__proto__: null, value: createRequireForModule},
+			_requireImpl: {__proto__: null, value: requireImpl},
 			_cacheRequireModule: {__proto__: null, value: null, writable: true}
@@ -287,3 +289,3 @@ });
 
-		resolver.init(this, ()=>true);
+		resolver.init(this);
 
@@ -337,6 +339,8 @@ // prepare global sandbox
 		if (!mod || mod.path !== path) {
-			mod = new (this._Module)(this._resolver.pathConcat(path, '/vm.js'), path);
+			const filename = this._resolver.pathConcat(path, '/vm.js');
+			mod = new (this._Module)(filename, path);
+			this._resolver.registerModule(mod, filename, path, null, false);
 			this._cacheRequireModule = mod;
 		}
-		return mod.require(module);
+		return this._requireImpl(mod, module, true);
 	}
@@ -412,5 +416,5 @@
 			const prefix = strict ? STRICT_MODULE_PREFIX : MODULE_PREFIX;
-			let scriptCode = prefix + this._compiler(code, unresolvedFilename) + MODULE_SUFFIX;
+			let scriptCode = this._compiler(code, unresolvedFilename);
 			scriptCode = transformer(null, scriptCode, false, false).code;
-			script = new Script(scriptCode, {
+			script = new Script(prefix + scriptCode + MODULE_SUFFIX, {
 				__proto__: null,
@@ -417,0 +421,0 @@ filename: unresolvedFilename,

lib/setup-node-sandbox.js

@@ -151,3 +151,3 @@ /* global host, data, VMError */
 	for (let i = 0; (i = localStringPrototypeIndexOf(name, '.', i + 1)) !== -1;) {
-		const ext = localStringPrototypeSlice(name, i + 1);
+		const ext = localStringPrototypeSlice(name, i);
 		const handler = Module._extensions[ext];
@@ -463,3 +463,4 @@ if (handler) return handler;
 	jsonParse: JSON.parse,
-	createRequireForModule
+	createRequireForModule,
+	requireImpl
 };

lib/transformer.js

 
 const {parse: acornParse} = require('acorn');
 const {full: acornWalkFull} = require('acorn-walk');
+const {compileFunction} = require('vm');
 
@@ -29,17 +30,24 @@ const INTERNAL_STATE_NAME = 'VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL';
 
-	const ast = acornParse(code, {
-		__proto__: null,
-		ecmaVersion: 2020,
-		allowAwaitOutsideFunction: args === null && isAsync,
-		allowReturnOutsideFunction: args === null
-	});
+	let ast;
+	try {
+		ast = acornParse(code, {
+			__proto__: null,
+			ecmaVersion: 2020,
+			allowAwaitOutsideFunction: args === null && isAsync,
+			allowReturnOutsideFunction: args === null
+		});
+	} catch (e) {
+		// Try to generate a nicer error message.
+		compileFunction(code);
+		throw e;
+	}
 
 	if (args !== null) {
 		const pBody = assertType(ast, 'Program').body;
-		if (pBody.length !== 1) throw new Error('Invalid arguments');
+		if (pBody.length !== 1) throw new SyntaxError('Single function literal required');
 		const expr = pBody[0];
-		if (expr.type !== 'ExpressionStatement') throw new Error('Invalid arguments');
+		if (expr.type !== 'ExpressionStatement') throw new SyntaxError('Single function literal required');
 		const func = expr.expression;
-		if (func.type !== 'FunctionExpression') throw new Error('Invalid arguments');
-		if (func.body.start !== argsOffset + 3) throw new Error('Invalid arguments');
+		if (func.type !== 'FunctionExpression') throw new SyntaxError('Single function literal required');
+		if (func.body.start !== argsOffset + 3) throw new SyntaxError('Unexpected end of arg string');
 	}
@@ -83,3 +91,3 @@
 			if (node.name === INTERNAL_STATE_NAME) {
-				throw new Error('Use of internal vm2 state variable');
+				throw new SyntaxError('Use of internal vm2 state variable');
 			}
@@ -86,0 +94,0 @@ } else if (type === 'ImportExpression') {

package.json

@@ -16,3 +16,3 @@ {
   ],
-  "version": "3.9.7",
+  "version": "3.9.8",
   "main": "index.js",
@@ -19,0 +19,0 @@ "sideEffects": false,

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

202528

increased by0.47%

Lines of code

5319

increased by0.38%

Worsened metrics

Number of low supply chain risk alerts

13

increased by8.33%

No dependency changes