Merge pull request #96 from VectorlyApp/js-looser-blocker

Js looser blocker

Author: dimavrem22

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "web-hacker"
-version = "1.2.3"
+version = "1.3"
 description = "SDK for reverse engineering web apps"
 readme = "README.md"
 requires-python = ">=3.12.3,<3.13"

tests/unit/test_operations.py

@@ -237,6 +237,20 @@ def test_blocked_fetch_in_async_iife(self) -> None:
         errors = exc_info.value.errors()
         assert any("fetch" in str(e.get("msg", "")) for e in errors)
 
+    def test_allowed_prefetch(self) -> None:
+        """Test that prefetch() is not blocked by the fetch pattern."""
+        operation = RoutineJsEvaluateOperation(
+            js="(function() { var link = document.createElement('link'); link.rel = 'prefetch'; return prefetch('/next-page'); })()"
+        )
+        assert operation.js is not None
+
+    def test_allowed_refetch(self) -> None:
+        """Test that refetch() is not blocked by the fetch pattern."""
+        operation = RoutineJsEvaluateOperation(
+            js="(function() { return refetch(); })()"
+        )
+        assert operation.js is not None
+
     def test_blocked_eval_in_async_iife(self) -> None:
         """Test that eval() is blocked even in async IIFE."""
         with pytest.raises(ValidationError) as exc_info:
@@ -287,16 +301,6 @@ def test_blocked_addeventlistener(self) -> None:
         errors = exc_info.value.errors()
         assert any("addEventListener" in str(e.get("msg", "")) for e in errors)
 
-    def test_blocked_onevent_handler(self) -> None:
-        """Test that onclick= style handlers are blocked."""
-        with pytest.raises(ValidationError) as exc_info:
-            RoutineJsEvaluateOperation(
-                js="(function() { document.onclick = () => {}; })()"
-            )
-        
-        errors = exc_info.value.errors()
-        assert any("on" in str(e.get("msg", "")) for e in errors)
-
     def test_blocked_mutation_observer(self) -> None:
         """Test that MutationObserver is blocked."""
         with pytest.raises(ValidationError) as exc_info:
@@ -327,26 +331,6 @@ def test_blocked_window_close(self) -> None:
         errors = exc_info.value.errors()
         assert any("window\\.close" in str(e.get("msg", "")) or "window.close" in str(e.get("msg", "")) for e in errors)
 
-    def test_blocked_location(self) -> None:
-        """Test that location.* is blocked."""
-        with pytest.raises(ValidationError) as exc_info:
-            RoutineJsEvaluateOperation(
-                js="(function() { location.href = 'http://example.com'; })()"
-            )
-        
-        errors = exc_info.value.errors()
-        assert any("location" in str(e.get("msg", "")) for e in errors)
-
-    def test_blocked_history(self) -> None:
-        """Test that history.* is blocked."""
-        with pytest.raises(ValidationError) as exc_info:
-            RoutineJsEvaluateOperation(
-                js="(function() { history.pushState({}, '', '/new'); })()"
-            )
-        
-        errors = exc_info.value.errors()
-        assert any("history" in str(e.get("msg", "")) for e in errors)
-
     def test_allowed_promise(self) -> None:
         """Test that Promise is allowed."""
         operation = RoutineJsEvaluateOperation(
@@ -660,6 +644,28 @@ def test_post_interpolation_validation_allows_safe_interpolation(self) -> None:
     # Complex Real-World Examples
     # ============================================================================
 
+    def test_allowed_string_containing_on_prefix(self) -> None:
+        """Test that string literals containing 'on' followed by word chars and '=' are not blocked.
+
+        The pattern r'on\\w+\\s*=' is meant to block event handlers like onclick=, onload=, etc.
+        But it should NOT block occurrences inside string literals (e.g., 'lots_json_length=').
+        """
+        js_code = (
+            "(function () { var r = window.chrComponents && window.chrComponents.lots; "
+            "if (!(r && r.data && Array.isArray(r.data.lots) && r.data.lots.length)) { "
+            "console.log('no_lots'); return null; } var a = r.data.lots; var o = []; "
+            "for (var i = 0; i < a.length; i++) { var l = a[i]; o.push({ "
+            "lot_number: l.lot_id_txt || null, artist: l.title_primary_txt || null, "
+            "title: l.title_secondary_txt || null, estimate_text: l.estimate_txt || null, "
+            "estimate_low: l.estimate_low || null, estimate_high: l.estimate_high || null, "
+            "price_realised_text: l.price_realised_txt || null, price_realised: l.price_realised || null, "
+            "url: l.url || null }); } var s = JSON.stringify(o); "
+            "console.log('lots_json_length=' + s.length); "
+            "sessionStorage.setItem('lots_json', s); return null; })()"
+        )
+        operation = RoutineJsEvaluateOperation(js=js_code)
+        assert operation.js == js_code
+
     def test_complex_valid_code(self) -> None:
         """Test complex but valid JS code."""
         js_code = """(function() {

web_hacker/agent_docs/common-issues/js-evaluate-issues.md

@@ -86,7 +86,7 @@ Check `console_logs` in operation metadata.
 **Cause:** Security restrictions block certain APIs.
 
 **Blocked patterns:**
-- `fetch()` → Use `fetch` operation instead
+- `fetch()` → Use `fetch` operation instead (note: `prefetch()`, `refetch()` etc. are allowed)
 - `eval()`, `Function()` → Rewrite without dynamic code
-- `addEventListener()` → Not supported
-- `location`, `history` → Use `navigate` operation
+- `addEventListener()`, `MutationObserver`, `IntersectionObserver` → Not supported
+- `window.close()` → Not supported

web_hacker/agent_docs/operations/js-evaluate.md

@@ -212,17 +212,14 @@ These patterns are detected and rejected:
 |---------|--------|
 | `eval()` | Dynamic code generation |
 | `Function()` constructor | Dynamic code generation |
-| `fetch()` | Use `fetch` operation instead |
+| `fetch()` | Use `fetch` operation instead (note: `prefetch()`, `refetch()` etc. are allowed) |
 | `XMLHttpRequest` | Network requests |
 | `WebSocket` | Network requests |
 | `sendBeacon` | Exfiltration |
 | `addEventListener()` | Persistent event hooks |
-| `on*=` handlers | Persistent event hooks |
 | `MutationObserver` | Persistent observers |
 | `IntersectionObserver` | Persistent observers |
 | `window.close()` | Lifecycle control |
-| `location.*` | Navigation |
-| `history.*` | Navigation |
 
 ---
 

web_hacker/data_models/routine/operation.py

@@ -1004,8 +1004,8 @@ class RoutineJsEvaluateOperation(RoutineOperation):
     BLOCKED:
     - Dynamic code generation: eval(), Function constructor
     - Network requests: fetch(), XMLHttpRequest, WebSocket, sendBeacon (use RoutineFetchOperation instead)
-    - Persistent event hooks: addEventListener(), on*=, MutationObserver, IntersectionObserver
-    - Navigation/lifecycle: window.close(), location.*, history.*
+    - Persistent event hooks: addEventListener(), MutationObserver, IntersectionObserver
+    - Navigation/lifecycle: window.close()
 
     FORMAT REQUIREMENT:
     The JavaScript code MUST be wrapped in an IIFE (Immediately Invoked Function Expression):
@@ -1043,21 +1043,18 @@ class RoutineJsEvaluateOperation(RoutineOperation):
         r'(?:^|[^a-zA-Z0-9_])Function\s*\(', 
 
         # Network / exfiltration
-        r'fetch\s*\(',
+        r'(?<![a-zA-Z0-9_])fetch\s*\(',
         r'XMLHttpRequest',
         r'WebSocket',
         r'sendBeacon',
 
         # Persistent event hooks
         r'addEventListener\s*\(',
-        r'on\w+\s*=',
         r'MutationObserver',
         r'IntersectionObserver',
 
         # Navigation / lifecycle control
         r'window\.close\s*\(',
-        r'location\.',
-        r'history\.',
     ]
 
     @field_validator("js")