feat(version 4): remove security for more performance

Author: solkimicreb

README.md

@@ -1,8 +1,9 @@
 # nx-compile
 
-This library is part of the [NX framework](http://nx-framework.com/).
+This library is part of the [NX framework](http://nx-framework.com).
+
 The purpose of this library is to allow the execution of strings as code in the
-context of a sandbox object.
+context of an object. It combines ES6 Proxies with the JavaScript `with` keyword to achieve this.
 
 ## Installation
 
@@ -15,7 +16,7 @@ $ npm install @risingstack/nx-compile
 - Node: 6 and above
 - Chrome: 49 and above (after browserified)
 - Firefox: 38 and above (after browserified)
-- Safari: Technical Preview, 10 and above (after browserified)
+- Safari: 10 and above (after browserified)
 - Edge: 12 and above (after browserified)
 - Opera: 36 and above (after browserified)
 - IE is not supported
@@ -28,39 +29,59 @@ const compiler = require('@risingstack/nx-compile')
 
 ## API
 
-### compiler.compileCode(String, Object)
+### compiler.compileCode(String)
 
-This method creates a function out of a string and returns it. The returned function executes the string as code in the passed sandbox object. The string can be any valid javascript code and it is
-always executed in strict mode.
+This method creates a function out of a string and returns it. The returned function takes
+an object as argument and executes the string as code in the context of the passed object.
+The string can be any valid javascript code.
 
 ```js
-const code = compiler.compileCode('const sum = prop1 + prop2')
+const code = compiler.compileCode('return prop1 + prop2')
+const sum = code({prop1: 1, prop2: 2}) // sum is 3
 ```
 
-### compiler.compileExpression(String, Object)
+### compiler.compileExpression(String)
 
-This method creates a function out of a string and returns it. The returned function executes the string as an expression in the passed sandbox object and returns the result of this execution. The string can be any javascript code that may follow a return statement and it is always executed in
-strict mode.
+This method creates a function out of a string and returns it. The returned function takes
+an object as argument and executes the string as an expression in the context of the passed object.
+It returns the result of the evaluated expression. The string can be any javascript expression
+that may come after a return statement.
 
 ```js
 const expression = compiler.compileExpression('prop1 || prop2')
+const result = expression({prop2: 'Hello'}) // result is 'Hello'
+```
+
+Expressions return undefined instead of throwing a TypeError on invalid property access.
+This allows lazy initialization of your data.
+
+```js
+const expression = compiler.compileExpression('item.name')
+const context = {}
+
+let result = expression(context) // result is undefined, no error is thrown
+
+context.item = {name: 'item name'}
+result = expression(context) // result is 'item name'
 ```
 
 ## Example
 
 ```js
 const compiler = require('@risingstack/nx-compile')
 
-const sandbox = {name: 'nx-compile', version: '3.0.0'}
-const expression = compiler.compileExpression('name + version', sandbox)
+const context = {name: 'nx-compile', version: '4.0.0'}
+const expression = compiler.compileExpression('name + version)', sandbox)
 
-// outputs 'nx-compile3.0.0' to console
-console.log(expression())
+// outputs 'nx-compile4.0.0' to console
+console.log(expression(context))
 ```
 
 ## Contributions
 
-This library has the very specific purpose of supporting the [NX framework](https://github.com/RisingStack/nx-framework). Features should only be added, if they are used by the framework. Otherwise please fork.
+This library has the very specific purpose of supporting the
+[NX framework](https://github.com/RisingStack/nx-framework).
+Features should only be added, if they are used by the framework. Otherwise please fork.
 
 Bug fixes, tests and doc updates are always welcome.
 Tests and linter (standardJS) must pass.

compiler.js

@@ -2,26 +2,34 @@
 
 module.exports = {
   compileCode,
-  compileExpression,
-  sandbox
+  compileExpression
 }
 
+let globalObj
+if (typeof window !== 'undefined') globalObj = window // eslint-disable-line
+else if (typeof global !== 'undefined') globalObj = global // eslint-disable-line
+else if (typeof self !== 'undefined') globalObj = self // eslint-disable-line
+globalObj.$nxCompileToSandbox = toSandbox
+
+const proxies = new WeakMap()
 const expressionCache = new Map()
 const codeCache = new Map()
+const handlers = {has}
 
 function compileExpression (src) {
   if (typeof src !== 'string') {
     throw new TypeError('first argument must be a string')
   }
   let expression = expressionCache.get(src)
   if (!expression) {
-    expression = new Function('sandbox',
-      `try { with (sandbox) { return ${src} } } catch (err) {
+    expression = new Function('sandbox', // eslint-disable-line
+      `sandbox = $nxCompileToSandbox(sandbox)
+      try { with (sandbox) { return ${src} } } catch (err) {
         if (!(err instanceof ReferenceError || err instanceof TypeError)) throw err
       }`)
     expressionCache.set(src, expression)
   }
-  return expression // eslint-disable-line
+  return expression
 }
 
 function compileCode (src) {
@@ -30,17 +38,24 @@ function compileCode (src) {
   }
   let code = codeCache.get(src)
   if (!code) {
-    code = new Function('sandbox', `with (sandbox) { ${src} }`)
+    code = new Function('sandbox', // eslint-disable-line
+    `sandbox = $nxCompileToSandbox(sandbox)
+    with (sandbox) { ${src} }`)
     codeCache.set(src, code)
   }
-  return code // eslint-disable-line
+  return code
 }
 
-function sandbox (obj) {
+function toSandbox (obj) {
   if (typeof obj !== 'object') {
     throw new TypeError('first argument must be an object')
   }
-  return new Proxy(obj, {has})
+  let sandbox = proxies.get(obj)
+  if (!sandbox) {
+    sandbox = new Proxy(obj, handlers)
+    proxies.set(obj, sandbox)
+  }
+  return sandbox
 }
 
 function has () {

compiler.test.js

@@ -3,63 +3,62 @@
 const expect = require('chai').expect
 const compiler = require('./compiler')
 
-global.prop1 = 3
-global.prop2 = 4
-const localProp = 1
+const localProp = 'localProp'
+global.globalProp = 'globalProp'
 
 describe('nx-compile', () => {
   describe('compileCode()', () => {
-    it('should throw TypeError on invalid source argument', () => {
-      expect(() => compiler.compileCode({}, {})).to.throw(TypeError)
-      expect(() => compiler.compileCode(undefined, {})).to.throw(TypeError)
-      expect(() => compiler.compileCode(12, {})).to.throw(TypeError)
-    })
-
-    it('should throw TypeError on invalid sandbox argument', () => {
-      expect(() => compiler.compileExpression('prop1 + prop2', 12)).to.throw(TypeError)
-      expect(() => compiler.compileExpression('prop1 + prop2', undefined)).to.throw(TypeError)
-      expect(() => compiler.compileExpression('prop1 + prop2', '')).to.throw(TypeError)
+    it('should throw a TypeError on non string source argument', () => {
+      expect(() => compiler.compileCode({})).to.throw(TypeError)
+      expect(() => compiler.compileCode(undefined)).to.throw(TypeError)
+      expect(() => compiler.compileCode(12)).to.throw(TypeError)
     })
   })
 
   describe('compileExpression()', () => {
-    it('should throw TypeError on invalid source argument', () => {
-      expect(() => compiler.compileCode({}, {})).to.throw(TypeError)
-      expect(() => compiler.compileCode(undefined, {})).to.throw(TypeError)
-      expect(() => compiler.compileCode(12, {})).to.throw(TypeError)
-    })
-
-    it('should throw TypeError on invalid sandbox argument', () => {
-      expect(() => compiler.compileExpression('prop1 + prop2', 12)).to.throw(TypeError)
-      expect(() => compiler.compileExpression('prop1 + prop2', undefined)).to.throw(TypeError)
-      expect(() => compiler.compileExpression('prop1 + prop2', '')).to.throw(TypeError)
+    it('should throw a TypeError on non string source argument', () => {
+      expect(() => compiler.compileCode({})).to.throw(TypeError)
+      expect(() => compiler.compileCode(undefined)).to.throw(TypeError)
+      expect(() => compiler.compileCode(12)).to.throw(TypeError)
     })
   })
 
   describe('returned function (compiled code or expression)', () => {
+    it('should throw a TypeError on non object sandbox argument', () => {
+      const expression = compiler.compileExpression('prop1 + prop2')
+      expect(() => expression()).to.throw(TypeError)
+      expect(() => expression('string')).to.throw(TypeError)
+      expect(() => expression(12)).to.throw(TypeError)
+    })
+
     it('should execute in the context of the sandbox', () => {
-      const expression = compiler.compileExpression('prop1 + prop2', {prop1: 1, prop2: 2})
-      expect(expression()).to.equal(3)
+      const expression = compiler.compileExpression('prop1 + prop2')
+      expect(expression({prop1: 1, prop2: 2})).to.equal(3)
     })
 
     it('should not expose local variables', () => {
-      const expression = compiler.compileExpression('localProp', {})
-      expect(expression()).to.equal(undefined)
+      const expression = compiler.compileExpression('localProp')
+      expect(expression({})).to.equal(undefined)
     })
 
-    it('should favour sandbox variables over global ones', () => {
-      const expression = compiler.compileExpression('prop1 + prop2', {prop1: 1, prop2: 2})
-      expect(expression()).to.equal(3)
+    it('should not expose global variables', () => {
+      const expression = compiler.compileExpression('globalProp')
+      expect(expression({})).to.equal(undefined)
     })
+  })
 
-    it('should set "this" to the sandbox instead of the global object', () => {
-      const expression = compiler.compileExpression('this.prop1 + this.prop2', {prop1: 1, prop2: 2})
-      expect(expression()).to.equal(3)
+  describe('returned function expression', () => {
+    it('should return undefined instead of throwing on invalid property access', () => {
+      const expression = compiler.compileExpression('inner.prop1')
+      expect(() => expression({})).to.not.throw(TypeError)
+      expect(expression({})).to.equal(undefined)
     })
+  })
 
-    it('should set "this" to be undefined inside functions defined in the passed code', () => {
-      const code = compiler.compileCode('(function () { return this })()', {})
-      expect(code()).to.equal(undefined)
+  describe('returned code expression', () => {
+    it('should throw on invalid property access', () => {
+      const code = compiler.compileCode('inner.prop1')
+      expect(() => code({})).to.throw(TypeError)
     })
   })
 })

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@risingstack/nx-compile",
-  "version": "3.0.0",
-  "description": "Execution of strings as code in a sandboxed environment with optional security.",
+  "version": "4.0.0",
+  "description": "Execution of string as code in the context of an object, similarly to Object.eval().",
   "main": "compiler.js",
   "scripts": {
     "test": "mocha compiler.test.js",
@@ -23,9 +23,10 @@
   "keywords": [
     "nx",
     "compile",
-    "sandbox",
+    "context",
     "eval",
-    "execution"
+    "execution",
+    "code"
   ],
   "devDependencies": {
     "chai": "3.5.0",