fix(this): fix 'this' exposing the global object inside sandboxed code

solkimicreb · solkimicreb · commit bcc5168758aa · 2016-08-17T15:59:55.000+02:00
diff --git a/README.md b/README.md
@@ -132,6 +132,37 @@ const code = compiler.compileCode('console.log(localVariable)')
 code({}, ['console', 'localVariable'])
 ```
 
+#### 'this' inside the sandboxed code
+
+`this` points to the sandbox inside the sandboxed code.
+
+```js
+const compiler = require('@risingstack/nx-compile')
+
+const message = 'local message'
+const code = compiler.compileCode('console.log(this.message)')
+
+// outputs 'sandboxed message' to the console
+code({message: 'sandboxed message'}, ['console'])
+```
+
+#### functions defined inside the sandboxed code
+
+Functions defined inside the sandboxed code are also sandboxed.
+
+```js
+const compiler = require('@risingstack/nx-compile')
+
+const message = 'local message'
+const rawCode = '({}).__proto__.func = function() { return message }'
+const code = compiler.compileCode(rawCode)
+
+code({message: 'sandboxed message'})
+
+// outputs 'sandboxed message' to the console
+console.log(({}).func())
+```
+
 ## Contributions
 
 This library has the very specific purpose of supporting the [NX framework](https://github.com/RisingStack/nx-framework). Features should only be added, if they are used by the framework. Otherwise please fork.
diff --git a/compiler.js b/compiler.js
@@ -31,13 +31,14 @@ function compileCode (src) {
     }
 
     if (!sandboxProxies.has(sandbox)) {
-      sandboxProxies.set(sandbox, new Proxy(sandbox, {has: has, get: get}))
+      sandboxProxies.set(sandbox, new Proxy(sandbox, {has, get}))
     }
     currentAllowedGlobals = allowedGlobals
+    const sandboxProxy = sandboxProxies.get(sandbox)
 
     let result
     try {
-      result = code(sandboxProxies.get(sandbox))
+      result = code.call(sandboxProxy, sandboxProxy)
     } finally {
       currentAllowedGlobals = undefined
     }
diff --git a/compiler.test.js b/compiler.test.js
@@ -9,12 +9,6 @@ const localProp = 1
 
 describe('nx-compile', () => {
   describe('compileCode', () => {
-    it('should execute code in a sandbox', () => {
-      const code = compiler.compileCode('return prop1 + prop2')
-      const value = code({prop1: 1, prop2: 2})
-      expect(value).to.equal(3)
-    })
-
     it('should throw TypeError on invalid source argument', () => {
       expect(() => compiler.compileCode({})).to.throw(TypeError)
       expect(() => compiler.compileCode()).to.throw(TypeError)
@@ -23,12 +17,6 @@ describe('nx-compile', () => {
   })
 
   describe('compileExpression', () => {
-    it('should execute expression in a sandbox', () => {
-      const expression = compiler.compileExpression('prop1 + prop2')
-      const value = expression({prop1: 1, prop2: 2})
-      expect(value).to.equal(3)
-    })
-
     it('should throw TypeError on invalid source argument', () => {
       expect(() => compiler.compileExpression({})).to.throw(TypeError)
       expect(() => compiler.compileExpression()).to.throw(TypeError)
@@ -37,6 +25,31 @@ describe('nx-compile', () => {
   })
 
   describe('returned function (compiled code or expression)', () => {
+    it('should execute in a sandbox', () => {
+      const expression = compiler.compileExpression('prop1 + prop2')
+      const value = expression({prop1: 1, prop2: 2})
+      expect(value).to.equal(3)
+    })
+
+    it('should not expose globals to the sandbox', () => {
+      const expression = compiler.compileExpression('prop1')
+      const value = expression({})
+      expect(value).to.equal(undefined)
+    })
+
+    it('should not expose globals inside functions defined in the passed code', () => {
+      const rawCode = '({}).__proto__.evil = function() { return prop1 + prop2 }'
+      const code = compiler.compileCode(rawCode)
+      code({prop1: 1, prop2: 2})
+      expect(({}).evil()).to.equal(3)
+    })
+
+    it('"this" should be the sandbox instead of the global object', () => {
+      const expression = compiler.compileExpression('this.prop1 + this.prop2')
+      const value = expression({prop1: 1, prop2: 2}, [])
+      expect(value).to.equal(3)
+    })
+
     it('should expose specified globals to the sandbox', () => {
       const expression = compiler.compileExpression('prop1 + prop2')
       const value = expression({}, ['prop1', 'prop2'])
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@risingstack/nx-compile",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Execution of strings as code in a secure, sandboxed environment.",
   "main": "compiler.js",
   "scripts": {

Original file line number	Diff line number	Diff line change
`@@ -31,13 +31,14 @@ function compileCode (src) {`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`if (!sandboxProxies.has(sandbox)) {`
`34`		`- sandboxProxies.set(sandbox, new Proxy(sandbox, {has: has, get: get}))`
	`34`	`+ sandboxProxies.set(sandbox, new Proxy(sandbox, {has, get}))`
`35`	`35`	`}`
`36`	`36`	`currentAllowedGlobals = allowedGlobals`
	`37`	`+ const sandboxProxy = sandboxProxies.get(sandbox)`
`37`	`38`
`38`	`39`	`let result`
`39`	`40`	`try {`
`40`		`- result = code(sandboxProxies.get(sandbox))`
	`41`	`+ result = code.call(sandboxProxy, sandboxProxy)`
`41`	`42`	`} finally {`
`42`	`43`	`currentAllowedGlobals = undefined`
`43`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@risingstack/nx-compile",`
`3`		`- "version": "1.0.1",`
	`3`	`+ "version": "1.0.2",`
`4`	`4`	`"description": "Execution of strings as code in a secure, sandboxed environment.",`
`5`	`5`	`"main": "compiler.js",`
`6`	`6`	`"scripts": {`