nx-compile 2.0

Author: solkimicreb

README.md

@@ -1,7 +1,8 @@
 # nx-compile
 
-This library is part of the [NX framework](http://nx-nxframework.rhcloud.com/).
-The purpose of this library is to allow the execution of strings as code in a secure, sandboxed environment.
+This library is part of the [NX framework](http://nx-framework.com/).
+The purpose of this library is to allow the execution of strings as code in the
+context of a sandbox object with optional security restrictions.
 
 ## Installation
 
@@ -27,93 +28,77 @@ const compiler = require('@risingstack/nx-compile')
 
 ## API
 
-### compiler.compileCode(String)
+### compiler.compileCode(String, Object)
 
-This method creates a function out of a string and returns it. The returned function executes the string as code in a sandbox. The string can be any valid javascript code.
+This method creates a function out of a string and returns it. The returned function executes the string as code in the passed sandbox object. The string can be any valid javascript code and it is
+always executed in strict mode.
 
 ```js
 const code = compiler.compileCode('const sum = prop1 + prop2')
 ```
 
-### compiler.compileExpression(String)
+### compiler.compileExpression(String, Object)
 
-This method creates a function out of a string and returns it. The returned function executes the string as an expression in a sandbox and returns the result of this execution. The string can be any javascript code that may follow a return statement.
+This method creates a function out of a string and returns it. The returned function executes the string as an expression in the passed sandbox object and returns the result of this execution. The string can be any javascript code that may follow a return statement and it is always executed in
+strict mode.
 
 ```js
 const expression = compiler.compileExpression('prop1 || prop2')
 ```
 
-### using the returned function, expression(Object, [Array | true])
+### compiler.secure(String, ..., String)
 
-Pass an object as the first argument, this will be the sandbox the function executes in. Optionally you can expose global variables by passing an Array of variable names as second argument. Passing true as the second argument exposes every global variable.
+This methods secures the sandbox and the compiled code. It prevents access to the global scope
+from inside the passed code. You can optionally pass global variable names as strings to expose
+them to the sandbox. Exposed global variables and the prototypes of literals (strings, numbers, etc.)
+are deep frozen with Object.freeze() to prevent security leaks. Deep frozen means that their whole prototype chain and all constructors found on that prototype chain are frozen. Calling secure more than once throws an error.
 
 ```js
-const result = expression({prop1: 'someValue', prop2: 'someOtherValue'}, ['LocalStorage'])
+compiler.secure('console', 'setTimeout')
 ```
 
+This method is experimental, please do not use it in a production environment yet!
+
 ## Example
 
 ```js
 const compiler = require('@risingstack/nx-compile')
+compiler.secure('console')
 
-const code = compiler.compileCode('console.log(name + version)')
+const sandbox = {name: 'nx-compile', version: '1.0'}
+const code = compiler.compileCode('console.log(name + version)', sandbox)
 
 // outputs 'nx-compile1.0' to console
-code({name: 'nx-compile', version: '1.0'}, ['console'])
-
-// outputs 'undefined1.0' to console (name is undefined)
-code({version: '1.0'}, ['console'])
-
-// throws a ReferenceError (console is undefined)
-code({name: 'nx-compile', version: '1.0'})
+code()
 ```
 
 ## Features, limitations and edge cases
 
-#### difference between global and sandbox variables
-
-Javascript throws a ReferenceError if you try to read undeclared variables. The sandbox is more forgiving. It reads it as undefined instead.
-
-```js
-const compiler = require('@risingstack/nx-compile')
-
-const code = compiler.compileCode('console.log(nonExistentVar)')
-
-// tries to retrieve 'nonExistentVar' from the (forgiving) sandbox
-// outputs 'undefined' to the console
-code({}, ['console'])
-
-// tries to retrieve 'nonExistentVar' from the global object
-// throws a ReferenceError
-code({}, ['console', 'nonExistentVar'])
-```
-
 #### lookup order
 
-The compiled function tries to retrieve the variables first from the sandbox and then from the global object (if exposed by the second parameter).
+The compiled function tries to retrieve the variables first from the sandbox and then from the global object.
 
 ```js
 const compiler = require('@risingstack/nx-compile')
 
 global.prop = 'globalValue' // in a browser global would be window
 const sandbox = {prop: 'sandboxValue'}
 
-const code = compiler.compileCode('console.log(prop)')
+const code = compiler.compileCode('console.log(prop)', sandbox)
 
 // outputs 'sandboxValue' to the console
-code(sandbox, ['console', 'prop'])
+code()
 
-sandbox.prop = undefined
 
 // the key is still present in the sandbox
 // outputs 'undefined' to the console
-code(sandbox, ['console', 'prop'])
-
-delete sandbox.prop
+sandbox.prop = undefined
+code()
 
 // the key is not present in the sandbox
 // outputs 'globalValue' to the console
-code(sandbox, ['console', 'prop'])
+delete sandbox.prop
+code()
 ```
 
 #### local variables can't be exposed
@@ -125,11 +110,11 @@ You can only expose variables declared on the global object.
 const compiler = require('@risingstack/nx-compile')
 
 const localVariable = 'localValue'
-const code = compiler.compileCode('console.log(localVariable)')
+const code = compiler.compileCode('console.log(localVariable)', {})
 
 // tries to retrieve 'localVariable' from the global object
 // throws a ReferenceError
-code({}, ['console', 'localVariable'])
+code()
 ```
 
 #### 'this' inside the sandboxed code
@@ -140,10 +125,11 @@ code({}, ['console', 'localVariable'])
 const compiler = require('@risingstack/nx-compile')
 
 const message = 'local message'
-const code = compiler.compileCode('console.log(this.message)')
+const sandbox = {message: 'sandboxed message'}
+const code = compiler.compileCode('console.log(this.message)', sandbox)
 
 // outputs 'sandboxed message' to the console
-code({message: 'sandboxed message'}, ['console'])
+code()
 ```
 
 #### functions defined inside the sandboxed code
@@ -154,13 +140,43 @@ Functions defined inside the sandboxed code are also sandboxed.
 const compiler = require('@risingstack/nx-compile')
 
 const message = 'local message'
-const rawCode = '({}).__proto__.func = function() { return message }'
-const code = compiler.compileCode(rawCode)
-
-code({message: 'sandboxed message'})
+const sandbox = {message: 'sandboxed message'}
+const code = compiler.compileCode('setTimeout(() => console.log(message))', sandbox)
 
 // outputs 'sandboxed message' to the console
-console.log(({}).func())
+code()
+```
+
+#### globals in secure mode
+
+Unexposed global variable access is prevented in secure mode.
+
+```js
+const compiler = require('@risingstack/nx-compile')
+compiler.secure('console')
+
+const sandbox = {}
+const code = compiler.compileCode('console.log(setTimeout)', sandbox)
+
+// console is exposed, setTimeout is not exposed
+// outputs 'undefined' to the console
+code()
+```
+
+#### frozen objects in secure mode
+
+Exposed globals and literal prototypes are frozen in secure mode.
+
+```js
+const compiler = require('@risingstack/nx-compile')
+compiler.secure('console')
+
+const sandbox = {}
+const rawCode = '({}).constructor.create = function(/* evil stuff */) {}'
+const code = compiler.compileCode(, sandbox)
+
+// throws a TypeError, Object.create() can not be overwritten
+code()
 ```
 
 ## Contributions

compiler.js

@@ -1,49 +1,35 @@
 'use strict'
 
-const sandboxProxies = new WeakMap()
-let currentAllowedGlobals
+let secured = false
+let exposedGlobals = []
 
 module.exports = {
   compileCode,
-  compileExpression
+  compileExpression,
+  secure
 }
 
-function compileExpression (src) {
-  if (typeof src !== 'string') {
-    throw new TypeError('first argument must be a string')
-  }
-  return compileCode(`return ${src}`)
+function compileExpression (src, sandbox) {
+  return compileCode(`return ${src}`, sandbox)
 }
 
-function compileCode (src) {
+function compileCode (src, sandbox) {
   if (typeof src !== 'string') {
     throw new TypeError('first argument must be a string')
   }
+  if (typeof sandbox !== 'object') {
+    throw new TypeError('second argument must be an object')
+  }
 
-  const code = new Function('sandbox', `with (sandbox) {${src}}`) // eslint-disable-line
-
-  return function (sandbox, allowedGlobals) {
-    if (typeof sandbox !== 'object') {
-      throw new TypeError('first argument must be an object')
-    }
-    if (allowedGlobals !== undefined && allowedGlobals !== true && !Array.isArray(allowedGlobals)) {
-      throw new TypeError('second argument must be an array of strings or true or undefined')
-    }
+  if (secured) {
+    sandbox = new Proxy(sandbox, {get, has})
+  }
 
-    if (!sandboxProxies.has(sandbox)) {
-      sandboxProxies.set(sandbox, new Proxy(sandbox, {has, get}))
-    }
-    currentAllowedGlobals = allowedGlobals
-    const sandboxProxy = sandboxProxies.get(sandbox)
+  // test for string manipulation
+  new Function(`'use strict'; ${src}`) // eslint-disable-line
 
-    let result
-    try {
-      result = code.call(sandboxProxy, sandboxProxy)
-    } finally {
-      currentAllowedGlobals = undefined
-    }
-    return result
-  }
+  return new Function(`with (this) { return (() => { 'use strict'; ${src} }) }`) // eslint-disable-line
+    .call(sandbox)
 }
 
 function get (target, key, receiver) {
@@ -54,17 +40,41 @@ function get (target, key, receiver) {
 }
 
 function has (target, key) {
-  if (isAllowedGlobal(key)) {
+  if (exposedGlobals.indexOf(key) !== -1) {
     return Reflect.has(target, key)
   }
   return true
 }
 
-function isAllowedGlobal (key) {
-  if (currentAllowedGlobals === true) {
-    return true
+function secure () {
+  if (secured) {
+    throw new Error('the compiler is already secured')
   }
-  if (Array.isArray(currentAllowedGlobals) && currentAllowedGlobals.indexOf(key) !== -1) {
-    return true
+
+  exposedGlobals.push(...arguments)
+  const globalObject = getGlobalObject()
+  for (let exposed of exposedGlobals) {
+    deepFreeze(globalObject[exposed])
   }
+
+  const literals = ['', 0, true, /a/, [], {}, () => {}]
+  for (let literal of literals) {
+    deepFreeze(Object.getPrototypeOf(literal))
+  }
+  secured = true
+}
+
+function deepFreeze (obj) {
+  if ((typeof obj === 'object' || typeof obj === 'function') && obj !== null && !Object.isFrozen(obj)) {
+    Object.freeze(obj)
+    Object.freeze(obj.constructor)
+    deepFreeze(Object.getPrototypeOf(obj))
+  }
+}
+
+function getGlobalObject () {
+  if (typeof global === 'object' && global.global === global) return global
+  if (typeof self === 'object' && self.self === self) return self // eslint-disable-line
+  if (typeof window === 'object' && window.window === window) return window
+  throw new Error('global object could not be detected')
 }