From 4426f84e2df5ab291785d97286bc9956a9ffc3f3 Mon Sep 17 00:00:00 2001 From: Andrew Kingston Date: Wed, 14 Feb 2024 16:57:59 +0000 Subject: [PATCH 1/9] Use constants for icon info rather than component definitions --- .../FieldSetting.svelte | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/packages/builder/src/components/design/settings/controls/GridColumnConfiguration/FieldSetting.svelte b/packages/builder/src/components/design/settings/controls/GridColumnConfiguration/FieldSetting.svelte index 3f2afbfe8d..668f2f7d59 100644 --- a/packages/builder/src/components/design/settings/controls/GridColumnConfiguration/FieldSetting.svelte +++ b/packages/builder/src/components/design/settings/controls/GridColumnConfiguration/FieldSetting.svelte @@ -1,15 +1,25 @@
@@ -42,7 +45,7 @@ on:change >
- + {item.field}
From 0c66f2d3995643694612532e8c0479de33cb9751 Mon Sep 17 00:00:00 2001 From: Andrew Kingston Date: Thu, 15 Feb 2024 09:17:58 +0000 Subject: [PATCH 2/9] Bump account portal --- packages/account-portal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/account-portal b/packages/account-portal index 1ba8414bed..8c446c4ba3 160000 --- a/packages/account-portal +++ b/packages/account-portal @@ -1 +1 @@ -Subproject commit 1ba8414bed14439512153cf851086146a80560f5 +Subproject commit 8c446c4ba385592127fa31755d3b64467b291882 From 04b7fda08b63a5c7d120154240b82c4f4ab9cc8c Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Mon, 19 Feb 2024 15:47:52 +0100 Subject: [PATCH 3/9] Move vm code --- packages/server/src/jsRunner/vm/builtin-vm.ts | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 packages/server/src/jsRunner/vm/builtin-vm.ts diff --git a/packages/server/src/jsRunner/vm/builtin-vm.ts b/packages/server/src/jsRunner/vm/builtin-vm.ts new file mode 100644 index 0000000000..c439603acd --- /dev/null +++ b/packages/server/src/jsRunner/vm/builtin-vm.ts @@ -0,0 +1,75 @@ +import vm from "vm" +import env from "../../environment" +import { setOnErrorLog } from "@budibase/string-templates" +import { context, logging, timers } from "@budibase/backend-core" +import tracer from "dd-trace" +import { serializeError } from "serialize-error" +import { VM } from "@budibase/types" + +type TrackerFn = (f: () => T) => T + +export class BuiltInVM implements VM { + private ctx: vm.Context + + constructor(ctx: vm.Context) { + this.ctx = ctx + + if (env.LOG_JS_ERRORS) { + setOnErrorLog((error: Error) => { + logging.logWarn(JSON.stringify(serializeError(error))) + }) + } + } + + execute(code: string) { + return tracer.trace("runJS", {}, span => { + const perRequestLimit = env.JS_PER_REQUEST_TIMEOUT_MS + let track: TrackerFn = f => f() + if (perRequestLimit) { + const bbCtx = tracer.trace("runJS.getCurrentContext", {}, span => + context.getCurrentContext() + ) + if (bbCtx) { + if (!bbCtx.jsExecutionTracker) { + span?.addTags({ + createdExecutionTracker: true, + }) + bbCtx.jsExecutionTracker = tracer.trace( + "runJS.createExecutionTimeTracker", + {}, + span => timers.ExecutionTimeTracker.withLimit(perRequestLimit) + ) + } + span?.addTags({ + js: { + limitMS: bbCtx.jsExecutionTracker.limitMs, + elapsedMS: bbCtx.jsExecutionTracker.elapsedMS, + }, + }) + // We call checkLimit() here to prevent paying the cost of creating + // a new VM context below when we don't need to. + tracer.trace("runJS.checkLimitAndBind", {}, span => { + bbCtx.jsExecutionTracker!.checkLimit() + track = bbCtx.jsExecutionTracker!.track.bind( + bbCtx.jsExecutionTracker + ) + }) + } + } + + this.ctx = { + ...this.ctx, + alert: undefined, + setInterval: undefined, + setTimeout: undefined, + } + + vm.createContext(this.ctx) + return track(() => + vm.runInNewContext(code, this.ctx, { + timeout: env.JS_PER_INVOCATION_TIMEOUT_MS, + }) + ) + }) + } +} From a84474bd62032e67c74acf2bc0162c710c949da3 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Mon, 19 Feb 2024 15:49:38 +0100 Subject: [PATCH 4/9] Export --- packages/server/src/jsRunner/vm/index.ts | 272 +----------------- .../server/src/jsRunner/vm/isolated-vm.ts | 270 +++++++++++++++++ 2 files changed, 272 insertions(+), 270 deletions(-) create mode 100644 packages/server/src/jsRunner/vm/isolated-vm.ts diff --git a/packages/server/src/jsRunner/vm/index.ts b/packages/server/src/jsRunner/vm/index.ts index ab26f3f6d1..cc50a5eeaa 100644 --- a/packages/server/src/jsRunner/vm/index.ts +++ b/packages/server/src/jsRunner/vm/index.ts @@ -1,270 +1,2 @@ -import ivm from "isolated-vm" -import bson from "bson" - -import url from "url" -import crypto from "crypto" -import querystring from "querystring" - -import { BundleType, loadBundle } from "../bundles" -import { VM } from "@budibase/types" - -class ExecutionTimeoutError extends Error { - constructor(message: string) { - super(message) - this.name = "ExecutionTimeoutError" - } -} - -class ModuleHandler { - private modules: { - import: string - moduleKey: string - module: ivm.Module - }[] = [] - - private generateRandomKey = () => `i${crypto.randomUUID().replace(/-/g, "")}` - - registerModule(module: ivm.Module, imports: string) { - this.modules.push({ - moduleKey: this.generateRandomKey(), - import: imports, - module: module, - }) - } - - generateImports() { - return this.modules - .map(m => `import ${m.import} from "${m.moduleKey}"`) - .join(";") - } - - getModule(key: string) { - const module = this.modules.find(m => m.moduleKey === key) - return module?.module - } -} - -export class IsolatedVM implements VM { - private isolate: ivm.Isolate - private vm: ivm.Context - private jail: ivm.Reference - private invocationTimeout: number - private isolateAccumulatedTimeout?: number - - // By default the wrapper returns itself - private codeWrapper: (code: string) => string = code => code - - private moduleHandler = new ModuleHandler() - - private readonly resultKey = "results" - - constructor({ - memoryLimit, - invocationTimeout, - isolateAccumulatedTimeout, - }: { - memoryLimit: number - invocationTimeout: number - isolateAccumulatedTimeout?: number - }) { - this.isolate = new ivm.Isolate({ memoryLimit }) - this.vm = this.isolate.createContextSync() - this.jail = this.vm.global - this.jail.setSync("global", this.jail.derefInto()) - - this.addToContext({ - [this.resultKey]: { out: "" }, - }) - - this.invocationTimeout = invocationTimeout - this.isolateAccumulatedTimeout = isolateAccumulatedTimeout - } - - withHelpers() { - const urlModule = this.registerCallbacks({ - resolve: url.resolve, - parse: url.parse, - }) - - const querystringModule = this.registerCallbacks({ - escape: querystring.escape, - }) - - this.addToContext({ - helpersStripProtocol: new ivm.Callback((str: string) => { - var parsed = url.parse(str) as any - parsed.protocol = "" - return parsed.format() - }), - }) - - const injectedRequire = `const require=function req(val) { - switch (val) { - case "url": return ${urlModule}; - case "querystring": return ${querystringModule}; - } - }` - const helpersSource = loadBundle(BundleType.HELPERS) - const helpersModule = this.isolate.compileModuleSync( - `${injectedRequire};${helpersSource}` - ) - - helpersModule.instantiateSync(this.vm, specifier => { - if (specifier === "crypto") { - const cryptoModule = this.registerCallbacks({ - randomUUID: crypto.randomUUID, - }) - const module = this.isolate.compileModuleSync( - `export default ${cryptoModule}` - ) - module.instantiateSync(this.vm, specifier => { - throw new Error(`No imports allowed. Required: ${specifier}`) - }) - return module - } - throw new Error(`No imports allowed. Required: ${specifier}`) - }) - - this.moduleHandler.registerModule(helpersModule, "helpers") - return this - } - - withContext(context: Record) { - this.addToContext(context) - - return this - } - - withParsingBson(data: any) { - this.addToContext({ - bsonData: bson.BSON.serialize({ data }), - }) - - // If we need to parse bson, we follow the next steps: - // 1. Serialise the data from potential BSON to buffer before passing it to the isolate - // 2. Deserialise the data within the isolate, to get the original data - // 3. Process script - // 4. Stringify the result in order to convert the result from BSON to json - this.codeWrapper = code => - `(function(){ - const data = deserialize(bsonData, { validation: { utf8: false } }).data; - const result = ${code} - return toJson(result); - })();` - - const bsonSource = loadBundle(BundleType.BSON) - - this.addToContext({ - textDecoderCb: new ivm.Callback( - (args: { - constructorArgs: any - functionArgs: Parameters["decode"]> - }) => { - const result = new TextDecoder(...args.constructorArgs).decode( - ...args.functionArgs - ) - return result - } - ), - }) - - // "Polyfilling" text decoder. `bson.deserialize` requires decoding. We are creating a bridge function so we don't need to inject the full library - const textDecoderPolyfill = class TextDecoder { - constructorArgs - - constructor(...constructorArgs: any) { - this.constructorArgs = constructorArgs - } - - decode(...input: any) { - // @ts-ignore - return textDecoderCb({ - constructorArgs: this.constructorArgs, - functionArgs: input, - }) - } - }.toString() - const bsonModule = this.isolate.compileModuleSync( - `${textDecoderPolyfill};${bsonSource}` - ) - bsonModule.instantiateSync(this.vm, specifier => { - throw new Error(`No imports allowed. Required: ${specifier}`) - }) - - this.moduleHandler.registerModule(bsonModule, "{deserialize, toJson}") - - return this - } - - execute(code: string): any { - if (this.isolateAccumulatedTimeout) { - const cpuMs = Number(this.isolate.cpuTime) / 1e6 - if (cpuMs > this.isolateAccumulatedTimeout) { - throw new ExecutionTimeoutError( - `CPU time limit exceeded (${cpuMs}ms > ${this.isolateAccumulatedTimeout}ms)` - ) - } - } - - code = `${this.moduleHandler.generateImports()};results.out=${this.codeWrapper( - code - )};` - - const script = this.isolate.compileModuleSync(code) - - script.instantiateSync(this.vm, specifier => { - const module = this.moduleHandler.getModule(specifier) - if (module) { - return module - } - - throw new Error(`"${specifier}" import not allowed`) - }) - - script.evaluateSync({ timeout: this.invocationTimeout }) - - const result = this.getFromContext(this.resultKey) - return result.out - } - - private registerCallbacks(functions: Record) { - const libId = crypto.randomUUID().replace(/-/g, "") - - const x: Record = {} - for (const [funcName, func] of Object.entries(functions)) { - const key = `f${libId}${funcName}cb` - x[funcName] = key - - this.addToContext({ - [key]: new ivm.Callback((...params: any[]) => (func as any)(...params)), - }) - } - - const mod = - `{` + - Object.entries(x) - .map(([key, func]) => `${key}: ${func}`) - .join() + - "}" - return mod - } - - private addToContext(context: Record) { - for (let key in context) { - const value = context[key] - this.jail.setSync( - key, - typeof value === "function" - ? value - : new ivm.ExternalCopy(value).copyInto({ release: true }) - ) - } - } - - private getFromContext(key: string) { - const ref = this.vm.global.getSync(key, { reference: true }) - const result = ref.copySync() - ref.release() - return result - } -} +export * from "./isolated-vm" +export * from "./builtin-vm" diff --git a/packages/server/src/jsRunner/vm/isolated-vm.ts b/packages/server/src/jsRunner/vm/isolated-vm.ts new file mode 100644 index 0000000000..ab26f3f6d1 --- /dev/null +++ b/packages/server/src/jsRunner/vm/isolated-vm.ts @@ -0,0 +1,270 @@ +import ivm from "isolated-vm" +import bson from "bson" + +import url from "url" +import crypto from "crypto" +import querystring from "querystring" + +import { BundleType, loadBundle } from "../bundles" +import { VM } from "@budibase/types" + +class ExecutionTimeoutError extends Error { + constructor(message: string) { + super(message) + this.name = "ExecutionTimeoutError" + } +} + +class ModuleHandler { + private modules: { + import: string + moduleKey: string + module: ivm.Module + }[] = [] + + private generateRandomKey = () => `i${crypto.randomUUID().replace(/-/g, "")}` + + registerModule(module: ivm.Module, imports: string) { + this.modules.push({ + moduleKey: this.generateRandomKey(), + import: imports, + module: module, + }) + } + + generateImports() { + return this.modules + .map(m => `import ${m.import} from "${m.moduleKey}"`) + .join(";") + } + + getModule(key: string) { + const module = this.modules.find(m => m.moduleKey === key) + return module?.module + } +} + +export class IsolatedVM implements VM { + private isolate: ivm.Isolate + private vm: ivm.Context + private jail: ivm.Reference + private invocationTimeout: number + private isolateAccumulatedTimeout?: number + + // By default the wrapper returns itself + private codeWrapper: (code: string) => string = code => code + + private moduleHandler = new ModuleHandler() + + private readonly resultKey = "results" + + constructor({ + memoryLimit, + invocationTimeout, + isolateAccumulatedTimeout, + }: { + memoryLimit: number + invocationTimeout: number + isolateAccumulatedTimeout?: number + }) { + this.isolate = new ivm.Isolate({ memoryLimit }) + this.vm = this.isolate.createContextSync() + this.jail = this.vm.global + this.jail.setSync("global", this.jail.derefInto()) + + this.addToContext({ + [this.resultKey]: { out: "" }, + }) + + this.invocationTimeout = invocationTimeout + this.isolateAccumulatedTimeout = isolateAccumulatedTimeout + } + + withHelpers() { + const urlModule = this.registerCallbacks({ + resolve: url.resolve, + parse: url.parse, + }) + + const querystringModule = this.registerCallbacks({ + escape: querystring.escape, + }) + + this.addToContext({ + helpersStripProtocol: new ivm.Callback((str: string) => { + var parsed = url.parse(str) as any + parsed.protocol = "" + return parsed.format() + }), + }) + + const injectedRequire = `const require=function req(val) { + switch (val) { + case "url": return ${urlModule}; + case "querystring": return ${querystringModule}; + } + }` + const helpersSource = loadBundle(BundleType.HELPERS) + const helpersModule = this.isolate.compileModuleSync( + `${injectedRequire};${helpersSource}` + ) + + helpersModule.instantiateSync(this.vm, specifier => { + if (specifier === "crypto") { + const cryptoModule = this.registerCallbacks({ + randomUUID: crypto.randomUUID, + }) + const module = this.isolate.compileModuleSync( + `export default ${cryptoModule}` + ) + module.instantiateSync(this.vm, specifier => { + throw new Error(`No imports allowed. Required: ${specifier}`) + }) + return module + } + throw new Error(`No imports allowed. Required: ${specifier}`) + }) + + this.moduleHandler.registerModule(helpersModule, "helpers") + return this + } + + withContext(context: Record) { + this.addToContext(context) + + return this + } + + withParsingBson(data: any) { + this.addToContext({ + bsonData: bson.BSON.serialize({ data }), + }) + + // If we need to parse bson, we follow the next steps: + // 1. Serialise the data from potential BSON to buffer before passing it to the isolate + // 2. Deserialise the data within the isolate, to get the original data + // 3. Process script + // 4. Stringify the result in order to convert the result from BSON to json + this.codeWrapper = code => + `(function(){ + const data = deserialize(bsonData, { validation: { utf8: false } }).data; + const result = ${code} + return toJson(result); + })();` + + const bsonSource = loadBundle(BundleType.BSON) + + this.addToContext({ + textDecoderCb: new ivm.Callback( + (args: { + constructorArgs: any + functionArgs: Parameters["decode"]> + }) => { + const result = new TextDecoder(...args.constructorArgs).decode( + ...args.functionArgs + ) + return result + } + ), + }) + + // "Polyfilling" text decoder. `bson.deserialize` requires decoding. We are creating a bridge function so we don't need to inject the full library + const textDecoderPolyfill = class TextDecoder { + constructorArgs + + constructor(...constructorArgs: any) { + this.constructorArgs = constructorArgs + } + + decode(...input: any) { + // @ts-ignore + return textDecoderCb({ + constructorArgs: this.constructorArgs, + functionArgs: input, + }) + } + }.toString() + const bsonModule = this.isolate.compileModuleSync( + `${textDecoderPolyfill};${bsonSource}` + ) + bsonModule.instantiateSync(this.vm, specifier => { + throw new Error(`No imports allowed. Required: ${specifier}`) + }) + + this.moduleHandler.registerModule(bsonModule, "{deserialize, toJson}") + + return this + } + + execute(code: string): any { + if (this.isolateAccumulatedTimeout) { + const cpuMs = Number(this.isolate.cpuTime) / 1e6 + if (cpuMs > this.isolateAccumulatedTimeout) { + throw new ExecutionTimeoutError( + `CPU time limit exceeded (${cpuMs}ms > ${this.isolateAccumulatedTimeout}ms)` + ) + } + } + + code = `${this.moduleHandler.generateImports()};results.out=${this.codeWrapper( + code + )};` + + const script = this.isolate.compileModuleSync(code) + + script.instantiateSync(this.vm, specifier => { + const module = this.moduleHandler.getModule(specifier) + if (module) { + return module + } + + throw new Error(`"${specifier}" import not allowed`) + }) + + script.evaluateSync({ timeout: this.invocationTimeout }) + + const result = this.getFromContext(this.resultKey) + return result.out + } + + private registerCallbacks(functions: Record) { + const libId = crypto.randomUUID().replace(/-/g, "") + + const x: Record = {} + for (const [funcName, func] of Object.entries(functions)) { + const key = `f${libId}${funcName}cb` + x[funcName] = key + + this.addToContext({ + [key]: new ivm.Callback((...params: any[]) => (func as any)(...params)), + }) + } + + const mod = + `{` + + Object.entries(x) + .map(([key, func]) => `${key}: ${func}`) + .join() + + "}" + return mod + } + + private addToContext(context: Record) { + for (let key in context) { + const value = context[key] + this.jail.setSync( + key, + typeof value === "function" + ? value + : new ivm.ExternalCopy(value).copyInto({ release: true }) + ) + } + } + + private getFromContext(key: string) { + const ref = this.vm.global.getSync(key, { reference: true }) + const result = ref.copySync() + ref.release() + return result + } +} From 598ebccc2cabf1392b059f74658d20dd56094d55 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Mon, 19 Feb 2024 16:08:34 +0100 Subject: [PATCH 5/9] Use wrapper --- packages/server/src/jsRunner/index.ts | 54 +-------- packages/server/src/jsRunner/vm/builtin-vm.ts | 108 ++++++++---------- 2 files changed, 53 insertions(+), 109 deletions(-) diff --git a/packages/server/src/jsRunner/index.ts b/packages/server/src/jsRunner/index.ts index e39dab1313..c572c112c9 100644 --- a/packages/server/src/jsRunner/index.ts +++ b/packages/server/src/jsRunner/index.ts @@ -1,62 +1,16 @@ import vm from "vm" import env from "../environment" import { setJSRunner, setOnErrorLog } from "@budibase/string-templates" -import { context, logging, timers } from "@budibase/backend-core" +import { logging } from "@budibase/backend-core" import tracer from "dd-trace" import { serializeError } from "serialize-error" - -type TrackerFn = (f: () => T) => T +import { BuiltInVM } from "./vm" export function init() { setJSRunner((js: string, ctx: vm.Context) => { return tracer.trace("runJS", {}, span => { - const perRequestLimit = env.JS_PER_REQUEST_TIMEOUT_MS - let track: TrackerFn = f => f() - if (perRequestLimit) { - const bbCtx = tracer.trace("runJS.getCurrentContext", {}, span => - context.getCurrentContext() - ) - if (bbCtx) { - if (!bbCtx.jsExecutionTracker) { - span?.addTags({ - createdExecutionTracker: true, - }) - bbCtx.jsExecutionTracker = tracer.trace( - "runJS.createExecutionTimeTracker", - {}, - span => timers.ExecutionTimeTracker.withLimit(perRequestLimit) - ) - } - span?.addTags({ - js: { - limitMS: bbCtx.jsExecutionTracker.limitMs, - elapsedMS: bbCtx.jsExecutionTracker.elapsedMS, - }, - }) - // We call checkLimit() here to prevent paying the cost of creating - // a new VM context below when we don't need to. - tracer.trace("runJS.checkLimitAndBind", {}, span => { - bbCtx.jsExecutionTracker!.checkLimit() - track = bbCtx.jsExecutionTracker!.track.bind( - bbCtx.jsExecutionTracker - ) - }) - } - } - - ctx = { - ...ctx, - alert: undefined, - setInterval: undefined, - setTimeout: undefined, - } - - vm.createContext(ctx) - return track(() => - vm.runInNewContext(js, ctx, { - timeout: env.JS_PER_INVOCATION_TIMEOUT_MS, - }) - ) + const vm = new BuiltInVM(ctx, span) + return vm.execute(js) }) }) diff --git a/packages/server/src/jsRunner/vm/builtin-vm.ts b/packages/server/src/jsRunner/vm/builtin-vm.ts index c439603acd..b4c9f775f9 100644 --- a/packages/server/src/jsRunner/vm/builtin-vm.ts +++ b/packages/server/src/jsRunner/vm/builtin-vm.ts @@ -1,75 +1,65 @@ import vm from "vm" import env from "../../environment" -import { setOnErrorLog } from "@budibase/string-templates" -import { context, logging, timers } from "@budibase/backend-core" -import tracer from "dd-trace" -import { serializeError } from "serialize-error" +import { context, timers } from "@budibase/backend-core" +import tracer, { Span } from "dd-trace" import { VM } from "@budibase/types" type TrackerFn = (f: () => T) => T export class BuiltInVM implements VM { private ctx: vm.Context + private span?: Span - constructor(ctx: vm.Context) { + constructor(ctx: vm.Context, span?: Span) { this.ctx = ctx - - if (env.LOG_JS_ERRORS) { - setOnErrorLog((error: Error) => { - logging.logWarn(JSON.stringify(serializeError(error))) - }) - } + this.span = span } execute(code: string) { - return tracer.trace("runJS", {}, span => { - const perRequestLimit = env.JS_PER_REQUEST_TIMEOUT_MS - let track: TrackerFn = f => f() - if (perRequestLimit) { - const bbCtx = tracer.trace("runJS.getCurrentContext", {}, span => - context.getCurrentContext() - ) - if (bbCtx) { - if (!bbCtx.jsExecutionTracker) { - span?.addTags({ - createdExecutionTracker: true, - }) - bbCtx.jsExecutionTracker = tracer.trace( - "runJS.createExecutionTimeTracker", - {}, - span => timers.ExecutionTimeTracker.withLimit(perRequestLimit) - ) - } - span?.addTags({ - js: { - limitMS: bbCtx.jsExecutionTracker.limitMs, - elapsedMS: bbCtx.jsExecutionTracker.elapsedMS, - }, - }) - // We call checkLimit() here to prevent paying the cost of creating - // a new VM context below when we don't need to. - tracer.trace("runJS.checkLimitAndBind", {}, span => { - bbCtx.jsExecutionTracker!.checkLimit() - track = bbCtx.jsExecutionTracker!.track.bind( - bbCtx.jsExecutionTracker - ) - }) - } - } - - this.ctx = { - ...this.ctx, - alert: undefined, - setInterval: undefined, - setTimeout: undefined, - } - - vm.createContext(this.ctx) - return track(() => - vm.runInNewContext(code, this.ctx, { - timeout: env.JS_PER_INVOCATION_TIMEOUT_MS, - }) + const perRequestLimit = env.JS_PER_REQUEST_TIMEOUT_MS + let track: TrackerFn = f => f() + if (perRequestLimit) { + const bbCtx = tracer.trace("runJS.getCurrentContext", {}, span => + context.getCurrentContext() ) - }) + if (bbCtx) { + if (!bbCtx.jsExecutionTracker) { + this.span?.addTags({ + createdExecutionTracker: true, + }) + bbCtx.jsExecutionTracker = tracer.trace( + "runJS.createExecutionTimeTracker", + {}, + span => timers.ExecutionTimeTracker.withLimit(perRequestLimit) + ) + } + this.span?.addTags({ + js: { + limitMS: bbCtx.jsExecutionTracker.limitMs, + elapsedMS: bbCtx.jsExecutionTracker.elapsedMS, + }, + }) + // We call checkLimit() here to prevent paying the cost of creating + // a new VM context below when we don't need to. + tracer.trace("runJS.checkLimitAndBind", {}, span => { + bbCtx.jsExecutionTracker!.checkLimit() + track = bbCtx.jsExecutionTracker!.track.bind(bbCtx.jsExecutionTracker) + }) + } + } + + this.ctx = { + ...this.ctx, + alert: undefined, + setInterval: undefined, + setTimeout: undefined, + } + + vm.createContext(this.ctx) + return track(() => + vm.runInNewContext(code, this.ctx, { + timeout: env.JS_PER_INVOCATION_TIMEOUT_MS, + }) + ) } } From 4cabe612b1919645476649d3a5fb5045a45a7260 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Mon, 19 Feb 2024 16:14:01 +0100 Subject: [PATCH 6/9] Create vm2 wrapper --- packages/server/src/jsRunner/vm/index.ts | 1 + packages/server/src/jsRunner/vm/vm2.ts | 26 ++++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 packages/server/src/jsRunner/vm/vm2.ts diff --git a/packages/server/src/jsRunner/vm/index.ts b/packages/server/src/jsRunner/vm/index.ts index cc50a5eeaa..01e0daa354 100644 --- a/packages/server/src/jsRunner/vm/index.ts +++ b/packages/server/src/jsRunner/vm/index.ts @@ -1,2 +1,3 @@ export * from "./isolated-vm" export * from "./builtin-vm" +export * from "./vm2" diff --git a/packages/server/src/jsRunner/vm/vm2.ts b/packages/server/src/jsRunner/vm/vm2.ts new file mode 100644 index 0000000000..6d05943d25 --- /dev/null +++ b/packages/server/src/jsRunner/vm/vm2.ts @@ -0,0 +1,26 @@ +import vm2 from "vm2" +import { VM } from "@budibase/types" + +const JS_TIMEOUT_MS = 1000 + +export class VM2 implements VM { + vm: vm2.VM + results: { out: string } + + constructor(context: any) { + this.vm = new vm2.VM({ + timeout: JS_TIMEOUT_MS, + }) + this.results = { out: "" } + this.vm.setGlobals(context) + this.vm.setGlobal("fetch", fetch) + this.vm.setGlobal("results", this.results) + } + + execute(script: string) { + const code = `let fn = () => {\n${script}\n}; results.out = fn();` + const vmScript = new vm2.VMScript(code) + this.vm.run(vmScript) + return this.results.out + } +} From 1367cf36360da1ac8dd9f202be54ebfc956f0250 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Mon, 19 Feb 2024 16:17:19 +0100 Subject: [PATCH 7/9] Use wrappers --- packages/server/src/api/controllers/script.ts | 7 +++-- packages/server/src/threads/query.ts | 8 ++--- packages/server/src/utilities/scriptRunner.ts | 29 ------------------- 3 files changed, 8 insertions(+), 36 deletions(-) delete mode 100644 packages/server/src/utilities/scriptRunner.ts diff --git a/packages/server/src/api/controllers/script.ts b/packages/server/src/api/controllers/script.ts index d5b99d0733..f00383615e 100644 --- a/packages/server/src/api/controllers/script.ts +++ b/packages/server/src/api/controllers/script.ts @@ -1,10 +1,11 @@ -import ScriptRunner from "../../utilities/scriptRunner" import { Ctx } from "@budibase/types" +import { VM2 } from "../../jsRunner/vm" export async function execute(ctx: Ctx) { const { script, context } = ctx.request.body - const runner = new ScriptRunner(script, context) - ctx.body = runner.execute() + const runner = new VM2(context) + const result = runner.execute(script) + ctx.body = result } export async function save(ctx: Ctx) { diff --git a/packages/server/src/threads/query.ts b/packages/server/src/threads/query.ts index 6b11ce4759..429d058ef7 100644 --- a/packages/server/src/threads/query.ts +++ b/packages/server/src/threads/query.ts @@ -7,7 +7,7 @@ import { QueryVariable, QueryResponse, } from "./definitions" -import ScriptRunner from "../utilities/scriptRunner" +import { VM2 } from "../jsRunner/vm" import { getIntegration } from "../integrations" import { processStringSync } from "@budibase/string-templates" import { context, cache, auth } from "@budibase/backend-core" @@ -26,7 +26,7 @@ class QueryRunner { fields: any parameters: any pagination: any - transformer: any + transformer: string cachedVariables: any[] ctx: any queryResponse: any @@ -127,11 +127,11 @@ class QueryRunner { // transform as required if (transformer) { - const runner = new ScriptRunner(transformer, { + const runner = new VM2({ data: rows, params: enrichedParameters, }) - rows = runner.execute() + rows = runner.execute(transformer) } // if the request fails we retry once, invalidating the cached value diff --git a/packages/server/src/utilities/scriptRunner.ts b/packages/server/src/utilities/scriptRunner.ts deleted file mode 100644 index fee0215d2e..0000000000 --- a/packages/server/src/utilities/scriptRunner.ts +++ /dev/null @@ -1,29 +0,0 @@ -import fetch from "node-fetch" -import { VM, VMScript } from "vm2" - -const JS_TIMEOUT_MS = 1000 - -class ScriptRunner { - vm: VM - results: { out: string } - script: VMScript - - constructor(script: string, context: any) { - const code = `let fn = () => {\n${script}\n}; results.out = fn();` - this.vm = new VM({ - timeout: JS_TIMEOUT_MS, - }) - this.results = { out: "" } - this.vm.setGlobals(context) - this.vm.setGlobal("fetch", fetch) - this.vm.setGlobal("results", this.results) - this.script = new VMScript(code) - } - - execute() { - this.vm.run(this.script) - return this.results.out - } -} - -export default ScriptRunner From d81ecbd7cf5e7f0b7d4628b6c15c7c40231d7d58 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Mon, 19 Feb 2024 16:40:32 +0100 Subject: [PATCH 8/9] Add environment --- packages/server/src/environment.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/packages/server/src/environment.ts b/packages/server/src/environment.ts index 20142776b8..bc4b9eb35b 100644 --- a/packages/server/src/environment.ts +++ b/packages/server/src/environment.ts @@ -126,6 +126,10 @@ const environment = { getDefaults: () => { return DEFAULTS }, + useIsolatedVM: { + QUERY_TRANSFORMERS: !!process.env.QUERY_TRANSFORMERS_ISOLATEDVM, + JS_RUNNER: !!process.env.JS_RUNNER_ISOLATEDVM, + }, } // clean up any environment variable edge cases From 09dbc694fab39a24b15db2c3e3cb3f30b6fb6c49 Mon Sep 17 00:00:00 2001 From: Adria Navarro Date: Mon, 19 Feb 2024 17:01:27 +0100 Subject: [PATCH 9/9] Fix imports --- packages/server/src/threads/query.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/server/src/threads/query.ts b/packages/server/src/threads/query.ts index 11714c9c52..a8aa428b0a 100644 --- a/packages/server/src/threads/query.ts +++ b/packages/server/src/threads/query.ts @@ -18,7 +18,7 @@ import { Datasource, Query, SourceName, VM } from "@budibase/types" import { isSQL } from "../integrations/utils" import { interpolateSQL } from "../integrations/queries/sql" -import environment from "src/environment" +import environment from "../environment" class QueryRunner { datasource: Datasource