MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'remove-vm2-refs' of ssh://github.com/Budibase/budibase into remove-vm2-refs

This commit is contained in:
Adria Navarro 2024-02-19 20:01:05 +01:00
parent 282a3ee3b9 9b3df5fd9a
commit 93fd5a2da5
12 changed files with 180 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
packages/server/package.json
View File

@ -13,8 +13,8 @@
"build": "node ./scripts/build.js", "build": "node ./scripts/build.js",
"postbuild": "copyfiles -f ../client/dist/budibase-client.js ../client/manifest.json client && copyfiles -f ../../yarn.lock ./dist/", "postbuild": "copyfiles -f ../client/dist/budibase-client.js ../client/manifest.json client && copyfiles -f ../../yarn.lock ./dist/",
"check:types": "tsc -p tsconfig.json --noEmit --paths null", "check:types": "tsc -p tsconfig.json --noEmit --paths null",
"build:isolated-vm-lib:string-templates": "esbuild --minify --bundle src/jsRunner/bundles/index-helpers.ts --outfile=src/jsRunner/bundles/index-helpers.ivm.bundle.js --platform=node --format=esm --external:handlebars", "build:isolated-vm-lib:string-templates": "esbuild --minify --bundle src/jsRunner/bundles/index-helpers.ts --outfile=src/jsRunner/bundles/index-helpers.ivm.bundle.js --platform=node --format=iife --external:handlebars --global-name=helpers",
"build:isolated-vm-lib:bson": "esbuild --minify --bundle src/jsRunner/bundles/bsonPackage.ts --outfile=src/jsRunner/bundles/bson.ivm.bundle.js --platform=node --format=esm", "build:isolated-vm-lib:bson": "esbuild --minify --bundle src/jsRunner/bundles/bsonPackage.ts --outfile=src/jsRunner/bundles/bson.ivm.bundle.js --platform=node --format=iife --global-name=bson",
"build:isolated-vm-libs": "yarn build:isolated-vm-lib:string-templates && yarn build:isolated-vm-lib:bson", "build:isolated-vm-libs": "yarn build:isolated-vm-lib:string-templates && yarn build:isolated-vm-lib:bson",
"build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput", "build:dev": "yarn prebuild && tsc --build --watch --preserveWatchOutput",
"debug": "yarn build && node --expose-gc --inspect=9222 dist/index.js", "debug": "yarn build && node --expose-gc --inspect=9222 dist/index.js",

27
packages/server/src/environment.ts
View File

@ -113,6 +113,7 @@ const environment = {
process.env[key] = value process.env[key] = value
// @ts-ignore // @ts-ignore
environment[key] = value environment[key] = value
cleanVariables()
}, },
isTest: coreEnv.isTest, isTest: coreEnv.isTest,
isJest: coreEnv.isJest, isJest: coreEnv.isJest,
@ -128,18 +129,22 @@ const environment = {
}, },
} }
// clean up any environment variable edge cases function cleanVariables() {
for (let [key, value] of Object.entries(environment)) { // clean up any environment variable edge cases
// handle the edge case of "0" to disable an environment variable for (let [key, value] of Object.entries(environment)) {
if (value === "0") { // handle the edge case of "0" to disable an environment variable
// @ts-ignore if (value === "0") {
environment[key] = 0 // @ts-ignore
} environment[key] = 0
// handle the edge case of "false" to disable an environment variable }
if (value === "false") { // handle the edge case of "false" to disable an environment variable
// @ts-ignore if (value === "false") {
environment[key] = 0 // @ts-ignore
environment[key] = 0
}
} }
} }
cleanVariables()
export default environment export default environment

14
packages/server/src/jsRunner/bundles/bson.ivm.bundle.js
View File

File diff suppressed because one or more lines are too long

6
packages/server/src/jsRunner/bundles/bsonPackage.ts
View File

@ -1,4 +1,2 @@
import { EJSON } from "bson" export const deserialize = require("bson").deserialize
export const toJson = require("bson").EJSON.deserialize
export { deserialize } from "bson"
export const toJson = EJSON.deserialize

2
packages/server/src/jsRunner/bundles/index-helpers.ivm.bundle.js
View File

File diff suppressed because one or more lines are too long

3
packages/server/src/jsRunner/bundles/index-helpers.ts
View File

@ -2,9 +2,8 @@ const {
getJsHelperList, getJsHelperList,
} = require("../../../../string-templates/src/helpers/list.js") } = require("../../../../string-templates/src/helpers/list.js")
const helpers = getJsHelperList()
export default { export default {
...helpers, ...getJsHelperList(),
// pointing stripProtocol to a unexisting function to be able to declare it on isolated-vm // pointing stripProtocol to a unexisting function to be able to declare it on isolated-vm
// @ts-ignore // @ts-ignore
// eslint-disable-next-line no-undef // eslint-disable-next-line no-undef

23
packages/server/src/jsRunner/bundles/index.ts
View File

@ -7,22 +7,19 @@ export const enum BundleType {
BSON = "bson", BSON = "bson",
} }
const bundleSourceCode = { const bundleSourceFile: Record<BundleType, string> = {
[BundleType.HELPERS]: "../bundles/index-helpers.ivm.bundle.js", [BundleType.HELPERS]: "./index-helpers.ivm.bundle.js",
[BundleType.BSON]: "../bundles/bson.ivm.bundle.js", [BundleType.BSON]: "./bson.ivm.bundle.js",
} }
const bundleSourceCode: Partial<Record<BundleType, string>> = {}
export function loadBundle(type: BundleType) { export function loadBundle(type: BundleType) {
if (environment.isJest()) { let sourceCode = bundleSourceCode[type]
return fs.readFileSync(require.resolve(bundleSourceCode[type]), "utf-8") if (sourceCode) {
return sourceCode
} }
switch (type) { sourceCode = fs.readFileSync(require.resolve(bundleSourceFile[type]), "utf-8")
case BundleType.HELPERS: bundleSourceCode[type] = sourceCode
return require("../bundles/index-helpers.ivm.bundle.js") return sourceCode
case BundleType.BSON:
return require("../bundles/bson.ivm.bundle.js")
default:
utils.unreachable(type)
}
} }

52
packages/server/src/jsRunner/index.ts
View File

@ -1,16 +1,50 @@
import vm from "vm"
import env from "../environment"
import { setJSRunner, setOnErrorLog } from "@budibase/string-templates"
import { logging } from "@budibase/backend-core"
import tracer from "dd-trace"
import { serializeError } from "serialize-error" import { serializeError } from "serialize-error"
import { BuiltInVM } from "./vm" import env from "../environment"
import {
JsErrorTimeout,
setJSRunner,
setOnErrorLog,
} from "@budibase/string-templates"
import { context, logging } from "@budibase/backend-core"
import tracer from "dd-trace"
import { BuiltInVM, IsolatedVM } from "./vm"
const USE_ISOLATED_VM = true
export function init() { export function init() {
setJSRunner((js: string, ctx: vm.Context) => { setJSRunner((js: string, ctx: Record<string, any>) => {
return tracer.trace("runJS", {}, span => { return tracer.trace("runJS", {}, span => {
const vm = new BuiltInVM(ctx, span) if (!USE_ISOLATED_VM) {
return vm.execute(js) const vm = new BuiltInVM(ctx, span)
return vm.execute(js)
}
try {
const bbCtx = context.getCurrentContext()!
let { vm } = bbCtx
if (!vm) {
// Can't copy the native helpers into the isolate. We just ignore them as they are handled properly from the helpersSource
const { helpers, ...ctxToPass } = ctx
vm = new IsolatedVM({
memoryLimit: env.JS_RUNNER_MEMORY_LIMIT,
invocationTimeout: env.JS_PER_INVOCATION_TIMEOUT_MS,
isolateAccumulatedTimeout: env.JS_PER_REQUEST_TIMEOUT_MS,
})
.withContext(ctxToPass)
.withHelpers()
bbCtx.vm = vm
}
return vm.execute(js)
} catch (error: any) {
if (error.message === "Script execution timed out.") {
throw new JsErrorTimeout()
}
throw error
}
}) })
}) })

72
packages/server/src/jsRunner/tests/jsRunner.spec.ts
View File

@ -1,22 +1,4 @@
// import { validate as isValidUUID } from "uuid" import { validate as isValidUUID } from "uuid"
jest.mock("@budibase/handlebars-helpers/lib/math", () => {
const actual = jest.requireActual("@budibase/handlebars-helpers/lib/math")
return {
...actual,
random: () => 10,
}
})
jest.mock("@budibase/handlebars-helpers/lib/uuid", () => {
const actual = jest.requireActual("@budibase/handlebars-helpers/lib/uuid")
return {
...actual,
uuid: () => "f34ebc66-93bd-4f7c-b79b-92b5569138bc",
}
})
import { processStringSync, encodeJSBinding } from "@budibase/string-templates" import { processStringSync, encodeJSBinding } from "@budibase/string-templates"
const { runJsHelpersTests } = require("@budibase/string-templates/test/utils") const { runJsHelpersTests } = require("@budibase/string-templates/test/utils")
@ -27,7 +9,7 @@ import TestConfiguration from "../../tests/utilities/TestConfiguration"
tk.freeze("2021-01-21T12:00:00") tk.freeze("2021-01-21T12:00:00")
describe("jsRunner", () => { describe("jsRunner (using isolated-vm)", () => {
const config = new TestConfiguration() const config = new TestConfiguration()
beforeAll(async () => { beforeAll(async () => {
@ -36,6 +18,10 @@ describe("jsRunner", () => {
await config.init() await config.init()
}) })
afterAll(() => {
config.end()
})
const processJS = (js: string, context?: object) => { const processJS = (js: string, context?: object) => {
return config.doInContext(config.getAppId(), async () => return config.doInContext(config.getAppId(), async () =>
processStringSync(encodeJSBinding(js), context || {}) processStringSync(encodeJSBinding(js), context || {})
@ -47,10 +33,14 @@ describe("jsRunner", () => {
expect(output).toBe(3) expect(output).toBe(3)
}) })
// TODO This should be reenabled when running on isolated-vm it("it can execute sloppy javascript", async () => {
it.skip("should prevent sandbox escape", async () => { const output = await processJS(`a=2;b=3;return a + b`)
expect(output).toBe(5)
})
it("should prevent sandbox escape", async () => {
const output = await processJS( const output = await processJS(
`return this.constructor.constructor("return process")()` `return this.constructor.constructor("return process.env")()`
) )
expect(output).toBe("Error while executing JS") expect(output).toBe("Error while executing JS")
}) })
@ -58,26 +48,26 @@ describe("jsRunner", () => {
describe("helpers", () => { describe("helpers", () => {
runJsHelpersTests({ runJsHelpersTests({
funcWrap: (func: any) => config.doInContext(config.getAppId(), func), funcWrap: (func: any) => config.doInContext(config.getAppId(), func),
// testsToSkip: ["random", "uuid"], testsToSkip: ["random", "uuid"],
}) })
// describe("uuid", () => { describe("uuid", () => {
// it("uuid helper returns a valid uuid", async () => { it("uuid helper returns a valid uuid", async () => {
// const result = await processJS("return helpers.uuid()") const result = await processJS("return helpers.uuid()")
// expect(result).toBeDefined() expect(result).toBeDefined()
// expect(isValidUUID(result)).toBe(true) expect(isValidUUID(result)).toBe(true)
// }) })
// }) })
// describe("random", () => { describe("random", () => {
// it("random helper returns a valid number", async () => { it("random helper returns a valid number", async () => {
// const min = 1 const min = 1
// const max = 8 const max = 8
// const result = await processJS(`return helpers.random(${min}, ${max})`) const result = await processJS(`return helpers.random(${min}, ${max})`)
// expect(result).toBeDefined() expect(result).toBeDefined()
// expect(result).toBeGreaterThanOrEqual(min) expect(result).toBeGreaterThanOrEqual(min)
// expect(result).toBeLessThanOrEqual(max) expect(result).toBeLessThanOrEqual(max)
// }) })
// }) })
}) })
}) })

120
packages/server/src/jsRunner/vm/isolated-vm.ts
View File

@ -7,6 +7,7 @@ import querystring from "querystring"
import { BundleType, loadBundle } from "../bundles" import { BundleType, loadBundle } from "../bundles"
import { VM } from "@budibase/types" import { VM } from "@budibase/types"
import environment from "../../environment"
class ExecutionTimeoutError extends Error { class ExecutionTimeoutError extends Error {
constructor(message: string) { constructor(message: string) {
@ -15,35 +16,6 @@ class ExecutionTimeoutError extends Error {
} }
} }
class ModuleHandler {
private modules: {
import: string
moduleKey: string
module: ivm.Module
}[] = []
private generateRandomKey = () => `i${crypto.randomUUID().replace(/-/g, "")}`
registerModule(module: ivm.Module, imports: string) {
this.modules.push({
moduleKey: this.generateRandomKey(),
import: imports,
module: module,
})
}
generateImports() {
return this.modules
.map(m => `import ${m.import} from "${m.moduleKey}"`)
.join(";")
}
getModule(key: string) {
const module = this.modules.find(m => m.moduleKey === key)
return module?.module
}
}
export class IsolatedVM implements VM { export class IsolatedVM implements VM {
private isolate: ivm.Isolate private isolate: ivm.Isolate
private vm: ivm.Context private vm: ivm.Context
@ -54,26 +26,29 @@ export class IsolatedVM implements VM {
// By default the wrapper returns itself // By default the wrapper returns itself
private codeWrapper: (code: string) => string = code => code private codeWrapper: (code: string) => string = code => code
private moduleHandler = new ModuleHandler()
private readonly resultKey = "results" private readonly resultKey = "results"
private runResultKey: string
constructor({ constructor({
memoryLimit, memoryLimit,
invocationTimeout, invocationTimeout,
isolateAccumulatedTimeout, isolateAccumulatedTimeout,
}: { }: {
memoryLimit: number memoryLimit?: number
invocationTimeout: number invocationTimeout?: number
isolateAccumulatedTimeout?: number isolateAccumulatedTimeout?: number
}) { } = {}) {
memoryLimit = memoryLimit || environment.JS_RUNNER_MEMORY_LIMIT
invocationTimeout = memoryLimit || 1000
this.isolate = new ivm.Isolate({ memoryLimit }) this.isolate = new ivm.Isolate({ memoryLimit })
this.vm = this.isolate.createContextSync() this.vm = this.isolate.createContextSync()
this.jail = this.vm.global this.jail = this.vm.global
this.jail.setSync("global", this.jail.derefInto()) this.jail.setSync("global", this.jail.derefInto())
this.runResultKey = crypto.randomUUID()
this.addToContext({ this.addToContext({
[this.resultKey]: { out: "" }, [this.resultKey]: { [this.runResultKey]: "" },
}) })
this.invocationTimeout = invocationTimeout this.invocationTimeout = invocationTimeout
@ -90,6 +65,10 @@ export class IsolatedVM implements VM {
escape: querystring.escape, escape: querystring.escape,
}) })
const cryptoModule = this.registerCallbacks({
randomUUID: crypto.randomUUID,
})
this.addToContext({ this.addToContext({
helpersStripProtocol: new ivm.Callback((str: string) => { helpersStripProtocol: new ivm.Callback((str: string) => {
var parsed = url.parse(str) as any var parsed = url.parse(str) as any
@ -98,34 +77,23 @@ export class IsolatedVM implements VM {
}), }),
}) })
const injectedRequire = `const require=function req(val) { const injectedRequire = `require=function req(val) {
switch (val) { switch (val) {
case "url": return ${urlModule}; case "url": return ${urlModule};
case "querystring": return ${querystringModule}; case "querystring": return ${querystringModule};
case "crypto": return ${cryptoModule};
} }
}` }`
const helpersSource = loadBundle(BundleType.HELPERS) const helpersSource = loadBundle(BundleType.HELPERS)
const helpersModule = this.isolate.compileModuleSync( const script = this.isolate.compileScriptSync(
`${injectedRequire};${helpersSource}` `${injectedRequire};${helpersSource};helpers=helpers.default`
) )
helpersModule.instantiateSync(this.vm, specifier => { script.runSync(this.vm, { timeout: this.invocationTimeout, release: false })
if (specifier === "crypto") { new Promise(() => {
const cryptoModule = this.registerCallbacks({ script.release()
randomUUID: crypto.randomUUID,
})
const module = this.isolate.compileModuleSync(
`export default ${cryptoModule}`
)
module.instantiateSync(this.vm, specifier => {
throw new Error(`No imports allowed. Required: ${specifier}`)
})
return module
}
throw new Error(`No imports allowed. Required: ${specifier}`)
}) })
this.moduleHandler.registerModule(helpersModule, "helpers")
return this return this
} }
@ -147,9 +115,9 @@ export class IsolatedVM implements VM {
// 4. Stringify the result in order to convert the result from BSON to json // 4. Stringify the result in order to convert the result from BSON to json
this.codeWrapper = code => this.codeWrapper = code =>
`(function(){ `(function(){
const data = deserialize(bsonData, { validation: { utf8: false } }).data; const data = bson.deserialize(bsonData, { validation: { utf8: false } }).data;
const result = ${code} const result = ${code}
return toJson(result); return bson.toJson(result);
})();` })();`
const bsonSource = loadBundle(BundleType.BSON) const bsonSource = loadBundle(BundleType.BSON)
@ -169,7 +137,7 @@ export class IsolatedVM implements VM {
}) })
// "Polyfilling" text decoder. `bson.deserialize` requires decoding. We are creating a bridge function so we don't need to inject the full library // "Polyfilling" text decoder. `bson.deserialize` requires decoding. We are creating a bridge function so we don't need to inject the full library
const textDecoderPolyfill = class TextDecoder { const textDecoderPolyfill = class TextDecoderMock {
constructorArgs constructorArgs
constructor(...constructorArgs: any) { constructor(...constructorArgs: any) {
@ -183,16 +151,18 @@ export class IsolatedVM implements VM {
functionArgs: input, functionArgs: input,
}) })
} }
}.toString() }
const bsonModule = this.isolate.compileModuleSync( .toString()
.replace(/TextDecoderMock/, "TextDecoder")
const script = this.isolate.compileScriptSync(
`${textDecoderPolyfill};${bsonSource}` `${textDecoderPolyfill};${bsonSource}`
) )
bsonModule.instantiateSync(this.vm, specifier => { script.runSync(this.vm, { timeout: this.invocationTimeout, release: false })
throw new Error(`No imports allowed. Required: ${specifier}`) new Promise(() => {
script.release()
}) })
this.moduleHandler.registerModule(bsonModule, "{deserialize, toJson}")
return this return this
} }
@ -206,25 +176,18 @@ export class IsolatedVM implements VM {
} }
} }
code = `${this.moduleHandler.generateImports()};results.out=${this.codeWrapper( code = `results['${this.runResultKey}']=${this.codeWrapper(code)}`
code
)};`
const script = this.isolate.compileModuleSync(code) const script = this.isolate.compileScriptSync(code)
script.instantiateSync(this.vm, specifier => { script.runSync(this.vm, { timeout: this.invocationTimeout, release: false })
const module = this.moduleHandler.getModule(specifier) new Promise(() => {
if (module) { script.release()
return module
}
throw new Error(`"${specifier}" import not allowed`)
}) })
script.evaluateSync({ timeout: this.invocationTimeout }) // We can't rely on the script run result as it will not work for non-transferable values
const result = this.getFromContext(this.resultKey) const result = this.getFromContext(this.resultKey)
return result.out return result[this.runResultKey]
} }
private registerCallbacks(functions: Record<string, any>) { private registerCallbacks(functions: Record<string, any>) {
@ -264,7 +227,10 @@ export class IsolatedVM implements VM {
private getFromContext(key: string) { private getFromContext(key: string) {
const ref = this.vm.global.getSync(key, { reference: true }) const ref = this.vm.global.getSync(key, { reference: true })
const result = ref.copySync() const result = ref.copySync()
ref.release()
new Promise(() => {
ref.release()
})
return result return result
} }
} }

29
packages/server/src/threads/query.ts
View File

@ -7,18 +7,20 @@ import {
QueryVariable, QueryVariable,
QueryResponse, QueryResponse,
} from "./definitions" } from "./definitions"
import { VM2 } from "../jsRunner/vm" import { IsolatedVM, VM2 } from "../jsRunner/vm"
import { getIntegration } from "../integrations" import { getIntegration } from "../integrations"
import { processStringSync } from "@budibase/string-templates" import { processStringSync } from "@budibase/string-templates"
import { context, cache, auth } from "@budibase/backend-core" import { context, cache, auth } from "@budibase/backend-core"
import { getGlobalIDFromUserMetadataID } from "../db/utils" import { getGlobalIDFromUserMetadataID } from "../db/utils"
import sdk from "../sdk" import sdk from "../sdk"
import { cloneDeep } from "lodash/fp" import { cloneDeep } from "lodash/fp"
import { Datasource, Query, SourceName } from "@budibase/types" import { Datasource, Query, SourceName, VM } from "@budibase/types"
import { isSQL } from "../integrations/utils" import { isSQL } from "../integrations/utils"
import { interpolateSQL } from "../integrations/queries/sql" import { interpolateSQL } from "../integrations/queries/sql"
const USE_ISOLATED_VM = true
class QueryRunner { class QueryRunner {
datasource: Datasource datasource: Datasource
queryVerb: string queryVerb: string
@ -127,10 +129,25 @@ class QueryRunner {
// transform as required // transform as required
if (transformer) { if (transformer) {
const runner = new VM2({ let runner: VM
data: rows, if (!USE_ISOLATED_VM) {
params: enrichedParameters, runner = new VM2({
}) data: rows,
params: enrichedParameters,
})
} else {
transformer = `(function(){\n${transformer}\n})();`
let isolatedVm = new IsolatedVM().withContext({
data: rows,
params: enrichedParameters,
})
if (datasource.source === SourceName.MONGODB) {
isolatedVm = isolatedVm.withParsingBson(rows)
}
runner = isolatedVm
}
rows = runner.execute(transformer) rows = runner.execute(transformer)
} }

3
scripts/build.js
View File

@ -49,7 +49,6 @@ function runBuild(entry, outfile) {
preserveSymlinks: true, preserveSymlinks: true,
loader: { loader: {
".svelte": "copy", ".svelte": "copy",
".ivm.bundle.js": "text",
}, },
metafile: true, metafile: true,
external: [ external: [
@ -70,7 +69,7 @@ function runBuild(entry, outfile) {
platform: "node", platform: "node",
outfile, outfile,
}).then(result => { }).then(result => {
glob(`${process.cwd()}/src/**/*.hbs`, {}, (err, files) => { glob(`${process.cwd()}/src/**/*.{hbs,ivm.bundle.js}`, {}, (err, files) => {
for (const file of files) { for (const file of files) {
fs.copyFileSync(file, `${process.cwd()}/dist/${path.basename(file)}`) fs.copyFileSync(file, `${process.cwd()}/dist/${path.basename(file)}`)
} }