Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: migrate Node.js implementation for js-sandbox to isolated-vm #3973

Merged
merged 19 commits into from Apr 19, 2024
Merged

chore: migrate Node.js implementation for js-sandbox to isolated-vm #3973

merged 19 commits into from Apr 19, 2024

Conversation

jamesgeorge007
Copy link
Member

@jamesgeorge007 jamesgeorge007 commented Apr 12, 2024
edited

Description

This PR aims at migrating the sandbox implementation for Node.js from node:vm to isolated-vm.

Ref: GHSA-qmmm-73r2-f8xr

Closes HFE-475.

Changes

  • Add isolated-vm as a peer dependency (there were issues with not being able to require isolated-vm when it was made a direct dependency) to js-sandbox and mark it optional since it's specific to the Node.js implementation. Also, it is added as a direct dependency on the CLI.
  • Migrate the testing framework from Jest (support for ESM is experimental) to Vitest for js-sandbox.
  • Directory hierarchy updates for js-sandbox.
    • Arrange the source directories based on the platform (node, web) instead of the type of scripts (pre-request & test-runner) easily accommodating platform-specific utility functions. ~/src/utils.ts at the root compiling utility functions reused across platform implementations is renamed to ~/src/shared-utils to differentiate between platform-specific utils ~/src/node/utils.ts.
    • Remove the nested testing directory from the test suite and enforce a naming convention for the directories based on the scripting API namespace objects (env, expect, etc).
  • The value supplied to pw.expect(expectVal) is stringified with an additional property isStringifiedWithinIsolate if it's a non-primitive while transferring to the isolate context as required by isolated-vm. The value is parsed at the pw.expect method definition after checking for the above additional property to differentiate between stringification done while transferring to the isolate context and an original value. The newly introduced property is removed before consumption.
  • Spawn a new process if the Node.js version is 20 and above from the CLI supplying the --no-node-snapshot flag to node as required by isolated-vm, Ref and later proceed with the argument parsing phase.
  • Account for requests nested under folders within collections while validating against the versioned entity schema and translating to the latest version. Follow up of feat: add extended support for versioned entities in the CLI #3912.
  • Fix flaky tests in the CLI (update tests to refer to the echo.hoppscotch.io endpoint and prevent test failures if the auth endpoint resulted in a non 200 status code).
  • GH Action config updates
    • Bump dependent actions.
    • Fix a typo while referring to the Node.js version and ensure run tests on LTS.
    • Move the Setup node step above Setup pnpm.

Checks

  • My pull request adheres to the code style of this project
  • All the tests have passed

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 12, 2024
View reviewed changes
packages/hoppscotch-cli/src/__tests__/utils.ts
const command = `node ${CLI_PATH} ${args}`;

return new Promise((resolve) =>
exec(command, options, (error, stdout, stderr) =>

Check warning

Code scanning / CodeQL

Shell command built from environment values

This shell command depends on an uncontrolled [absolute path](1). This shell command depends on an uncontrolled [absolute path](2).
@jamesgeorge007 jamesgeorge007 force-pushed the sandbox-vulnerability-remediation branch from 4595ad6 to 7dd5848 Compare April 15, 2024 05:08
@jamesgeorge007 jamesgeorge007 changed the title chore: migrate js-sandbox to isolated-vm chore: migrate Node.js implementation for js-sandbox to isolated-vm Apr 15, 2024
@jamesgeorge007 jamesgeorge007 force-pushed the sandbox-vulnerability-remediation branch 7 times, most recently from c74603c to fe9232c Compare April 15, 2024 09:04
@jamesgeorge007 jamesgeorge007 force-pushed the sandbox-vulnerability-remediation branch from a1a860f to 5ef7751 Compare April 15, 2024 12:59
@jamesgeorge007 jamesgeorge007 marked this pull request as ready for review April 16, 2024 10:15
@jamesgeorge007 jamesgeorge007 changed the base branch from main to release/2024.3.1 April 16, 2024 17:38
@jamesgeorge007 jamesgeorge007 force-pushed the sandbox-vulnerability-remediation branch from 5ef7751 to 20e5954 Compare April 16, 2024 17:39
@jamesgeorge007 jamesgeorge007 force-pushed the sandbox-vulnerability-remediation branch 2 times, most recently from b20e0bb to 3523656 Compare April 17, 2024 13:41
@jamesgeorge007
chore: make isolated-vm a peer-dependency
7eca5ba
@jamesgeorge007
test: specify node as the command while invoking the CLI binary
0659182 
Since Windows doesn't respect the shebang line, we'd need to specify node as the command with the CLI binary while running tests
@jamesgeorge007
refactor: update js-sandbox directory hierarchy
3268220
@jamesgeorge007
test: update directory hierarchy
5ba17f0 
- Remove the `testing` directory and move the tests within it to root.
- Rename the `envs` directory to `env` to follow a consistent convention indicating the nested scripting API objects.
@jamesgeorge007
chore: cleanup
01515fd 
- Organize imports.
- Update CI config.
  - Bump dependent actions.
  - Fix a typo while referring to the Node.js version and run tests on LTS.
  - Move `Setup node` step above `Setup pnpm`.
- Bump CLI version.
@jamesgeorge007
test: fix flaky tests
3bd099c
@jamesgeorge007
chore: account for nested folders while validating requests
2f3ca3f
@jamesgeorge007
chore: compile shared utils for sandbox
62d4545 
Rename `~/src/utils.ts` to `~/src/shared-utils` to differentiate from platform-specific utility functions (`~/src/node/utils.ts`).
@jamesgeorge007
test: fix flaky tests
da356c7 
Add safeguards to prevent test failure if the endpoint results in a non `200` status code.
@jamesgeorge007
chore: ensure consistent file naming convention
8321fc8
@jamesgeorge007 jamesgeorge007 force-pushed the sandbox-vulnerability-remediation branch from c84c4d6 to 8321fc8 Compare April 19, 2024 09:24
AndrewBastin
AndrewBastin approved these changes Apr 19, 2024
View reviewed changes
Copy link
Member

@AndrewBastin AndrewBastin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm 💯

@AndrewBastin AndrewBastin merged commit 22c6eab into release/2024.3.1 Apr 19, 2024
1 check passed
@AndrewBastin AndrewBastin deleted the sandbox-vulnerability-remediation branch April 19, 2024 15:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AndrewBastin AndrewBastin AndrewBastin approved these changes

@liyasthomas liyasthomas Awaiting requested review from liyasthomas liyasthomas is a code owner

@amk-dev amk-dev Awaiting requested review from amk-dev

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jamesgeorge007 @AndrewBastin