Development

esbuild.mjs

@@ -312,7 +312,11 @@ const browserBuild = (entryPoints) =>
 		),
 	);
 
-await browserBuild(['./src/exports/browser.ts', './src/exports/worker.ts']);
+await browserBuild([
+	'./src/exports/bare.ts',
+	'./src/exports/browser.ts',
+	'./src/exports/worker.ts',
+]);
 
 options.define['__buildtimeSettings__.isolationStategyIframeSole'] = 'false';
 options.define['__buildtimeSettings__.isolationStategyIframeWorker'] = 'true';

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@exact-realty/lot",
-	"version": "0.0.17",
+	"version": "0.0.18",
 	"description": "Sandbox for isolating ECMAScript code",
 	"main": "dist/index.js",
 	"module": "./dist/index.mjs",
@@ -40,6 +40,20 @@
 				"default": "./dist/index.js"
 			}
 		},
+		"./bare": {
+			"amd": {
+				"types": "./dist/exports/bare.d.ts",
+				"default": "./dist/exports/bare.js"
+			},
+			"import": {
+				"types": "./dist/exports/bare.d.ts",
+				"default": "./dist/exports/bare.mjs"
+			},
+			"require": {
+				"types": "./dist/exports/bare.d.ts",
+				"default": "./dist/exports/bare.cjs"
+			}
+		},
 		"./browser": {
 			"amd": {
 				"types": "./dist/exports/browser.d.ts",
@@ -113,7 +127,7 @@
 	"scripts": {
 		"lint": "eslint . --ext .js,.jsx,.ts,.tsx,.json",
 		"lint:fix": "eslint . --ext .js,.jsx,.ts,.tsx,.json --fix",
-		"ts:declaration": "tsc --build --emitDeclarationOnly --declarationMap --declaration",
+		"ts:declaration": "tspc --build --emitDeclarationOnly --declarationMap --declaration",
 		"build": "npm run ts:declaration && node esbuild.mjs",
 		"test:unit": "nyc mocha src/**/*.spec.ts",
 		"test:e2e": "mocha test/**/*.spec.ts",
@@ -133,21 +147,23 @@
 	"devDependencies": {
 		"@exact-realty/esbuild-plugin-inline-js": "^1.1.4",
 		"@types/mocha": "^10.0.1",
-		"@types/selenium-webdriver": "^4.1.15",
-		"@typescript-eslint/eslint-plugin": "^6.4.0",
-		"@typescript-eslint/parser": "^6.4.0",
+		"@types/selenium-webdriver": "^4.1.17",
+		"@typescript-eslint/eslint-plugin": "^6.7.2",
+		"@typescript-eslint/parser": "^6.7.2",
 		"deno-types": "^1.25.0",
-		"esbuild": "^0.19.2",
-		"eslint": "^8.47.0",
+		"esbuild": "^0.19.3",
+		"eslint": "^8.50.0",
 		"eslint-config-prettier": "^9.0.0",
 		"eslint-plugin-prettier": "^5.0.0",
 		"google-closure-compiler": "^20230802.0.0",
 		"mocha": "^10.2.0",
 		"nyc": "^15.1.0",
-		"prettier": "^3.0.2",
+		"prettier": "^3.0.3",
 		"selenium-webdriver": "^4.10.0 <4.11.0 || >4.11.1",
 		"ts-node": "^10.9.1",
-		"typescript": "^5.1.6"
+		"ts-patch": "^3.0.2",
+		"typescript": "^5.2.2",
+		"typescript-transform-paths": "^3.4.6"
 	},
 	"engines": {
 		"npm": ">=8.0.0",

src/exports/bare.ts

@@ -0,0 +1,19 @@
+/* Copyright © 2023 Exact Realty Limited.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+export { default } from '~trusted/impl/bare/bareSandbox.js';
+// TODO: Fix issue with these exports in Google Closure Compiler
+// export { default as freezePrototypes } from '~untrusted/lib/freezePrototypes.js';
+// export { default as hardenGlobals } from '~untrusted/lib/hardenGlobals.js';

src/index.ts

@@ -13,6 +13,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-export { default as browserSandbox } from './trusted/impl/browser/browserSandbox.js';
-export { default as nodejsSandbox } from './trusted/impl/nodejs/nodejsSandbox.js';
-export { default as workerSandbox } from './trusted/impl/worker/workerSandbox.js';
+export { default as bareSandbox } from '~trusted/impl/bare/bareSandbox.js';
+export { default as browserSandbox } from '~trusted/impl/browser/browserSandbox.js';
+export { default as nodejsSandbox } from '~trusted/impl/nodejs/nodejsSandbox.js';
+export { default as workerSandbox } from '~trusted/impl/worker/workerSandbox.js';
+export { default as freezePrototypes } from '~untrusted/lib/freezePrototypes.js';
+export { default as hardenGlobals } from '~untrusted/lib/hardenGlobals.js';

src/trusted/impl/bare/bareSandbox.ts

@@ -0,0 +1,84 @@
+/* Copyright © 2023 Exact Realty Limited.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+import { ISandbox } from '~/types/index.js';
+import bareSandboxManager from '~/untrusted/impl/bare/bareSandboxManager.js';
+import setupSandboxListeners from '~trusted/lib/setupSandboxListeners.js';
+import createErrorEventListenerFactory from '~untrusted/lib/createErrorEventEventListenerFactory.js';
+import createMessageEventListenerFactory from '~untrusted/lib/createMessageEventListenerFactory.js';
+
+// TODO: wrap setTimeout and clearTimeout
+
+const bareSandbox: ISandbox = async (
+	script,
+	allowedGlobals,
+	externalMethods,
+	abort,
+) => {
+	if (!__buildtimeSettings__.bidirectionalMessaging && externalMethods) {
+		throw new TypeError(
+			'Invalid value for externalMethods. Bidirectional messaging is disabled',
+		);
+	}
+
+	const addEventListener = EventTarget.prototype.addEventListener;
+	const removeEventListener = EventTarget.prototype.removeEventListener;
+
+	const channel = new MessageChannel();
+
+	const postMessageIncoming = channel.port2.postMessage.bind(channel.port2);
+
+	const createMessageEventListener = createMessageEventListenerFactory(
+		addEventListener,
+		removeEventListener,
+		true,
+	);
+
+	const createErrorEventListener = createErrorEventListenerFactory(
+		addEventListener,
+		removeEventListener,
+		channel.port2,
+		postMessageIncoming,
+	);
+
+	const teardown = () => {
+		channel.port1.close();
+		channel.port2.close();
+	};
+
+	return setupSandboxListeners(
+		channel.port1,
+		true,
+		() => {
+			channel.port1.start();
+			channel.port2.start();
+
+			return bareSandboxManager(
+				channel.port2,
+				script,
+				!!abort,
+				allowedGlobals,
+				externalMethods && Object.keys(externalMethods),
+				createMessageEventListener,
+				createErrorEventListener,
+				teardown,
+			);
+		},
+		externalMethods,
+		abort,
+	);
+};
+
+export default bareSandbox;

src/trusted/impl/worker/workerSandbox.ts

@@ -72,7 +72,6 @@ const workerSandbox: ISandbox = async (
 				externalMethods && Object.keys(externalMethods),
 				createMessageEventListener,
 				createErrorEventListener,
-				postMessageIncoming,
 				options,
 				teardown,
 			);

src/untrusted/impl/bare/bareSandboxManager.ts

@@ -0,0 +1,101 @@
+/* Copyright © 2023 Exact Realty Limited.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+const functionConstructor = (() => {
+	return new Proxy(Function, {});
+})();
+
+import type createErrorEventListenerFactory from '~untrusted/lib/createErrorEventEventListenerFactory.js';
+import type createMessageEventListenerFactory from '~untrusted/lib/createMessageEventListenerFactory.js';
+import createSandboxedHandler from '~untrusted/lib/createSandboxedHandler.js';
+import { extractErrorInformation } from '~untrusted/lib/errorModem.js';
+import * as Logger from '~untrusted/lib/Logger.js';
+
+/**
+ * Manages the sandbox environment for an iframe, either setting it up or
+ * handling any encountered errors.
+ *
+ * @param messagePort - The port for sending/receiving messages.
+ * @param script - The script content to be executed inside the sandbox.
+ * @param revocable - Determines if the sandbox can be torn down.
+ * @param allowedGlobals - List of global properties/methods that should remain
+ * accessible.
+ * @param externalMethodsList - List of external methods available to the
+ * sandboxed environment.
+ * @param createMessageEventListener - A factory function to create a message
+ * event listener.
+ * @param createErrorEventListener - A factory function to create an error
+ * event listener.
+ * @param close - A function to close the sandbox environment and release
+ * resources
+ * @returns A promise that settles when the setup is complete or on error.
+ * @throws Will throw an error if there's an issue with setting up the iframe
+ */
+const bareSandboxManager = async (
+	messagePort: MessagePort,
+	script: string,
+	revocable: boolean,
+	allowedGlobals: string[] | undefined | null,
+	externalMethodsList: string[] | undefined | null,
+	createMessageEventListener: ReturnType<
+		typeof createMessageEventListenerFactory
+	>,
+	createErrorEventListener: ReturnType<
+		typeof createErrorEventListenerFactory
+	>,
+	close: { (): void },
+): Promise<void> => {
+	const postMessageOutgoing = messagePort.postMessage.bind(messagePort);
+
+	try {
+		Logger.info('Setting up bare sandbox');
+
+		const revokeRootMessageEventListener = createMessageEventListener(
+			messagePort,
+			createSandboxedHandler(
+				functionConstructor,
+				script,
+				allowedGlobals,
+				externalMethodsList,
+				postMessageOutgoing,
+				Boolean,
+				revocable
+					? () => {
+							revokeRootMessageEventListener();
+							revokeRootErrorEventListener();
+							close();
+					  }
+					: undefined,
+			),
+		);
+		const revokeRootErrorEventListener = createErrorEventListener();
+
+		Logger.info(
+			'Finished setting up bare sandbox. Sending SANDBOX_READY to parent.',
+		);
+
+		postMessageOutgoing([EMessageTypes.SANDBOX_READY]);
+	} catch (e) {
+		Logger.warn(
+			'Error setting up bare sandbox. Sending GLOBAL_ERROR to parent.',
+		);
+		postMessageOutgoing([
+			EMessageTypes.GLOBAL_ERROR,
+			extractErrorInformation(e),
+		]);
+	}
+};
+
+export default bareSandboxManager;

src/untrusted/impl/browser/iframeSandboxInner.ts

@@ -130,7 +130,6 @@ const iframeSandboxInner = async (
 					externalMethodsList,
 					createMessageEventListener,
 					createErrorEventListener,
-					postMessage,
 					options,
 				).then(postInit);
 			} catch (e) {

src/untrusted/impl/browser/iframeSoleSandboxManager.ts

@@ -13,6 +13,8 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+import singleUseFunctionConstructor from '~/untrusted/lib/singleUseFunctionConstructor.js';
+
 import type createErrorEventListenerFactory from '~untrusted/lib/createErrorEventEventListenerFactory.js';
 import type createMessageEventListenerFactory from '~untrusted/lib/createMessageEventListenerFactory.js';
 import createSandboxedHandler from '~untrusted/lib/createSandboxedHandler.js';
@@ -55,7 +57,7 @@ const iframeSoleSandboxManager = async (
 	>,
 	close: { (): void },
 ): Promise<void> => {
-	const postMessage = messagePort.postMessage.bind(messagePort);
+	const postMessageOutgoing = messagePort.postMessage.bind(messagePort);
 
 	try {
 		Logger.info('Setting up iframe fallback sandbox');
@@ -65,10 +67,11 @@ const iframeSoleSandboxManager = async (
 		const revokeRootMessageEventListener = createMessageEventListener(
 			messagePort,
 			createSandboxedHandler(
+				singleUseFunctionConstructor,
 				script,
 				allowedGlobals,
 				externalMethodsList,
-				postMessage,
+				postMessageOutgoing,
 				tightenCsp,
 				revocable
 					? () => {
@@ -85,12 +88,15 @@ const iframeSoleSandboxManager = async (
 			'Finished setting up iframe fallback sandbox. Sending SANDBOX_READY to parent.',
 		);
 
-		postMessage([EMessageTypes.SANDBOX_READY]);
+		postMessageOutgoing([EMessageTypes.SANDBOX_READY]);
 	} catch (e) {
 		Logger.warn(
 			'Error setting up iframe fallback sandbox. Sending GLOBAL_ERROR to parent.',
 		);
-		postMessage([EMessageTypes.GLOBAL_ERROR, extractErrorInformation(e)]);
+		postMessageOutgoing([
+			EMessageTypes.GLOBAL_ERROR,
+			extractErrorInformation(e),
+		]);
 	}
 };
 

src/untrusted/impl/nodejs/nodejsSandboxVm.inline.ts

@@ -306,7 +306,7 @@ const nodejsSandbox = (
 			'throw "Invalid call";' +
 			// If source includes /*@lint@*/, the constructor is called just for
 			// syntax validation
-			'if(c(lio,src,"/*@lint@*/")!==-1)return;' +
+			'if(c(lio,src,"/*@lint@*/")!==-1)return function(){};' +
 			'var tmp=ut;' +
 			'c=lio=ut=void 0;' +
 			'return tmp;' +

src/untrusted/impl/worker/workerSandboxInner.ts

@@ -13,6 +13,8 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+import singleUseFunctionConstructor from '~/untrusted/lib/singleUseFunctionConstructor.js';
+
 import { aIsArray } from '~untrusted/lib/utils.js';
 
 import createSandboxedHandler from '~untrusted/lib/createSandboxedHandler.js';
@@ -99,6 +101,7 @@ const workerSandboxInner = (
 
 		const revokeRootMessageEventListener = createMessageEventListener(
 			createSandboxedHandler(
+				singleUseFunctionConstructor,
 				script,
 				allowedGlobals,
 				externalMethodsList,