Improve security by isolating code execution more
This commit enhances application security against potential attacks by isolating dependencies that access the host system (like file operations) from the renderer process. It narrows the exposed functionality to script execution only, adding an extra security layer. The changes allow secure and scalable API exposure, preparing for future functionalities such as desktop notifications for script errors (#264), improved script execution handling (#296), and creating restore points (#50) in a secure and repeatable way. Changes include: - Inject `CodeRunner` into Vue components via dependency injection. - Move `CodeRunner` to the application layer as an abstraction for better domain-driven design alignment. - Refactor `SystemOperations` and related interfaces, removing the `I` prefix. - Update architecture documentation for clarity. - Update return types in `NodeSystemOperations` to match the Node APIs. - Improve `WindowVariablesProvider` integration tests for better error context. - Centralize type checks with common functions like `isArray` and `isNumber`. - Change `CodeRunner` to use `os` parameter, ensuring correct window variable injection. - Streamline API exposure to the renderer process: - Automatically bind function contexts to prevent loss of original context. - Implement a way to create facades (wrapper/proxy objects) for increased security.
This commit is contained in:
undergroundwires
@@ -1,4 +1,5 @@
|
||||
import type { DocumentableData, DocumentationData } from '@/application/collections/';
|
||||
import { isString, isArray } from '@/TypeHelpers';
|
||||
|
||||
export function parseDocs(documentable: DocumentableData): readonly string[] {
|
||||
const { docs } = documentable;
|
||||
@@ -14,11 +15,9 @@ function addDocs(
|
||||
docs: DocumentationData,
|
||||
container: DocumentationContainer,
|
||||
): DocumentationContainer {
|
||||
if (docs instanceof Array) {
|
||||
if (docs.length > 0) {
|
||||
container.addParts(docs);
|
||||
}
|
||||
} else if (typeof docs === 'string') {
|
||||
if (isArray(docs)) {
|
||||
docs.forEach((doc) => container.addPart(doc));
|
||||
} else if (isString(docs)) {
|
||||
container.addPart(docs);
|
||||
} else {
|
||||
throwInvalidType();
|
||||
@@ -29,27 +28,21 @@ function addDocs(
|
||||
class DocumentationContainer {
|
||||
private readonly parts = new Array<string>();
|
||||
|
||||
public addPart(documentation: string) {
|
||||
public addPart(documentation: unknown): void {
|
||||
if (!documentation) {
|
||||
throw Error('missing documentation');
|
||||
}
|
||||
if (typeof documentation !== 'string') {
|
||||
if (!isString(documentation)) {
|
||||
throwInvalidType();
|
||||
}
|
||||
this.parts.push(documentation);
|
||||
}
|
||||
|
||||
public addParts(parts: readonly string[]) {
|
||||
for (const part of parts) {
|
||||
this.addPart(part);
|
||||
}
|
||||
}
|
||||
|
||||
public getAll(): ReadonlyArray<string> {
|
||||
return this.parts;
|
||||
}
|
||||
}
|
||||
|
||||
function throwInvalidType() {
|
||||
function throwInvalidType(): never {
|
||||
throw new Error('docs field (documentation) must be an array of strings');
|
||||
}
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
import { isString } from '@/TypeHelpers';
|
||||
import { INodeDataErrorContext, NodeDataError } from './NodeDataError';
|
||||
import { NodeData } from './NodeData';
|
||||
|
||||
@@ -13,7 +14,7 @@ export class NodeValidator {
|
||||
'missing name',
|
||||
)
|
||||
.assert(
|
||||
() => typeof nameValue === 'string',
|
||||
() => isString(nameValue),
|
||||
`Name (${JSON.stringify(nameValue)}) is not a string but ${typeof nameValue}.`,
|
||||
);
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import type { FunctionCallData, FunctionCallsData, FunctionCallParametersData } from '@/application/collections/';
|
||||
import { isArray, isPlainObject } from '@/TypeHelpers';
|
||||
import { FunctionCall } from './FunctionCall';
|
||||
import { FunctionCallArgumentCollection } from './Argument/FunctionCallArgumentCollection';
|
||||
import { FunctionCallArgument } from './Argument/FunctionCallArgument';
|
||||
@@ -10,13 +11,13 @@ export function parseFunctionCalls(calls: FunctionCallsData): FunctionCall[] {
|
||||
}
|
||||
|
||||
function getCallSequence(calls: FunctionCallsData): FunctionCallData[] {
|
||||
if (typeof calls !== 'object') {
|
||||
throw new Error('called function(s) must be an object');
|
||||
if (!isPlainObject(calls) && !isArray(calls)) {
|
||||
throw new Error('called function(s) must be an object or array');
|
||||
}
|
||||
if (calls instanceof Array) {
|
||||
if (isArray(calls)) {
|
||||
return calls as FunctionCallData[];
|
||||
}
|
||||
const singleCall = calls;
|
||||
const singleCall = calls as FunctionCallData;
|
||||
return [singleCall];
|
||||
}
|
||||
|
||||
|
||||
@@ -6,6 +6,7 @@ import { CodeValidator } from '@/application/Parser/Script/Validation/CodeValida
|
||||
import { NoEmptyLines } from '@/application/Parser/Script/Validation/Rules/NoEmptyLines';
|
||||
import { NoDuplicatedLines } from '@/application/Parser/Script/Validation/Rules/NoDuplicatedLines';
|
||||
import { ICodeValidator } from '@/application/Parser/Script/Validation/ICodeValidator';
|
||||
import { isArray, isNullOrUndefined, isPlainObject } from '@/TypeHelpers';
|
||||
import { createFunctionWithInlineCode, createCallerFunction } from './SharedFunction';
|
||||
import { SharedFunctionCollection } from './SharedFunctionCollection';
|
||||
import { ISharedFunctionCollection } from './ISharedFunctionCollection';
|
||||
@@ -121,8 +122,11 @@ function ensureEitherCallOrCodeIsDefined(holders: readonly FunctionData[]) {
|
||||
}
|
||||
|
||||
function ensureExpectedParametersType(functions: readonly FunctionData[]) {
|
||||
const hasValidParameters = (
|
||||
func: FunctionData,
|
||||
) => isNullOrUndefined(func.parameters) || isArrayOfObjects(func.parameters);
|
||||
const unexpectedFunctions = functions
|
||||
.filter((func) => func.parameters && !isArrayOfObjects(func.parameters));
|
||||
.filter((func) => !hasValidParameters(func));
|
||||
if (unexpectedFunctions.length) {
|
||||
const errorMessage = `parameters must be an array of objects in function(s) ${printNames(unexpectedFunctions)}`;
|
||||
throw new Error(errorMessage);
|
||||
@@ -130,8 +134,7 @@ function ensureExpectedParametersType(functions: readonly FunctionData[]) {
|
||||
}
|
||||
|
||||
function isArrayOfObjects(value: unknown): boolean {
|
||||
return Array.isArray(value)
|
||||
&& value.every((item) => typeof item === 'object');
|
||||
return isArray(value) && value.every((item) => isPlainObject(item));
|
||||
}
|
||||
|
||||
function printNames(holders: readonly FunctionData[]) {
|
||||
|
||||
Reference in New Issue
Block a user