Release 3.9.8 (#408)

Finalize release 3.9.8

Author: XmiliaH

.eslintrc.js

@@ -1,19 +1,19 @@
 module.exports = {
-    env: {
-        es6: true,
-        node: true
-    },
-    extends: [
-        'integromat'
-    ],
-    parserOptions: {
-        "ecmaVersion": 2017,
-        "ecmaFeatures": {
-            "globalReturn": true
-        }
-    },
-    globals: {
-    },
-    rules: {
-    }
-};
+	env: {
+		es6: true,
+		node: true
+	},
+	extends: [
+		'integromat'
+	],
+	parserOptions: {
+		'ecmaVersion': 2017,
+		'ecmaFeatures': {
+			'globalReturn': true
+		}
+	},
+	globals: {
+	},
+	rules: {
+	}
+};

.github/workflows/node-test.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [8, 10, 12, 14, 16]
+        node-version: [8, 10, 12, 14, 16, 17]
     steps:
       - uses: actions/checkout@v2
       - name: Use Node.js ${{ matrix.node-version }}

CHANGELOG.md

@@ -1,12 +1,12 @@
-v3.9.8 (TBD)
+v3.9.8 (2022-92-16)
 -------------------
-[fix] Add function typecheck for arguments, caller, and callee property check (GeoffRen)  
+[fix] Add function type check for arguments, caller, and callee property check (GeoffRen)  
 [fix] Fix find best extension handler  
 
 v3.9.7 (2022-02-10)
 -------------------
 [fix] Allow relative require from base script  
-[fix] Fix issue with modules with exports clause in package json  
+[fix] Fix issue with modules with exports clause in package JSON  
 [fix] Added missing whitelist check before custom require  
 [fix] Revert plain object toString behavior  
 [fix] Root path check improved  

index.d.ts

@@ -4,11 +4,12 @@ import {EventEmitter} from 'events';
  *  Require options for a VM
  */
 export interface VMRequire {
-  /** Array of allowed builtin modules, accepts ["*"] for all (default: none) */
+  /** Array of allowed built-in modules, accepts ["*"] for all. Using "*" increases the attack surface and potential
+   * new modules allow to escape the sandbox. (default: none) */
   builtin?: string[];
   /*
    * `host` (default) to require modules in host and proxy them to sandbox. `sandbox` to load, compile and
-   * require modules in sandbox. Builtin modules except `events` always required in host and proxied to sandbox
+   * require modules in sandbox. Built-in modules except `events` always required in host and proxied to sandbox
    */
   context?: "host" | "sandbox";
   /** `true`, an array of allowed external modules or an object with external options (default: `false`) */
@@ -17,7 +18,7 @@ export interface VMRequire {
   import?: string[];
   /** Restricted path(s) where local modules can be required (default: every path). */
   root?: string | string[];
-  /** Collection of mock modules (both external or builtin). */
+  /** Collection of mock modules (both external or built-in). */
   mock?: any;
   /* An additional lookup function in case a module wasn't found in one of the traditional node lookup paths. */
   resolve?: (moduleName: string, parentDirname: string) => string | undefined;
@@ -36,7 +37,7 @@ type CompilerFunction = (code: string, filename: string) => string;
  */
 export interface VMOptions {
   /**
-   * `javascript` (default) or `coffeescript` or custom compiler function (which receives the code, and it's filepath).
+   * `javascript` (default) or `coffeescript` or custom compiler function (which receives the code, and it's file path).
    *  The library expects you to have coffee-script pre-installed if the compiler is set to `coffeescript`.
    */
   compiler?: "javascript" | "coffeescript" | CompilerFunction;
@@ -48,7 +49,7 @@ export interface VMOptions {
    */
   timeout?: number;
   /**
-   * If set to `false` any calls to eval or function constructors (`Function`, `GeneratorFunction`, etc) will throw an
+   * If set to `false` any calls to eval or function constructors (`Function`, `GeneratorFunction`, etc.) will throw an
    * `EvalError` (default: `true`).
    */
   eval?: boolean;
@@ -58,7 +59,7 @@ export interface VMOptions {
   wasm?: boolean;
   /**
    * If set to `true` any attempt to run code using async will throw a `VMError` (default: `false`).
-   * @deprecated Use ``allowAsync` instead
+   * @deprecated Use `allowAsync` instead.
    */
   fixAsync?: boolean;
 
@@ -76,7 +77,8 @@ export interface NodeVMOptions extends VMOptions {
   console?: "inherit" | "redirect" | "off";
   /** `true` or an object to enable `require` options (default: `false`). */
   require?: true | VMRequire;
-  /** `true` to enable VMs nesting (default: `false`). */
+  /** **WARNING**: This should be disabled. It allows to create a NodeVM form within the sandbox which could return any host module.
+   * `true` to enable VMs nesting (default: `false`). */
   nesting?: boolean;
   /** `commonjs` (default) to wrap script into CommonJS wrapper, `none` to retrieve value returned by the script. */
   wrapper?: "commonjs" | "none";
@@ -119,6 +121,8 @@ export class VM {
   getGlobal(name: string): any;
   /** Freezes the object inside VM making it read-only. Not available for primitive values. */
   freeze(object: any, name?: string): any;
+  /** Freezes the object inside VM making it read-only. Not available for primitive values. */
+  readonly(object: any): any;
   /** Protects the object inside VM making impossible to set functions as it's properties. Not available for primitive values */
   protect(object: any, name?: string): any;
 }
@@ -135,7 +139,7 @@ export class NodeVM extends EventEmitter implements VM {
    /**
    * Create NodeVM and run code inside it.
    *
-   * @param {string} script Javascript code.
+   * @param {string} script JavaScript code.
    * @param {string} [filename] File name (used in stack traces only).
    * @param {Object} [options] VM options.
    */

lib/nodevm.js

@@ -262,7 +262,8 @@ class NodeVM extends VM {
 		const {
 			Module,
 			jsonParse,
-			createRequireForModule
+			createRequireForModule,
+			requireImpl
 		} = closure(HOST, {
 			__proto__: null,
 			argv,
@@ -278,11 +279,12 @@ class NodeVM extends VM {
 			_Module: {__proto__: null, value: Module},
 			_jsonParse: {__proto__: null, value: jsonParse},
 			_createRequireForModule: {__proto__: null, value: createRequireForModule},
+			_requireImpl: {__proto__: null, value: requireImpl},
 			_cacheRequireModule: {__proto__: null, value: null, writable: true}
 		});
 
 
-		resolver.init(this, ()=>true);
+		resolver.init(this);
 
 		// prepare global sandbox
 		if (sandbox) {
@@ -331,10 +333,12 @@ class NodeVM extends VM {
 		const path = this._resolver.pathResolve('.');
 		let mod = this._cacheRequireModule;
 		if (!mod || mod.path !== path) {
-			mod = new (this._Module)(this._resolver.pathConcat(path, '/vm.js'), path);
+			const filename = this._resolver.pathConcat(path, '/vm.js');
+			mod = new (this._Module)(filename, path);
+			this._resolver.registerModule(mod, filename, path, null, false);
 			this._cacheRequireModule = mod;
 		}
-		return mod.require(module);
+		return this._requireImpl(mod, module, true);
 	}
 
 	/**

lib/setup-node-sandbox.js

@@ -459,5 +459,6 @@ return {
 	__proto__: null,
 	Module,
 	jsonParse: JSON.parse,
-	createRequireForModule
+	createRequireForModule,
+	requireImpl
 };

lib/transformer.js

@@ -1,6 +1,7 @@
 
 const {parse: acornParse} = require('acorn');
 const {full: acornWalkFull} = require('acorn-walk');
+const {compileFunction} = require('vm');
 
 const INTERNAL_STATE_NAME = 'VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL';
 
@@ -26,21 +27,28 @@ function transformer(args, body, isAsync, isGenerator) {
 		code += '\n})';
 	}
 
-	const ast = acornParse(code, {
-		__proto__: null,
-		ecmaVersion: 2020,
-		allowAwaitOutsideFunction: args === null && isAsync,
-		allowReturnOutsideFunction: args === null
-	});
+	let ast;
+	try {
+		ast = acornParse(code, {
+			__proto__: null,
+			ecmaVersion: 2020,
+			allowAwaitOutsideFunction: args === null && isAsync,
+			allowReturnOutsideFunction: args === null
+		});
+	} catch (e) {
+		// Try to generate a nicer error message.
+		compileFunction(code);
+		throw e;
+	}
 
 	if (args !== null) {
 		const pBody = assertType(ast, 'Program').body;
-		if (pBody.length !== 1) throw new Error('Invalid arguments');
+		if (pBody.length !== 1) throw new SyntaxError('Single function literal required');
 		const expr = pBody[0];
-		if (expr.type !== 'ExpressionStatement') throw new Error('Invalid arguments');
+		if (expr.type !== 'ExpressionStatement') throw new SyntaxError('Single function literal required');
 		const func = expr.expression;
-		if (func.type !== 'FunctionExpression') throw new Error('Invalid arguments');
-		if (func.body.start !== argsOffset + 3) throw new Error('Invalid arguments');
+		if (func.type !== 'FunctionExpression') throw new SyntaxError('Single function literal required');
+		if (func.body.start !== argsOffset + 3) throw new SyntaxError('Unexpected end of arg string');
 	}
 
 	const insertions = [];
@@ -79,7 +87,7 @@ function transformer(args, body, isAsync, isGenerator) {
 			});
 		} else if (type === 'Identifier') {
 			if (node.name === INTERNAL_STATE_NAME) {
-				throw new Error('Use of internal vm2 state variable');
+				throw new SyntaxError('Use of internal vm2 state variable');
 			}
 		} else if (type === 'ImportExpression') {
 			insertions.push({