Prepare release 3.9.7

XmiliaH · XmiliaH · commit b6581b4a9cf9 · 2022-02-10T16:01:38.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+v3.9.7 (2022-02-10)
+-------------------
+[fix] Allow relative require from base script
+[fix] Fix issue with modules with exports clause in package json
+[fix] Added missing whitelist check before custom require
+[fix] Revert plain object toString behavior
+[fix] Root path check improved
+
 v3.9.6 (2022-02-08)
 -------------------
 [fix] Security fixes (XmiliaH)  
diff --git a/README.md b/README.md
@@ -377,6 +377,9 @@ vm2 ./script.js
 ## Known Issues
 
 * It is not possible to define a class that extends a proxied class.
+* Direct eval does not work.
+* Logging sandbox arrays will repeat the array part in the properties.
+* Source code transformations can result a different source string for a function.
 
 ## Deployment
 
diff --git a/lib/resolver-compat.js b/lib/resolver-compat.js
@@ -293,7 +293,13 @@ function resolverFromOptions(vm, options, override, compiler) {
 	if (rootPaths) {
 		const checkedRootPaths = (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f => pa.resolve(f));
 		checkPath = (filename) => {
-			return checkedRootPaths.some(path => filename.startsWith(path));
+			return checkedRootPaths.some(path => {
+				if (!filename.startsWith(path)) return false;
+				const len = path.length;
+				if (filename.length === len) return true;
+				const sep = filename[len];
+				return sep === '/' || sep === pa.sep;
+			});
 		};
 	} else {
 		checkPath = () => true;
diff --git a/package.json b/package.json
@@ -13,7 +13,7 @@
     "alcatraz",
     "contextify"
   ],
-  "version": "3.9.6",
+  "version": "3.9.7",
   "main": "index.js",
   "sideEffects": false,
   "repository": "github:patriksimek/vm2",
diff --git a/test/nodevm.js b/test/nodevm.js
@@ -298,6 +298,28 @@ describe('modules', () => {
 		assert.throws(() => vm.run("require('mocha')", __filename), /Cannot find module 'mocha'/);
 	});
 
+	it('root path checking', () => {
+		const vm = new NodeVM({
+			require: {
+				external: true,
+				root: `${__dirname}/node_modules/module`
+			},
+		});
+
+		assert.throws(() => vm.run("require('module2')", __filename), /Cannot find module 'module2'/);
+	});
+
+	it('relative require not allowed to enter node modules', () => {
+		const vm = new NodeVM({
+			require: {
+				external: ['mocha'],
+				root: `${__dirname}`
+			},
+		});
+
+		assert.throws(() => vm.run("require('./node_modules/module2')", __filename), /Cannot find module '\.\/node_modules\/module2'/);
+	});
+
 	it('arguments attack', () => {
 		let vm = new NodeVM;
 
