diff --git a/packages/string-templates/src/helpers/javascript.js b/packages/string-templates/src/helpers/javascript.js index 301833fd34..2c2802c64c 100644 --- a/packages/string-templates/src/helpers/javascript.js +++ b/packages/string-templates/src/helpers/javascript.js @@ -27,19 +27,39 @@ const getContextValue = (path, context) => { return data } +// Node polyfill for base64 encoding +const btoa = plainText => { + return Buffer.from(plainText, "utf-8").toString("base64") +} + +// Node polyfill for base64 decoding +const atob = base64 => { + return Buffer.from(base64, "base64").toString("utf-8") +} + // Evaluates JS code against a certain context module.exports.processJS = (handlebars, context) => { + // Do not evaluate JS in a node environment + if (typeof window === "undefined") { + return "JS bindings are not executed in a Node environment" + } + try { // Wrap JS in a function and immediately invoke it. // This is required to allow the final `return` statement to be valid. const js = `function run(){${atob(handlebars)}};run();` // Our $ context function gets a value from context - const sandboxContext = { $: path => getContextValue(path, context) } + const sandboxContext = { + $: path => getContextValue(path, context), + alert: undefined, + setInterval: undefined, + setTimeout: undefined, + } // Create a sandbox with out context and run the JS vm.createContext(sandboxContext) - return vm.runInNewContext(js, sandboxContext) + return vm.runInNewContext(js, sandboxContext, { timeout: 1000 }) } catch (error) { return "Error while executing JS" } diff --git a/packages/string-templates/test/javascript.spec.js b/packages/string-templates/test/javascript.spec.js new file mode 100644 index 0000000000..07cc72c298 --- /dev/null +++ b/packages/string-templates/test/javascript.spec.js @@ -0,0 +1,87 @@ +const { processStringSync, encodeJSBinding } = require("../src/index.cjs") + +const processJS = (js, context) => { + return processStringSync(encodeJSBinding(js), context) +} + +describe("Test the JavaScript helper in Node", () => { + it("should not execute JS in Node", () => { + const output = processJS(`return 1`) + expect(output).toBe("JS bindings are not executed in a Node environment") + }) +}) + +describe("Test the JavaScript helper", () => { + // JS bindings do not get evaluated on the server for safety. + // Since we want to run SJ for tests, we fake a window object to make + // it think that we're in the browser + beforeEach(() => { + window = {} + }) + + it("should execute a simple expression", () => { + const output = processJS(`return 1 + 2`) + expect(output).toBe("3") + }) + + it("should be able to use primitive bindings", () => { + const output = processJS(`return $("foo")`, { + foo: "bar", + }) + expect(output).toBe("bar") + }) + + it("should be able to use an object binding", () => { + const output = processJS(`return $("foo").bar`, { + foo: { + bar: "baz", + }, + }) + expect(output).toBe("baz") + }) + + it("should be able to use a complex object binding", () => { + const output = processJS(`return $("foo").bar[0].baz`, { + foo: { + bar: [ + { + baz: "shazbat", + }, + ], + }, + }) + expect(output).toBe("shazbat") + }) + + it("should be able to use a deep binding", () => { + const output = processJS(`return $("foo.bar.baz")`, { + foo: { + bar: { + baz: "shazbat", + }, + }, + }) + expect(output).toBe("shazbat") + }) + + it("should be able to use a deep array binding", () => { + const output = processJS(`return $("foo.0.bar")`, { + foo: [ + { + bar: "baz", + }, + ], + }) + expect(output).toBe("baz") + }) + + it("should handle errors", () => { + const output = processJS(`throw "Error"`) + expect(output).toBe("Error while executing JS") + }) + + it("should timeout after one second", () => { + const output = processJS(`while (true) {}`) + expect(output).toBe("Error while executing JS") + }) +})