diff --git a/lib/__tests__/cloudworker.test.js b/lib/__tests__/cloudworker.test.js index e1b96b1..7491354 100644 --- a/lib/__tests__/cloudworker.test.js +++ b/lib/__tests__/cloudworker.test.js @@ -11,6 +11,11 @@ describe('cloudworker', () => { expect(() => { new Cloudworker(12) }).toThrow(new TypeError('worker script must be a string')) // eslint-disable-line no-new }) + test('throws on eval', async () => { + const bindings = { EvalError: EvalError } + expect(() => { new Cloudworker(`eval('true')`, { bindings }) }).toThrow(new EvalError('Code generation from strings disallowed for this context')) // eslint-disable-line no-new + }) + test('log does nothing if debug is false', async () => { const cw = new Cloudworker(simpleScript) global.console = {error: jest.fn(), log: jest.fn()} diff --git a/lib/__tests__/runtime.test.js b/lib/__tests__/runtime.test.js index 3de5317..1b7d7a2 100644 --- a/lib/__tests__/runtime.test.js +++ b/lib/__tests__/runtime.test.js @@ -100,8 +100,8 @@ describe('runtime', () => { test('instanceof from different realm works', () => { const dummyFactory = Symbol('dummy factory') const bindings = { - instanceOfObject: (obj) => { return obj instanceof Object }, - isArrayBufferView: (ab) => { return ArrayBuffer.isView(ab) }, + instanceOfObject (obj) { return obj instanceof Object }, + isArrayBufferView (ab) { return ArrayBuffer.isView(ab) }, } const context = new runtime.Context(() => {}, dummyFactory, bindings) @@ -111,4 +111,17 @@ describe('runtime', () => { expect(objTest).toEqual(true) expect(arrayBufferViewTest).toEqual(true) }) + + test('object binding can be disabled across realms', () => { + const dummyFactory = Symbol('dummy factory') + const bindings = { + VM_DEFAULT_REALM: true, + instanceOfObject (obj) { return obj instanceof Object }, + } + const context = new runtime.Context(() => {}, dummyFactory, bindings) + + const objTest = vm.runInNewContext('instanceOfObject(new Object())', context) + + expect(objTest).toEqual(false) + }) }) diff --git a/lib/runtime.js b/lib/runtime.js index cfb1e0f..24c5d64 100644 --- a/lib/runtime.js +++ b/lib/runtime.js @@ -30,65 +30,67 @@ class Context { this.atob = atob this.btoa = btoa - // These are necessary to use "instanceof" within a vm - this.Array = Array - this.ArrayBuffer = ArrayBuffer - this.Atomics = Atomics - this.BigInt = BigInt - this.BigInt64Array = BigInt64Array - this.BigUint64Array = BigUint64Array - this.Boolean = Boolean - this.DataView = DataView - this.Date = Date - this.Error = Error - this.EvalError = EvalError - this.Float32Array = Float32Array - this.Float64Array = Float64Array - this.Function = Function - this.Int8Array = Int8Array - this.Int16Array = Int16Array - this.Int32Array = Int32Array - this.Intl = Intl - this.JSON = JSON - this.Map = Map - this.Math = Math - this.NaN = NaN - this.Number = Number - this.Object = Object - this.Promise = Promise - this.Proxy = Proxy - this.RangeError = RangeError - this.ReferenceError = ReferenceError - this.Reflect = Reflect - this.RegExp = RegExp - this.Set = Set - this.SharedArrayBuffer = SharedArrayBuffer - this.String = String - this.Symbol = Symbol - this.SyntaxError = SyntaxError - this.TypeError = TypeError - this.URIError = URIError - this.Uint8Array = Uint8Array - this.Uint8ClampedArray = Uint8ClampedArray - this.Uint16Array = Uint16Array - this.Uint32Array = Uint32Array - this.WeakMap = WeakMap - this.WebAssembly = WebAssembly - this.console = console - this.constructor = constructor - this.decodeURI = decodeURI - this.decodeURIComponent = decodeURIComponent - this.encodeURI = encodeURI - this.encodeURIComponent = encodeURIComponent - this.escape = escape - this.globalThis = this - this.isFinite = isFinite - this.isNaN = isNaN - this.parseFloat = parseFloat - this.parseInt = parseInt - this.self = this - this.undefined = undefined - this.unescape = unescape + // These are necessary to use "instanceof" within a vm accross different realms + if (!bindings.VM_DEFAULT_REALM) { + this.Array = Array + this.ArrayBuffer = ArrayBuffer + this.Atomics = Atomics + this.BigInt = BigInt + this.BigInt64Array = BigInt64Array + this.BigUint64Array = BigUint64Array + this.Boolean = Boolean + this.DataView = DataView + this.Date = Date + this.Error = Error + this.EvalError = EvalError + this.Float32Array = Float32Array + this.Float64Array = Float64Array + this.Function = Function + this.Int8Array = Int8Array + this.Int16Array = Int16Array + this.Int32Array = Int32Array + this.Intl = Intl + this.JSON = JSON + this.Map = Map + this.Math = Math + this.NaN = NaN + this.Number = Number + this.Object = Object + this.Promise = Promise + this.Proxy = Proxy + this.RangeError = RangeError + this.ReferenceError = ReferenceError + this.Reflect = Reflect + this.RegExp = RegExp + this.Set = Set + this.SharedArrayBuffer = SharedArrayBuffer + this.String = String + this.Symbol = Symbol + this.SyntaxError = SyntaxError + this.TypeError = TypeError + this.URIError = URIError + this.Uint8Array = Uint8Array + this.Uint8ClampedArray = Uint8ClampedArray + this.Uint16Array = Uint16Array + this.Uint32Array = Uint32Array + this.WeakMap = WeakMap + this.WebAssembly = WebAssembly + this.console = console + this.constructor = constructor + this.decodeURI = decodeURI + this.decodeURIComponent = decodeURIComponent + this.encodeURI = encodeURI + this.encodeURIComponent = encodeURIComponent + this.escape = escape + this.globalThis = this + this.isFinite = isFinite + this.isNaN = isNaN + this.parseFloat = parseFloat + this.parseInt = parseInt + this.self = this + this.undefined = undefined + this.unescape = unescape + } Object.assign(this, bindings) }