|
| 1 | +/* |
| 2 | + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one |
| 3 | + * or more contributor license agreements. Licensed under the "Elastic License |
| 4 | + * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side |
| 5 | + * Public License v 1"; you may not use this file except in compliance with, at |
| 6 | + * your election, the "Elastic License 2.0", the "GNU Affero General Public |
| 7 | + * License v3.0 only", or the "Server Side Public License, v 1". |
| 8 | + */ |
| 9 | + |
| 10 | +/* |
| 11 | + * Disallow runtime code generation from strings in Jest tests. |
| 12 | + * |
| 13 | + * In production and dev mode, Kibana runs with the V8 flag |
| 14 | + * --disallow-code-generation-from-strings, which causes eval() and |
| 15 | + * new Function(string) to throw: |
| 16 | + * |
| 17 | + * "Code generation from strings disallowed for this context" |
| 18 | + * |
| 19 | + * We cannot use that V8 flag for Jest because Jest's own dependencies |
| 20 | + * (tmpl -> makeerror -> walker) call new Function() during startup. |
| 21 | + * Instead, this setup file replaces eval and Function with versions that |
| 22 | + * throw the same EvalError, scoped to the test sandbox only. |
| 23 | + * |
| 24 | + * Jest's own mock system (jest-mock) uses new Function() to create mock |
| 25 | + * functions that preserve the original function's name. These calls are |
| 26 | + * exempted by checking the call stack for known Jest internal callers. |
| 27 | + * |
| 28 | + * If your test is failing with this error, it means the code under test |
| 29 | + * uses eval() or new Function() — which would also fail in production. |
| 30 | + * Fix the underlying code rather than removing this restriction. |
| 31 | + * |
| 32 | + * See: packages/kbn-cli-dev-mode/src/using_server_process.ts (dev flag) |
| 33 | + * src/dev/build/tasks/bin/scripts/kibana (prod flag) |
| 34 | + * src/platform/packages/shared/kbn-security-hardening/ (hardening package) |
| 35 | + */ |
| 36 | + |
| 37 | +const ERROR_MESSAGE = 'Code generation from strings disallowed for this context'; |
| 38 | + |
| 39 | +// Zod v4 has a JIT compiler that uses new Function() for schema parsing. |
| 40 | +// Setting jitless on the backing store ensures Zod skips JIT regardless of |
| 41 | +// import order. Zod's own allowsEval probe is unreliable here because module |
| 42 | +// caching can cause it to run before our Function proxy is installed. |
| 43 | +global.__zod_globalConfig = Object.assign(global.__zod_globalConfig || {}, { jitless: true }); |
| 44 | + |
| 45 | +const ALLOWED_CALLERS = [ |
| 46 | + // ESLint's ajv plugin uses new Function() for schema parsing. Dev-only, this is OK. |
| 47 | + /eslint.*ajv/, |
| 48 | + // Jest's own mock system (jest-mock) uses new Function() to create mock. Dev-only, this is OK. |
| 49 | + /jest-mock/, |
| 50 | + // Jest's own runtime uses new Function() for code generation. Dev-only, this is OK. |
| 51 | + /jest-runtime/, |
| 52 | + // Jest's own snapshot system uses new Function() for code generation. Dev-only, this is OK. |
| 53 | + /jest-snapshot/, |
| 54 | + // Jest's own environment uses new Function() for code generation. Dev-only, this is OK. |
| 55 | + /jest-environment/, |
| 56 | + // kbn-handlebars tests intentionally exercise the eval-based Handlebars compiler |
| 57 | + // to verify parity with the safe AST-based replacement. The CSP probe |
| 58 | + // (kbnUnsafeEvalTest) is blocked separately above, so this exception only |
| 59 | + // affects the actual parity-test compilation calls. |
| 60 | + /kbn-handlebars/, |
| 61 | +]; |
| 62 | + |
| 63 | +// @kbn/handlebars probes for CSP unsafe-eval support by calling |
| 64 | +// new Function('kbnUnsafeEvalTest', 'return true;'). In Jest the jest-runtime |
| 65 | +// allow-list entry would let this probe succeed (jest-runtime is in the stack |
| 66 | +// during module loading), causing handlebars to pick the eval-based compiler |
| 67 | +// that later fails. Blocking the probe explicitly makes the Jest environment |
| 68 | +// match browser CSP behavior, routing to the safe compileAST path. |
| 69 | +const CSP_PROBE_MARKER = 'kbnUnsafeEvalTest'; |
| 70 | + |
| 71 | +function isCspProbe(args) { |
| 72 | + return args.length > 0 && args[0] === CSP_PROBE_MARKER; |
| 73 | +} |
| 74 | + |
| 75 | +function isCallerAllowed() { |
| 76 | + const stack = new Error().stack || ''; |
| 77 | + return ALLOWED_CALLERS.some((pattern) => pattern.test(stack)); |
| 78 | +} |
| 79 | + |
| 80 | +// eslint-disable-next-line no-eval -- intentionally replacing eval to block code generation |
| 81 | +global.eval = function () { |
| 82 | + throw new EvalError(ERROR_MESSAGE); |
| 83 | +}; |
| 84 | + |
| 85 | +const OriginalFunction = global.Function; |
| 86 | +const FunctionProxy = new Proxy(OriginalFunction, { |
| 87 | + apply(target, thisArg, args) { |
| 88 | + if (!isCspProbe(args) && isCallerAllowed()) { |
| 89 | + return Reflect.apply(target, thisArg, args); |
| 90 | + } |
| 91 | + throw new EvalError(ERROR_MESSAGE); |
| 92 | + }, |
| 93 | + construct(target, args, newTarget) { |
| 94 | + if (!isCspProbe(args) && isCallerAllowed()) { |
| 95 | + return Reflect.construct(target, args, newTarget); |
| 96 | + } |
| 97 | + throw new EvalError(ERROR_MESSAGE); |
| 98 | + }, |
| 99 | +}); |
| 100 | + |
| 101 | +Object.defineProperty(FunctionProxy, 'prototype', { |
| 102 | + value: OriginalFunction.prototype, |
| 103 | + writable: false, |
| 104 | +}); |
| 105 | + |
| 106 | +global.Function = FunctionProxy; |
0 commit comments