Audit safe exec (#380)

Author: shanexi

web/apps/web/package.json

@@ -90,7 +90,8 @@
     "uuid": "^10.0.0",
     "zod": "^3.23.8",
     "zustand": "^4.5.4",
-    "zustand-computed-state": "^0.1.8"
+    "zustand-computed-state": "^0.1.8",
+    "isomorphic-dompurify": "^2.14.0"
   },
   "devDependencies": {
     "@shellagent/eslint-config": "workspace:*",

web/apps/web/src/components/app/node-form/widgets/highlight-input/variable-value-block/components/index.tsx

@@ -3,6 +3,7 @@
 import { useLexicalComposerContext } from '@lexical/react/LexicalComposerContext';
 import { $getNodeByKey, COMMAND_PRIORITY_EDITOR } from 'lexical';
 import { memo, useRef, useEffect } from 'react';
+import { sanitize } from 'isomorphic-dompurify';
 
 import { cn } from '@/utils/cn';
 
@@ -125,21 +126,23 @@ const VariableValueBlockComponent = ({
   };
 
   const renderParts = () => {
-    return parts
-      .map(part => {
-        if (part.type === PartType.TEXT) {
-          return part.content;
-        } else if (part.type === PartType.VARIABLE) {
-          return `<span
+    return sanitize(
+      parts
+        .map(part => {
+          if (part.type === PartType.TEXT) {
+            return part.content;
+          } else if (part.type === PartType.VARIABLE) {
+            return `<span
           data-origin-value="${part.content}"
           data-display="${part.display}"
           contenteditable="false"
           class="inline-block text-blue-700 cursor-text px-0.5"
         >${part.display}</span>`;
-        }
-        return '';
-      })
-      .join('');
+          }
+          return '';
+        })
+        .join(''),
+    );
   };
 
   return (

web/apps/web/src/components/app/plugins/comfyui/widgets/comfyui-editor.tsx

@@ -21,6 +21,7 @@ import {
 import { observer } from 'mobx-react-lite';
 import React, { useEffect, useRef } from 'react';
 import { Box, Flex } from 'react-system';
+import { sanitize } from 'isomorphic-dompurify';
 
 import {
   DEFAULT_MODAL_STYLES,
@@ -226,7 +227,9 @@ export const ComfyUIEditorModal = observer(() => {
           ]}>
           <div
             dangerouslySetInnerHTML={{
-              __html: model.messageDetail?.replaceAll('\n', '<br />') || '',
+              __html: sanitize(
+                model.messageDetail?.replaceAll('\n', '<br />') || '',
+              ),
             }}
           />
         </Modal>

web/apps/web/src/services/base.ts

@@ -128,11 +128,27 @@ export const customFetch = async <T>(
               { toastId: 'login-error' },
             );
             setTimeout(() => {
+              const currentUrl = window.location.href;
+              const isValidRedirectUrl = (() => {
+                try {
+                  const url = new URL(currentUrl);
+                  return (
+                    url.hostname.endsWith('myshell.fun') ||
+                    url.hostname.endsWith('myshell.ai') ||
+                    url.hostname.endsWith('myshell.life')
+                  );
+                } catch (e) {
+                  return false;
+                }
+              })();
+
+              const redirectUrl = isValidRedirectUrl
+                ? currentUrl
+                : 'https://myshell.ai';
+
               window.location.href = `${
                 process.env.NEXT_PUBLIC_LOGIN_URL
-              }?login=true&redirect=${decodeURIComponent(
-                window.location.href,
-              )}`;
+              }?login=true&redirect=${encodeURIComponent(redirectUrl)}`;
             }, 3000);
           }
 

web/packages/form-engine/package.json

@@ -30,6 +30,7 @@
     "react-dnd": "^16.0.1",
     "react-dnd-html5-backend": "^16.0.1",
     "react-error-boundary": "^4.0.13",
+    "sval": "^0.6.1",
     "tailwind-merge": "^2.5.2",
     "zod": "^3.23.8",
     "zustand": "^4.5.5"

web/packages/form-engine/src/utils/exec.spec.ts

@@ -0,0 +1,45 @@
+import { exec } from './exec';
+import Sval from 'sval';
+
+describe('exec', () => {
+  it('should return the result of the code', () => {
+    const result = exec(`$this.value === "image"`, {
+      $this: {
+        value: 'text',
+      },
+    });
+    expect(result).toBe(false);
+  });
+
+  it('exec sval ver', () => {
+    const result = exec(`$this.value === "image"`, {
+      $this: {
+        value: 'image',
+      },
+    });
+    expect(result).toBe(true);
+
+    const result2 = exec(`$this.value === "image"`, {
+      $this: {
+        value: 'text',
+      },
+    });
+    expect(result2).toBe(false);
+  });
+
+  it('sval', () => {
+    const interpreter = new Sval({
+      ecmaVer: 'latest',
+      sourceType: 'script',
+      sandBox: true,
+    });
+    const code = `
+globalThis.$this = {
+  value: "text"
+}
+exports.a = $this.value === "image"
+    `;
+    interpreter.run(code);
+    expect(interpreter.exports.a).toBe(false);
+  });
+});

web/packages/form-engine/src/utils/exec.ts

@@ -1,18 +1,29 @@
 import { TContext } from '../types';
+import Sval from 'sval';
 
-function exec(code: string, scope: TContext) {
-  try {
-    const str = `
-      var ${'____data'}  = arguments[0];
-      with(${'____data'}) {
-        return ${code}
-      } 
-    `;
+function safeExec(expression: string, scope: TContext) {
+  const interpreter = new Sval({
+    ecmaVer: 'latest',
+    sourceType: 'script',
+    sandBox: true,
+  });
 
-    return new Function(str)(scope);
-  } catch (e) {
-    console.log(e);
-  }
+  let globalThisAssignments = '';
+
+  Object.keys(scope).forEach(key => {
+    const value = scope[key];
+    globalThisAssignments += `globalThis[${JSON.stringify(
+      key,
+    )}] = ${JSON.stringify(value)};\n`;
+  });
+
+  const code = `
+${globalThisAssignments}
+exports.a = ${expression};`;
+
+  interpreter.run(code);
+
+  return interpreter.exports.a;
 }
 
-export { exec };
+export { safeExec as exec };

web/packages/form-engine/wallaby.js

@@ -0,0 +1,5 @@
+module.exports = function (wallaby) {
+  return {
+    autoDetect: ['jest'],
+  };
+};