🔒 Use vm instead of Function in Node.js (#1509)

2024-05-14 14:17:40 +02:00
parent 1afa25a015
commit 75c44d61d5
6 changed files with 42 additions and 24 deletions
--- a/packages/bot-engine/blocks/integrations/webhook/resumeWebhookExecution.ts
+++ b/packages/bot-engine/blocks/integrations/webhook/resumeWebhookExecution.ts
@ -11,6 +11,7 @@ import { SessionState } from '@typebot.io/schemas/features/chat/sessionState'
 import { ExecuteIntegrationResponse } from '../../../types'
 import { parseVariables } from '@typebot.io/variables/parseVariables'
 import { updateVariablesInSession } from '@typebot.io/variables/updateVariablesInSession'
+import vm from 'vm'

 type Props = {
  state: SessionState
@ -55,12 +56,14 @@ export const resumeWebhookExecution = ({
    if (!varMapping?.bodyPath || !varMapping.variableId) return newVariables
    const existingVariable = typebot.variables.find(byId(varMapping.variableId))
    if (!existingVariable) return newVariables
-    const func = Function(
-      'data',
-      `return data.${parseVariables(typebot.variables)(varMapping?.bodyPath)}`
-    )
+    const sandbox = vm.createContext({
+      data: response.data,
+    })
    try {
-      const value: unknown = func(response)
+      const value: unknown = vm.runInContext(
+        parseVariables(typebot.variables)(varMapping?.bodyPath),
+        sandbox
+      )
      return [...newVariables, { ...existingVariable, value }]
    } catch (err) {
      return newVariables
--- a/packages/bot-engine/blocks/logic/setVariable/executeSetVariable.ts
+++ b/packages/bot-engine/blocks/logic/setVariable/executeSetVariable.ts
@ -7,6 +7,7 @@ import { parseVariables } from '@typebot.io/variables/parseVariables'
 import { updateVariablesInSession } from '@typebot.io/variables/updateVariablesInSession'
 import { createId } from '@paralleldrive/cuid2'
 import { utcToZonedTime, format as tzFormat } from 'date-fns-tz'
+import vm from 'vm'

 export const executeSetVariable = (
  state: SessionState,
@ -67,11 +68,16 @@ const evaluateSetVariableExpression =
    // To avoid octal number evaluation
    if (!isNaN(str as unknown as number) && /0[^.].+/.test(str)) return str
    const evaluating = parseVariables(variables, { fieldToParse: 'id' })(
-      str.includes('return ') ? str : `return ${str}`
+      `(function() {${str.includes('return ') ? str : 'return ' + str}})()`
    )
    try {
-      const func = Function(...variables.map((v) => v.id), evaluating)
-      return func(...variables.map((v) => parseGuessedValueType(v.value)))
+      const sandbox = vm.createContext({
+        ...Object.fromEntries(
+          variables.map((v) => [v.id, parseGuessedValueType(v.value)])
+        ),
+        fetch,
+      })
+      return vm.runInContext(evaluating, sandbox)
    } catch (err) {
      return parseVariables(variables)(str)
    }