🔒 Use isolated-vm

packages/bot-engine/blocks/integrations/webhook/resumeWebhookExecution.ts

@@ -11,7 +11,7 @@ import { SessionState } from '@typebot.io/schemas/features/chat/sessionState'
 import { ExecuteIntegrationResponse } from '../../../types'
 import { parseVariables } from '@typebot.io/variables/parseVariables'
 import { updateVariablesInSession } from '@typebot.io/variables/updateVariablesInSession'
-import vm from 'vm'
+import { createHttpReqResponseMappingRunner } from '@typebot.io/variables/codeRunners'
 
 type Props = {
   state: SessionState
@@ -50,19 +50,21 @@ export const resumeWebhookExecution = ({
           }
     )
 
+  let run: (varMapping: string) => unknown
+  if (block.options?.responseVariableMapping) {
+    run = createHttpReqResponseMappingRunner(response)
+  }
   const newVariables = block.options?.responseVariableMapping?.reduce<
     VariableWithUnknowValue[]
   >((newVariables, varMapping) => {
-    if (!varMapping?.bodyPath || !varMapping.variableId) return newVariables
+    if (!varMapping?.bodyPath || !varMapping.variableId || !run)
+      return newVariables
     const existingVariable = typebot.variables.find(byId(varMapping.variableId))
     if (!existingVariable) return newVariables
-    const sandbox = vm.createContext({
-      data: response,
-    })
+
     try {
-      const value: unknown = vm.runInContext(
-        `data.${parseVariables(typebot.variables)(varMapping?.bodyPath)}`,
-        sandbox
+      const value: unknown = run(
+        parseVariables(typebot.variables)(varMapping?.bodyPath)
       )
       return [...newVariables, { ...existingVariable, value }]
     } catch (err) {

packages/bot-engine/blocks/logic/setVariable/executeSetVariable.ts

@@ -8,7 +8,6 @@ import {
 import { byId, isEmpty } from '@typebot.io/lib'
 import { ExecuteLogicResponse } from '../../../types'
 import { parseScriptToExecuteClientSideAction } from '../script/executeScript'
-import { parseGuessedValueType } from '@typebot.io/variables/parseGuessedValueType'
 import { parseVariables } from '@typebot.io/variables/parseVariables'
 import { updateVariablesInSession } from '@typebot.io/variables/updateVariablesInSession'
 import { createId } from '@paralleldrive/cuid2'
@@ -19,7 +18,7 @@ import {
 } from '@typebot.io/logic/computeResultTranscript'
 import prisma from '@typebot.io/lib/prisma'
 import { sessionOnlySetVariableOptions } from '@typebot.io/schemas/features/blocks/logic/setVariable/constants'
-import vm from 'vm'
+import { createCodeRunner } from '@typebot.io/variables/codeRunners'
 
 export const executeSetVariable = async (
   state: SessionState,
@@ -97,17 +96,11 @@ const evaluateSetVariableExpression =
     if (isSingleVariable) return parseVariables(variables)(str)
     // To avoid octal number evaluation
     if (!isNaN(str as unknown as number) && /0[^.].+/.test(str)) return str
-    const evaluating = parseVariables(variables, { fieldToParse: 'id' })(
-      `(function() {${str.includes('return ') ? str : 'return ' + str}})()`
-    )
     try {
-      const sandbox = vm.createContext({
-        ...Object.fromEntries(
-          variables.map((v) => [v.id, parseGuessedValueType(v.value)])
-        ),
-        fetch,
-      })
-      return vm.runInContext(evaluating, sandbox)
+      const body = parseVariables(variables, { fieldToParse: 'id' })(str)
+      return createCodeRunner({ variables })(
+        body.includes('return ') ? body : `return ${body}`
+      )
     } catch (err) {
       return parseVariables(variables)(str)
     }

packages/bot-engine/package.json

@@ -32,7 +32,8 @@
     "nodemailer": "6.9.8",
     "openai": "4.47.1",
     "qs": "6.11.2",
-    "stripe": "12.13.0"
+    "stripe": "12.13.0",
+    "isolated-vm": "4.7.2"
   },
   "devDependencies": {
     "@typebot.io/forge": "workspace:*",