This repository has been archived by the owner on Jan 1, 2025. It is now read-only.

Commit

Prepare release 3.9.7
XmiliaH committed Feb 10, 2022
1 parent 568934f commit b6581b4
Showing 5 changed files with 41 additions and 2 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,11 @@
v3.9.7 (2022-02-10)
-------------------
[fix] Allow relative require from base script
[fix] Fix issue with modules with exports clause in package json
[fix] Added missing whitelist check before custom require
[fix] Revert plain object toString behavior
[fix] Root path check improved

v3.9.6 (2022-02-08)
-------------------
[fix] Security fixes (XmiliaH)
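Review bot: the new entries "Root path check improved" and "Added missing whitelist check before custom require" do not say that they tighten a require restriction, unlike the 3.9.6 entry, which is labelled "Security fixes". The `lib/resolver-compat.js` change in this commit narrows which files pass the `root` check, so the entry should say that, so users who rely on `root` know the upgrade matters.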
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -377,6 +377,9 @@ vm2 ./script.js
## Known Issues

* It is not possible to define a class that extends a proxied class.
* Direct eval does not work.
* Logging sandbox arrays will repeat the array part in the properties.
* Source code transformations can result a different source string for a function.

## Deployment
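Review bot: the last added bullet reads "can result a different source string" and is missing "in" ("can result in a different source string"). "Direct eval does not work" would also be more useful with a word on what happens instead, since that is what a user who hits it will want to know.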

8 changes: 7 additions & 1 deletion lib/resolver-compat.js
Expand Up @@ -293,7 +293,13 @@ function resolverFromOptions(vm, options, override, compiler) {
if (rootPaths) {
const checkedRootPaths = (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f => pa.resolve(f));
checkPath = (filename) => {
return checkedRootPaths.some(path => filename.startsWith(path));
return checkedRootPaths.some(path => {
if (!filename.startsWith(path)) return false;
const len = path.length;
if (filename.length === len) return true;
const sep = filename[len];
return sep === '/' || sep === pa.sep;
});
};
} else {
checkPath = () => true;
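Review bot: `const sep = filename[len];` in the new callback assumes the resolved root never ends in a separator, which does not hold when a root resolves to the filesystem root (`/`, or a drive root on Windows). There `filename[len]` is the first character of the next path segment, so every file under that root is rejected, although the old `startsWith` check accepted it. Consider returning true when `path` itself ends with `/` or `pa.sep` before indexing. A one-line comment saying the separator test exists so that a root of `.../module` no longer matches `.../module2` would help the next reader. The check is also only as strong as the normalisation of `filename` done by the caller: a filename that still contains a `..` segment after the prefix would pass `startsWith` and the separator test.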
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -13,7 +13,7 @@
"alcatraz",
"contextify"
],
"version": "3.9.6",
"version": "3.9.7",
"main": "index.js",
"sideEffects": false,
"repository": "github:patriksimek/vm2",
22 changes: 22 additions & 0 deletions test/nodevm.js
Expand Up @@ -298,6 +298,28 @@ describe('modules', () => {
assert.throws(() => vm.run("require('mocha')", __filename), /Cannot find module 'mocha'/);
});

it('root path checking', () => {
const vm = new NodeVM({
require: {
external: true,
root: `${__dirname}/node_modules/module`
},
});

assert.throws(() => vm.run("require('module2')", __filename), /Cannot find module 'module2'/);
});

it('relative require not allowed to enter node modules', () => {
const vm = new NodeVM({
require: {
external: ['mocha'],
root: `${__dirname}`
},
});

assert.throws(() => vm.run("require('./node_modules/module2')", __filename), /Cannot find module '\.\/node_modules\/module2'/);
});

it('arguments attack', () => {
let vm = new NodeVM;
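Review bot: both added cases (`root path checking` and `relative require not allowed to enter node modules`) only assert that a require throws, so a `checkPath` that rejected every filename would pass them. Add a positive assertion that a module inside the configured `root` still loads, including the exact-match branch (`filename.length === len`). The expected message `/Cannot find module 'module2'/` is also what a missing module would produce, so the first test proves the boundary only if `module2` really exists next to `module` under `node_modules`; asserting that it loads when `root` is widened would pin that down.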
