mirror of
https://github.com/usebruno/bruno.git
synced 2026-06-22 12:15:38 +00:00
ff87eb23ee
* fix(node-vm): scripting context and module resolution issues Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(node-vm): use vm.createContext for true isolation and fix prototype mismatches - Replace vm.compileFunction with vm.createContext + runInContext for true isolation - Remove ECMAScript built-ins from safeGlobals (VM provides its own versions) - This fixes prototype chain mismatches that broke libraries like @faker-js/faker - Add sanitized process object (allows env, blocks exit/kill) - Add global/globalThis pointing to isolated context (not host) - Extract safe globals to constants.js for maintainability - Remove typed-arrays mixin (VM provides TypedArrays) - Add comprehensive isolation tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(node-vm): remove process, add Error types and TypedArrays mixin, add jose test - Remove process object from script context (security hardening) - Remove createSanitizedProcess function from constants.js - Add Error types to safeGlobals for instanceof checks with host errors - Add TypedArrays mixin for host API compatibility (TextEncoder, crypto, Buffer) - Add jose library and test for JWT sign/verify functionality - Update tests to reflect process removal Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(node-vm): handle circular dependencies and failed module caching - Pre-populate module cache before execution to support circular requires - Cache moduleObj instead of moduleObj.exports to handle module.exports reassignment - Remove failed modules from cache to allow retry - Add test for circular dependency handling Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(node-vm): spread all context properties in buildScriptContext Instead of explicitly listing each context property, spread all properties from the context input to support future additions. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(node-vm): add filtered process object to script context Expose a sanitized process object with only safe read-only properties (argv, version, arch, platform, pid, features) while keeping env empty for security. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * test(node-vm): add comprehensive tests for Node.js builtins Add 18 test files for Node.js builtin APIs in developer sandbox mode: - Buffer, URL, TextEncoder/TextDecoder, btoa/atob - Web Crypto API and node:crypto module - Timers (setTimeout, setInterval, setImmediate, queueMicrotask) - Fetch API (Request, Response, Headers, FormData, Blob) - Intl formatters, JSON, Events (Event, EventTarget, CustomEvent) - Node modules: fs, path, os, util, stream, zlib, querystring All tests skip in safe mode using bru.runner.skipRequest(). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(node-vm): address CodeRabbit review feedback - Block absolute paths from bypassing security by routing through loadLocalModule - Fix process tests to expect sanitized object instead of undefined - Fix cache test to verify module executes only once - Add tests for absolute path handling (block outside, allow within roots) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: lint issues * fix(node-vm): recontextualize host objects for cross-context deep equality Objects passed from the host context into the Node VM have different Object/Array constructors than objects created inside the VM. This breaks deep equality checks in libraries like AJV, where fast-deep-equal fails on `a.constructor !== b.constructor` for structurally identical objects. Add recontextualizeScript to utils.js that wraps getter methods (res.getBody, res.getHeaders, req.getBody, req.getHeaders, req.getPathParams, req.getTags, bru.getVar) to JSON round-trip returned objects inside the VM, giving them VM-native prototypes. Add external-lib-with-bru-req-res-objects package and tests to verify bru/req/res accessibility from npm modules. Update ajv.bru tests to validate res.getBody() against AJV schemas with enum on nested objects. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(node-vm): update spec to use saved mock refs after recontextualize The recontextualizeScript wraps res.getBody with a JSON round-trip function, replacing the jest mock on the context object. Save mock references before calling runScriptInNodeVm so assertions work. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(node-vm): shallow-copy mutable process properties in sandbox process.argv, process.versions, and process.features were passed by reference, allowing sandboxed scripts to mutate the host process. Shallow-copy these properties to prevent leaking mutable references. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(node-vm): use recursive clone in toVMNative instead of JSON round-trip JSON.stringify converts undefined to null in arrays, breaking tests like res.setBody([..., undefined, ...]). Replace with recursive clone that creates new VM-native objects/arrays while preserving undefined values. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(node-vm): generalize recontextualize to wrap all bru/req/res methods Instead of hardcoding specific method names, walk the prototype chain with Object.getOwnPropertyNames to discover and wrap all methods that return Objects/Arrays. Async methods (sendRequest, runRequest) get their resolved values wrapped. The res callable and res.body/res.headers are also recontextualized for direct access and query usage. Adds integration tests for VM-native prototype checks across res, req, bru APIs, res() callable queries, and bru.sendRequest patterns. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * revert(node-vm): remove recontextualizeScript and related tests The recontextualize approach of wrapping all bru/req/res methods to return VM-native objects is being reverted in favor of a different solution to the cross-context prototype mismatch issue. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(node-vm): expose full process object in developer sandbox via safeGlobals * test(node-vm): update process tests for full process object in developer sandbox * test(node-vm): update spec to verify process.nextTick availability --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
58 lines
1.5 KiB
Plaintext
58 lines
1.5 KiB
Plaintext
meta {
|
|
name: buffer
|
|
type: http
|
|
seq: 1
|
|
}
|
|
|
|
get {
|
|
url: {{host}}/ping
|
|
body: none
|
|
auth: none
|
|
}
|
|
|
|
script:pre-request {
|
|
// Skip in safe mode - these tests require developer sandbox
|
|
if (bru.isSafeMode()) {
|
|
bru.runner.skipRequest();
|
|
return;
|
|
}
|
|
}
|
|
|
|
tests {
|
|
test("Buffer.from and toString", function() {
|
|
const buf = Buffer.from('hello bruno', 'utf8');
|
|
expect(buf.toString()).to.equal('hello bruno');
|
|
expect(buf.toString('base64')).to.equal('aGVsbG8gYnJ1bm8=');
|
|
expect(buf.toString('hex')).to.equal('68656c6c6f206272756e6f');
|
|
expect(buf.length).to.equal(11);
|
|
});
|
|
|
|
test("Buffer.from with base64 and hex", function() {
|
|
expect(Buffer.from('aGVsbG8=', 'base64').toString()).to.equal('hello');
|
|
expect(Buffer.from('68656c6c6f', 'hex').toString()).to.equal('hello');
|
|
});
|
|
|
|
test("Buffer.alloc", function() {
|
|
const buf = Buffer.alloc(10, 0);
|
|
expect(buf.length).to.equal(10);
|
|
expect(buf[0]).to.equal(0);
|
|
});
|
|
|
|
test("Buffer.concat", function() {
|
|
const result = Buffer.concat([Buffer.from('hello '), Buffer.from('world')]);
|
|
expect(result.toString()).to.equal('hello world');
|
|
});
|
|
|
|
test("Buffer.isBuffer", function() {
|
|
expect(Buffer.isBuffer(Buffer.from('test'))).to.equal(true);
|
|
expect(Buffer.isBuffer('string')).to.equal(false);
|
|
expect(Buffer.isBuffer(new Uint8Array(4))).to.equal(false);
|
|
});
|
|
|
|
test("Buffer.subarray", function() {
|
|
const buf = Buffer.from('hello bruno');
|
|
expect(buf.subarray(0, 5).toString()).to.equal('hello');
|
|
expect(buf.subarray(6).toString()).to.equal('bruno');
|
|
});
|
|
}
|