feat(#306): module whitelisting support

packages/bruno-js/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@usebruno/js",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "license": "MIT",
   "main": "src/index.js",
   "files": [

packages/bruno-js/src/runtime/script-runtime.js

@@ -8,6 +8,7 @@ const zlib = require('zlib');
 const url = require('url');
 const punycode = require('punycode');
 const fs = require('fs');
+const { get } = require('lodash');
 const Bru = require('../bru');
 const BrunoRequest = require('../bruno-request');
 const BrunoResponse = require('../bruno-response');
@@ -38,10 +39,23 @@ class ScriptRuntime {
     collectionPath,
     onConsoleLog,
     processEnvVars,
-    allowScriptFilesystemAccess
+    scriptingConfig
   ) {
     const bru = new Bru(envVariables, collectionVariables, processEnvVars, collectionPath);
     const req = new BrunoRequest(request);
+    const allowScriptFilesystemAccess = get(scriptingConfig, 'filesystemAccess.allow', false);
+    const moduleWhitelist = get(scriptingConfig, 'moduleWhitelist', []);
+
+    const whitelistedModules = {};
+
+    for (let module of moduleWhitelist) {
+      try {
+        whitelistedModules[module] = require(module);
+      } catch (e) {
+        // Ignore
+        console.warn(e);
+      }
+    }
 
     const context = {
       bru,
@@ -89,6 +103,7 @@ class ScriptRuntime {
           chai,
           'node-fetch': fetch,
           'crypto-js': CryptoJS,
+          ...whitelistedModules,
           fs: allowScriptFilesystemAccess ? fs : undefined
         }
       }
@@ -111,11 +126,24 @@ class ScriptRuntime {
     collectionPath,
     onConsoleLog,
     processEnvVars,
-    allowScriptFilesystemAccess
+    scriptingConfig
   ) {
     const bru = new Bru(envVariables, collectionVariables, processEnvVars, collectionPath);
     const req = new BrunoRequest(request);
     const res = new BrunoResponse(response);
+    const allowScriptFilesystemAccess = get(scriptingConfig, 'filesystemAccess.allow', false);
+    const moduleWhitelist = get(scriptingConfig, 'moduleWhitelist', []);
+
+    const whitelistedModules = {};
+
+    for (let module of moduleWhitelist) {
+      try {
+        whitelistedModules[module] = require(module);
+      } catch (e) {
+        // Ignore
+        console.warn(e);
+      }
+    }
 
     const context = {
       bru,
@@ -163,6 +191,7 @@ class ScriptRuntime {
           axios,
           'node-fetch': fetch,
           'crypto-js': CryptoJS,
+          ...whitelistedModules,
           fs: allowScriptFilesystemAccess ? fs : undefined
         }
       }

packages/bruno-js/src/runtime/test-runtime.js

@@ -9,6 +9,7 @@ const zlib = require('zlib');
 const url = require('url');
 const punycode = require('punycode');
 const fs = require('fs');
+const { get } = require('lodash');
 const Bru = require('../bru');
 const BrunoRequest = require('../bruno-request');
 const BrunoResponse = require('../bruno-response');
@@ -38,11 +39,24 @@ class TestRuntime {
     collectionPath,
     onConsoleLog,
     processEnvVars,
-    allowScriptFilesystemAccess
+    scriptingConfig
   ) {
     const bru = new Bru(envVariables, collectionVariables, processEnvVars, collectionPath);
     const req = new BrunoRequest(request);
     const res = new BrunoResponse(response);
+    const allowScriptFilesystemAccess = get(scriptingConfig, 'filesystemAccess.allow', false);
+    const moduleWhitelist = get(scriptingConfig, 'moduleWhitelist', []);
+
+    const whitelistedModules = {};
+
+    for (let module of moduleWhitelist) {
+      try {
+        whitelistedModules[module] = require(module);
+      } catch (e) {
+        // Ignore
+        console.warn(e);
+      }
+    }
 
     const __brunoTestResults = new TestResults();
     const test = Test(__brunoTestResults, chai);
@@ -106,6 +120,7 @@ class TestRuntime {
           nanoid,
           chai,
           'crypto-js': CryptoJS,
+          ...whitelistedModules,
           fs: allowScriptFilesystemAccess ? fs : undefined
         }
       }