BREAKING CHANGE: [#0] Changes JavaScript evaluation to be disabled by default

Author: capricorn86

integration-test/package.json

@@ -10,7 +10,7 @@
 		"access": "restricted"
 	},
 	"scripts": {
-		"test": "cd ./test && ls | node --test && node ./browser-exception-observer/BrowserExceptionObserver.test.js",
+		"test": "cd ./test && ls | node --disallow-code-generation-from-strings --test && node --disallow-code-generation-from-strings ./browser-exception-observer/BrowserExceptionObserver.test.js",
 		"test:debug": "cd ./test && ls | node --inspect-brk"
 	},
 	"devDependencies": {

integration-test/test/Browser.test.js

@@ -7,6 +7,7 @@ describe('Browser', () => {
 		const browser = new Browser({
 			settings: {
 				errorCapture: BrowserErrorCaptureEnum.processLevel,
+				enableJavaScriptEvaluation: true,
 
 				// Github.com has a timer that is very long (hours) and a timer loop that never ends.
 				timer: {
@@ -47,7 +48,8 @@ describe('Browser', () => {
 	it('Goes to "npmjs.com".', async () => {
 		const browser = new Browser({
 			settings: {
-				errorCapture: BrowserErrorCaptureEnum.processLevel
+				errorCapture: BrowserErrorCaptureEnum.processLevel,
+				enableJavaScriptEvaluation: true
 			}
 		});
 		const page = browser.newPage();

integration-test/test/WindowGlobals.test.js

@@ -4,7 +4,7 @@ import { describe, it } from 'node:test';
 
 describe('WindowGlobals', () => {
 	it('Functions should have the constructor global.Function.', () => {
-		const window = new Window();
+		const window = new Window({ settings: { enableJavaScriptEvaluation: true } });
 		let error = null;
 		window.addEventListener('error', (event) => (error = event.error));
 		window.document.write(`
@@ -18,7 +18,7 @@ describe('WindowGlobals', () => {
 	});
 
 	it('Object should have the constructor global.Object.', () => {
-		const window = new Window();
+		const window = new Window({ settings: { enableJavaScriptEvaluation: true } });
 		let error = null;
 		window.addEventListener('error', (event) => (error = event.error));
 		window.document.write(`
@@ -32,7 +32,7 @@ describe('WindowGlobals', () => {
 	});
 
 	it('Binds global methods to the Window context.', () => {
-		const window = new Window();
+		const window = new Window({ settings: { enableJavaScriptEvaluation: true } });
 		let error = null;
 		window.addEventListener('error', (event) => (error = event.error));
 		window.document.write(`

integration-test/test/browser-exception-observer/BrowserExceptionObserver.test.js

@@ -21,7 +21,10 @@ await describe('BrowserExceptionObserver', async () => {
 	await describe('observe()', async () => {
 		await it('Observes unhandled fetch rejections.', async () => {
 			const browser = new Browser({
-				settings: { errorCapture: BrowserErrorCaptureEnum.processLevel }
+				settings: {
+					errorCapture: BrowserErrorCaptureEnum.processLevel,
+					enableJavaScriptEvaluation: true
+				}
 			});
 			const page = browser.newPage();
 			const window = page.mainFrame.window;
@@ -58,7 +61,10 @@ await describe('BrowserExceptionObserver', async () => {
 
 		await it('Observes uncaught exceptions.', async () => {
 			const browser = new Browser({
-				settings: { errorCapture: BrowserErrorCaptureEnum.processLevel }
+				settings: {
+					errorCapture: BrowserErrorCaptureEnum.processLevel,
+					enableJavaScriptEvaluation: true
+				}
 			});
 			const page = browser.newPage();
 			const window = page.mainFrame.window;

packages/@happy-dom/server-renderer/src/ServerRenderer.ts

@@ -197,6 +197,7 @@ export default class ServerRenderer {
 					return;
 				}
 				const worker = new Worker(new URL('ServerRendererWorker.js', import.meta.url), {
+					execArgv: ['--disallow-code-generation-from-strings'],
 					workerData: {
 						configuration: configuration
 					}

packages/@happy-dom/server-renderer/src/config/DefaultServerRendererConfiguration.ts

@@ -5,7 +5,13 @@ import OS from 'os';
 import { BrowserErrorCaptureEnum } from 'happy-dom';
 
 export default <IServerRendererConfiguration>{
-	browser: { ...DefaultBrowserSettings, errorCapture: BrowserErrorCaptureEnum.processLevel },
+	browser: {
+		...DefaultBrowserSettings,
+		errorCapture: BrowserErrorCaptureEnum.processLevel,
+		// This is enabled by default as the entire point of this package is to server-render client side JavaScript.
+		// "--disallow-code-generation-from-strings" is enabled on workers to prevent escape of the VM context.
+		enableJavaScriptEvaluation: true
+	},
 	outputDirectory: './happy-dom/render',
 	logLevel: ServerRendererLogLevelEnum.info,
 	debug: false,

packages/@happy-dom/server-renderer/src/utilities/HelpPrinterRows.ts

@@ -126,12 +126,19 @@ export default [
 		'1'
 	],
 	[
-		'--browser.disableJavascriptEvaluation',
+		'--browser.disableJavaScriptEvaluation',
 		'',
 		'boolean',
 		'Disables JavaScript evaluation.',
 		'false'
 	],
+	[
+		'--browser.suppressCodeGenerationFromStringsWarning',
+		'',
+		'boolean',
+		'Suppresses the warning that is printed when code generation from strings is enabled at process level',
+		'false'
+	],
 	[
 		'--browser.disableJavaScriptFileLoading',
 		'',

packages/@happy-dom/server-renderer/src/utilities/ProcessArgumentsParser.ts

@@ -40,7 +40,9 @@ export default class ProcessArgumentsParser {
 				} else if (arg === '--help' || arg === '-h') {
 					config.help = true;
 				} else if (arg === '--browser.disableJavaScriptEvaluation') {
-					config.browser.disableJavaScriptEvaluation = true;
+					config.browser.enableJavaScriptEvaluation = false;
+				} else if (arg === '--browser.suppressCodeGenerationFromStringsWarning') {
+					config.browser.suppressCodeGenerationFromStringsWarning = true;
 				} else if (arg === '--browser.disableJavaScriptFileLoading') {
 					config.browser.disableJavaScriptFileLoading = true;
 				} else if (arg === '--browser.disableCSSFileLoading') {

packages/@happy-dom/server-renderer/test/MockedWorker.ts

@@ -2,13 +2,16 @@ import IServerRendererConfiguration from '../src/types/IServerRendererConfigurat
 import IServerRendererItem from '../src/types/IServerRendererItem';
 import IServerRendererResult from '../src/types/IServerRendererResult';
 
+type TEvent = 'message' | 'error' | 'exit';
+
 /**
- *
+ * Mocked worker.
  */
 export default class MockedWorker {
 	public static openWorkers: MockedWorker[] = [];
 	public static terminatedWorkers: MockedWorker[] = [];
 	public scriptPath: string;
+	public execArgv: string[] = [];
 	public workerData: {
 		configuration: IServerRendererConfiguration;
 	};
@@ -25,13 +28,16 @@ export default class MockedWorker {
 	public isTerminated: boolean = false;
 
 	/**
+	 * Constructor.
 	 *
-	 * @param scriptPath
-	 * @param options
-	 * @param options.workerData
+	 * @param scriptPath Script path.
+	 * @param options Options.
+	 * @param options.execArgv Exec arguments.
+	 * @param options.workerData Worker data.
 	 */
-	constructor(scriptPath: string, options: { workerData: any }) {
+	constructor(scriptPath: string, options: { execArgv: string[]; workerData: any }) {
 		this.scriptPath = scriptPath;
+		this.execArgv = options.execArgv;
 		this.workerData = options.workerData;
 		(<typeof MockedWorker>this.constructor).openWorkers.push(this);
 	}
@@ -41,7 +47,7 @@ export default class MockedWorker {
 	 * @param event
 	 * @param listener
 	 */
-	public on(event: string, listener: any): void {
+	public on(event: TEvent, listener: any): void {
 		this.listeners[event].push(listener);
 	}
 
@@ -50,7 +56,7 @@ export default class MockedWorker {
 	 * @param event
 	 * @param listener
 	 */
-	public off(event: string, listener: any): void {
+	public off(event: TEvent, listener: any): void {
 		const index = this.listeners[event].indexOf(listener);
 		this.listeners[event].splice(index, 1);
 	}

packages/@happy-dom/server-renderer/test/ServerRenderer.test.ts

@@ -58,6 +58,8 @@ describe('ServerRenderer', () => {
 					'file://' + Path.resolve(Path.join('src', 'ServerRendererWorker.js'))
 				);
 
+				expect(worker.execArgv).toEqual(['--disallow-code-generation-from-strings']);
+
 				expect(worker.workerData.configuration.cache.directory).toBe(
 					Path.resolve(Path.join('happy-dom', 'cache'))
 				);
@@ -214,6 +216,8 @@ describe('ServerRenderer', () => {
 					'file://' + Path.resolve(Path.join('src', 'ServerRendererWorker.js'))
 				);
 
+				expect(worker.execArgv).toEqual(['--disallow-code-generation-from-strings']);
+
 				expect(worker.workerData.configuration.cache.directory).toBe(
 					Path.resolve(Path.join('happy-dom', 'cache'))
 				);