added ECMA Code Sandbox connector Implementation

Author: zubairirfan96

packages/core/package.json

@@ -78,6 +78,7 @@
         "image-size": "^1.1.1",
         "ioredis": "^5.4.1",
         "isbinaryfile": "^5.0.2",
+        "isolated-vm": "^6.0.0",
         "joi": "^17.13.1",
         "js-yaml": "^4.1.0",
         "jsonrepair": "^3.8.0",

packages/core/src/Core/ConnectorsService.ts

@@ -18,6 +18,7 @@ import { ManagedVaultConnector } from '@sre/Security/ManagedVault.service/Manage
 import { LogConnector } from '@sre/IO/Log.service/LogConnector';
 import { ComponentConnector } from '@sre/AgentManager/Component.service/ComponentConnector';
 import { ModelsProviderConnector } from '@sre/LLMManager/ModelsProvider.service/ModelsProviderConnector';
+import { CodeConnector } from '@sre/ComputeManager/Code.service/CodeConnector';
 const console = Logger('ConnectorService');
 
 let ServiceRegistry: TServiceRegistry = {};
@@ -182,9 +183,8 @@ export class ConnectorService {
         return ConnectorService.getInstance<RouterConnector>(TConnectorService.Router, name);
     }
 
-
-    static getCodeConnector(name?: string): RouterConnector {
-        return ConnectorService.getInstance<RouterConnector>(TConnectorService.Code, name);
+    static getCodeConnector(name?: string): CodeConnector {
+        return ConnectorService.getInstance<CodeConnector>(TConnectorService.Code, name);
     }
 }
 

packages/core/src/helpers/ECMASandbox.helper.ts

@@ -0,0 +1,106 @@
+import ivm from 'isolated-vm';
+import https from 'https';
+
+function extractFetchUrls(str) {
+    const regex = /\/\/@fetch\((https?:\/\/[^\s]+)\)/g;
+    let match;
+    const urls = [];
+
+    while ((match = regex.exec(str)) !== null) {
+        urls.push(match[1]);
+    }
+
+    return urls;
+}
+function fetchCodeFromCDN(url) {
+    return new Promise((resolve, reject) => {
+        https
+            .get(url, (res) => {
+                let data = '';
+                res.on('data', (chunk) => (data += chunk));
+                res.on('end', () => resolve(data));
+            })
+            .on('error', reject);
+    });
+}
+
+async function setupIsolate() {
+    try {
+        const isolate = new ivm.Isolate({ memoryLimit: 128 });
+        const context = await isolate.createContext();
+        const jail = context.global;
+        await jail.set('global', jail.derefInto());
+
+        // Define a SafeBuffer object
+        const ___internal = {
+            b64decode: (str) => Buffer.from(str, 'base64').toString('utf8'),
+            b64encode: (str) => Buffer.from(str, 'utf8').toString('base64'),
+        };
+
+        //const closureStr =
+        const keys = Object.keys(___internal);
+        const functions = keys.map((key) => ___internal[key]);
+        const closure = `
+    globalThis.___internal = {
+        ${keys.map((key, i) => `${key}: $${i}`).join(',\n')}
+    }`;
+
+        await context.evalClosure(closure, functions);
+
+        return { isolate, context, jail };
+    } catch (error) {
+        console.error(error);
+        throw error;
+    }
+}
+
+export async function runJs(code: string) {
+    try {
+        if (!code) {
+            throw new Error('No code provided');
+        }
+
+        if (!code.endsWith(';')) code += ';';
+
+        let scriptCode = '';
+        const { isolate, context, jail } = await setupIsolate();
+        const remoteUrls = await extractFetchUrls(code);
+        for (const url of remoteUrls) {
+            const remoteCode = await fetchCodeFromCDN(url);
+            context.eval(`${remoteCode}`);
+        }
+        const randomId = Math.random().toString(36).substring(2, 15);
+        const resId = `res${randomId}`;
+        scriptCode = `
+      var ${resId}; 
+      ${code};
+
+      ${resId} = JSON.stringify(_output); 
+      ${resId};
+    `;
+        const script: any = await isolate.compileScript(scriptCode).catch((err) => {
+            console.error(err);
+            return { error: 'Compile Error - ' + err.message };
+        });
+        if (script?.error) {
+            throw new Error(script.error);
+        }
+
+        const rawResult = await script.run(context).catch((err) => {
+            console.error(err);
+            return { error: 'Run Error - ' + err.message };
+        });
+        if (rawResult?.error) {
+            throw new Error(rawResult.error);
+        }
+
+        // Transfer the result out of the isolate and parse it
+        //const serializedResult = rawResult.copySync();
+        const Output = JSON.parse(rawResult);
+
+        return Output;
+    } catch (error) {
+        console.error(error);
+        throw new Error(error.message);
+    }
+}

packages/core/src/index.ts

@@ -56,6 +56,7 @@ export * from './Core/SystemEvents';
 export * from './helpers/AWSLambdaCode.helper';
 export * from './helpers/BinaryInput.helper';
 export * from './helpers/Conversation.helper';
+export * from './helpers/ECMASandbox.helper';
 export * from './helpers/JsonContent.helper';
 export * from './helpers/LocalCache.helper';
 export * from './helpers/Log.helper';
@@ -149,6 +150,7 @@ export * from './subsystems/AgentManager/AgentData.service/connectors/LocalAgent
 export * from './subsystems/AgentManager/AgentData.service/connectors/NullAgentData.class';
 export * from './subsystems/AgentManager/Component.service/connectors/LocalComponentConnector.class';
 export * from './subsystems/ComputeManager/Code.service/connectors/AWSLambdaCode.class';
+export * from './subsystems/ComputeManager/Code.service/connectors/ECMASandbox.class';
 export * from './subsystems/IO/Log.service/connectors/ConsoleLog.class';
 export * from './subsystems/IO/NKV.service/connectors/NKVLocalStorage.class';
 export * from './subsystems/IO/NKV.service/connectors/NKVRAM.class';

packages/core/src/subsystems/ComputeManager/Code.service/connectors/ECMASandbox.class.ts

@@ -0,0 +1,107 @@
+import { IAccessCandidate, TAccessLevel } from '@sre/types/ACL.types';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { CodeConfig, CodePreparationResult, CodeConnector, CodeInput, CodeDeployment, CodeExecutionResult } from '../CodeConnector';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { Logger } from '@sre/helpers/Log.helper';
+import axios from 'axios';
+import { runJs } from '@sre/helpers/ECMASandbox.helper';
+
+const console = Logger('ECMASandbox');
+export class ECMASandbox extends CodeConnector {
+    public name = 'ECMASandbox';
+    private sandboxUrl: string;
+
+    constructor(config: { sandboxUrl: string }) {
+        super(config);
+        this.sandboxUrl = config.sandboxUrl;
+    }
+    public async prepare(acRequest: AccessRequest, codeUID: string, input: CodeInput, config: CodeConfig): Promise<CodePreparationResult> {
+        return {
+            prepared: true,
+            errors: [],
+            warnings: [],
+        };
+    }
+
+    public async deploy(acRequest: AccessRequest, codeUID: string, input: CodeInput, config: CodeConfig): Promise<CodeDeployment> {
+        return {
+            id: codeUID,
+            runtime: config.runtime,
+            createdAt: new Date(),
+            status: 'Deployed',
+        };
+    }
+
+    public async execute(acRequest: AccessRequest, codeUID: string, inputs: Record<string, any>, config: CodeConfig): Promise<CodeExecutionResult> {
+        try {
+            if (!this.sandboxUrl) {
+                // run js code in isolated vm
+                console.debug('Running code in isolated vm');
+                const result = await runJs(inputs.code);
+                console.debug(`Code result: ${result}`);
+                return {
+                    output: result?.Output,
+                    executionTime: 0,
+                    success: true,
+                    errors: [],
+                };
+            } else {
+                console.debug('Running code in remote sandbox');
+                const result: any = await axios.post(this.sandboxUrl, { code: inputs.code }).catch((error) => ({ error }));
+                if (result.error) {
+
+                    const error = result.error?.response?.data || result.error?.message || result.error.toString() || 'Unknown error';
+                    console.error(`Error running code: ${JSON.stringify(error, null, 2)}`);
+                    return {
+                        output: undefined,
+                        executionTime: 0,
+                        success: false,
+                        errors: [error],
+                    };
+                } else {
+                    console.debug(`Code result: ${result?.data?.Output}`);
+                    return {
+                        output: result.data?.Output,
+                        executionTime: 0,
+                        success: true,
+                        errors: [],
+                    };
+                }
+            }
+        } catch (error) {
+            console.error(`Error running code: ${error}`);
+            return {
+                output: undefined,
+                executionTime: 0,
+                success: false,
+                errors: [error],
+            };
+        }
+    }
+    public async executeDeployment(acRequest: AccessRequest, codeUID: string, deploymentId: string, inputs: Record<string, any>, config: CodeConfig): Promise<CodeExecutionResult> {
+        const result = await this.execute(acRequest, codeUID, inputs, config);
+        return result;
+    }
+
+    public async listDeployments(acRequest: AccessRequest, codeUID: string, config: CodeConfig): Promise<CodeDeployment[]> {
+        return [];
+    }
+
+    public async getDeployment(acRequest: AccessRequest, codeUID: string, deploymentId: string, config: CodeConfig): Promise<CodeDeployment | null> {
+        return null;
+    }
+
+    public async deleteDeployment(acRequest: AccessRequest, codeUID: string, deploymentId: string): Promise<void> {
+        return;
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL> {
+        const acl = new ACL();
+
+        //give Read access everytime
+        //FIXME: !!!!!! IMPORTANT !!!!!!  this implementation have to be changed in order to reflect the security model of AWS Lambda
+        acl.addAccess(candidate.role, candidate.id, TAccessLevel.Read);
+
+        return acl;
+    }
+}

packages/core/src/subsystems/ComputeManager/Code.service/index.ts

@@ -3,9 +3,11 @@
 import { ConnectorService, ConnectorServiceProvider } from '@sre/Core/ConnectorsService';
 import { TConnectorService } from '@sre/types/SRE.types';
 import { AWSLambdaCode } from './connectors/AWSLambdaCode.class';
+import { ECMASandbox } from './connectors/ECMASandbox.class';
 
 export class CodeService extends ConnectorServiceProvider {
     public register() {
         ConnectorService.register(TConnectorService.Code, 'AWSLambda', AWSLambdaCode);
+        ConnectorService.register(TConnectorService.Code, 'ECMASandbox', ECMASandbox);
     }
 }

packages/core/tests/unit/core/ecma-sandbox.test.ts

@@ -0,0 +1,38 @@
+import { describe, expect, it } from 'vitest';
+import { setupSRE } from '../../utils/sre';
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { IAccessCandidate, TAccessRole } from 'index';
+
+setupSRE({
+    Code: {
+        Connector: 'ECMASandbox',
+        Settings: {
+            sandboxUrl: 'http://localhost:6100/run-js',
+        },
+    },
+    Log: {
+        Connector: 'ConsoleLog',
+    },
+});
+
+describe('ECMASandbox Tests', () => {
+    it(
+        'Runs a simple code and returns the output',
+        async () => {
+            const mockCandidate: IAccessCandidate = {
+                id: 'test-user',
+                role: TAccessRole.User,
+            };
+            
+            const codeConnector = ConnectorService.getCodeConnector('ECMASandbox');
+            const result = await codeConnector.agent(mockCandidate.id).execute(Date.now().toString(), {
+                code: 'let _output=undefined;\nconsole.log("Hello, world!");\n_output=1;',
+            }, {});
+
+            const output = result.output;
+
+            expect(output).toBe(1);
+        },
+    );
+
+});