Script editor plugin

Good morning! I am writing a plugin for Camunda Modeler which adds a ‘code editor’ for script tasks. I would like to add a simple ‘output’ field which executes the code just for debugging purposes (like console.logs), but CSP is (well, rightfully) blocking it.
Is there a way to bypass it and evaluate the script in a safe environment?

That's a really nice idea!
Sadly I'm not sure about how you might fix the problem, but I'd love to see how the plugin comes along!

1 Like

Script editor sounds like an amazing extension :tada:.

Could you provide some more insight into what you’re trying to achieve that is being blocked by CSP? If you provide us with a minimal proof of concept that fails, we can look into a resolution.

Electron provides dedicated APIs to execute custom JavaScript in an isolated, safe environment. See this blog for example. If necessary we could consider exposing such APIs within the editor.

3 Likes

Hi Nikku :slight_smile:
Sure! Let’s say I write some code in my editor for a script task.
I made a simple executor function which does just this:

export default function executeCode(code) {
  try {
    // Compile the editor contents into a function and run it immediately.
    // This is the call that CSP rejects when 'unsafe-eval' is not allowed.
    (new Function(code))();
  } catch (error) {
    // Surface compile and runtime errors in the DevTools console.
    console.error(error);
  }
}

Maybe it’s also preprocessed by babel, I’m still deciding. Anyway, what I do is just write the code with some console.logs (which I capture by overriding the console calls), click on a ‘run’ button which calls this executeCode function, and I receive this log error.

console.js:40 EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

at new Function (<anonymous>)
at executeCode (executor.js:16)
at HTMLAnchorElement.run.onclick (CodeEditor.js:182)

console.error @ console.js:40
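As an added example (not the plugin's code), here is how the run button's executor could be written so that it first feature-detects whether the host page permits string evaluation at all, turning the raw EvalError above into a readable message, and then captures console output while always restoring the real console, even when the snippet throws. It still relies on new Function, so inside the Modeler it reports the CSP block rather than working around it; the helper names are assumptions.

```javascript
// Added example, not code from the plugin.

// Feature-detect 'unsafe-eval'. Under a policy such as "script-src 'self'"
// the Function constructor throws an EvalError before any code runs.
function stringEvalAllowed() {
  try {
    new Function('');          // compiles an empty body, executes nothing
    return true;
  } catch (err) {
    if (err instanceof EvalError) return false;
    throw err;                 // anything else is a real bug; surface it
  }
}

// Execute `code`, collecting console.log/console.error lines into an array
// instead of letting them reach the DevTools console.
function runCaptured(code) {
  const lines = [];
  if (!stringEvalAllowed()) {
    return { ok: false, lines, error: 'EvalError: string evaluation is blocked by the page Content Security Policy' };
  }
  const original = { log: console.log, error: console.error };
  const capture = (level) => (...args) => { lines.push(`[${level}] ${args.map(String).join(' ')}`); };
  console.log = capture('log');
  console.error = capture('error');
  try {
    new Function(code)();
    return { ok: true, lines, error: null };
  } catch (err) {
    return { ok: false, lines, error: `${err.name}: ${err.message}` };
  } finally {
    // Always restore, or the plugin's own logging silently disappears.
    console.log = original.log;
    console.error = original.error;
  }
}

// Usage: runCaptured('console.log("hello", 42); console.error("boom");')
// returns { ok: true, lines: ['[log] hello 42', '[error] boom'], error: null }
```

The detection step matters because the EvalError is thrown by the constructor call itself, so a snippet is never partially executed; the `finally` block matters because the patched console would otherwise swallow the plugin's own diagnostics after the first failing run.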

Side note: GitHub - igorsimko/camunda-script-editor-plugin: CodeMirror script editor for Camunda modeler

Thank you for the link. The thing is, I am already at this point: I created my own script editor plugin with CodeMirror too and it is working. What I need is a way to execute the code in a safe environment inside Camunda Modeler.
Probably exposing the Electron dedicated API webContents.executeJavaScriptInIsolatedWorld should do the trick.
Please let me know.
Thank you very much.

Good evening! I just published our code editor on GitHub. Please feel free to look at the code; I am still stuck on the CSP error.
Let me know your considerations, I’d really appreciate your opinion.

2 Likes

Great job. Much needed pattern.

1 Like

This is really great! Thanks for contributing!

Hi @daimadoshi85
I wanted to give it a try. Do I have to build the plugin myself, or is it enough to clone it into the plugins folder?
I ask because just cloning did not work:

There is a zip released on GitHub. Download it and please make sure to unzip the folder into the camunda-modeler/resources/plugins folder.
Otherwise, you can clone the project, run npm install && npm run all and copy the cloned folder to the folder I wrote above.

@daimadoshi85 thanks, I can now start the plugin.

However, if I push the RUN button I get the following exception:

That’s correct as of now. It’s, well… why I made this topic :slight_smile:

Running a script does not work now, because it’s blocked by the CSP policy. I just kept it to show the exception to the Camunda developers.

Ah ok, it would be great if you could add a how-to-use / limitations chapter to your GitHub README (an example with the context would also be appreciated :wink: ).

Thanks for the cool plugin, this will help a lot. I will definitely try it out!

1 Like

I did a quick try using JS-Interpreter with the latest acorn release and that did not break CSP. Of course, it’s probably a far cry from a browser JS engine and possibly not even on par with Nashorn. Might need polyfills. :thinking:

2 Likes

For the purposes I meant to achieve, it could be one possible solution. Thank you! I’ll certainly give it a try!

I don’t know if the acorn version makes any difference. Version 0.8.0 seems to be the first one to include the acorn_csp build, which works in the sandbox. The latest versions work by default. JS-Interpreter’s interpreter.js required a few changes: 1) importing acorn into its namespace: var acorn = require("acorn"); 2) exporting the module: module.exports = Interpreter; 3) patching it to not try to dynamically require Node’s vm module (it can fall back to other methods).

1 Like
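To make the JS-Interpreter route from the two posts above concrete, here is an added example (not JS-Interpreter's code) of a toy AST-walking interpreter for a tiny expression language. The script is tokenized, parsed and walked as data and is never handed to eval() or new Function(), so a policy without 'unsafe-eval' is simply not involved; the script can only reach the variables and host functions that runScript injects (here just `log`), which is also what makes error capture controllable. The grammar, the helper names and the sample scripts are assumptions made for illustration.

```javascript
// Added example, not JS-Interpreter's code: a toy AST-walking interpreter
// for a tiny expression language. The script is parsed and walked as data,
// never passed to eval() or new Function(), so a CSP without 'unsafe-eval'
// is not involved, and the script can only reach the variables and host
// functions injected by runScript. Grammar and sample inputs are assumptions.

// Tokenizer: numbers, identifiers, "strings", single-char operators.
function tokenize(src) {
  const tokens = [];
  const re = /\s+|(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|"([^"]*)"|([-+*\/()=;,])|(.)/g;
  for (const m of src.matchAll(re)) {
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]), pos: m.index });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2], pos: m.index });
    else if (m[3] !== undefined) tokens.push({ type: 'str', value: m[3], pos: m.index });
    else if (m[4] !== undefined) tokens.push({ type: 'op', value: m[4], pos: m.index });
    else if (m[5] !== undefined) throw new SyntaxError(`Unexpected character '${m[5]}' at ${m.index}`);
  }
  tokens.push({ type: 'eof', value: null, pos: src.length });
  return tokens;
}

// Recursive-descent parser producing a small AST; every node carries `pos`
// so runtime errors can point back into the editor text.
class Parser {
  constructor(tokens) { this.toks = tokens; this.i = 0; }
  peek() { return this.toks[this.i]; }
  next() { return this.toks[this.i++]; }
  isOp(v) { return this.peek().type === 'op' && this.peek().value === v; }
  expect(type, value) {
    const t = this.next();
    if (t.type !== type || (value !== undefined && t.value !== value)) throw new SyntaxError(`Expected ${value ?? type} at ${t.pos}`);
    return t;
  }
  program() {
    const body = [];
    while (this.peek().type !== 'eof') { body.push(this.expr()); this.expect('op', ';'); }
    return { type: 'Program', body };
  }
  // Precedence climbing: + and - bind looser than * and /.
  expr() { return this.binary(['+', '-'], () => this.binary(['*', '/'], () => this.primary())); }
  binary(ops, operand) {
    let left = operand();
    while (this.peek().type === 'op' && ops.includes(this.peek().value)) {
      const { value: op, pos } = this.next();
      left = { type: 'Binary', op, left, right: operand(), pos };
    }
    return left;
  }
  primary() {
    const t = this.next();
    if (t.type === 'num' || t.type === 'str') return { type: 'Literal', value: t.value, pos: t.pos };
    if (t.type === 'op' && t.value === '(') { const e = this.expr(); this.expect('op', ')'); return e; }
    if (t.type === 'id' && this.isOp('(')) {
      this.next();
      const args = [];
      while (!this.isOp(')')) { args.push(this.expr()); if (this.isOp(',')) this.next(); else break; }
      this.expect('op', ')');
      return { type: 'Call', callee: t.value, args, pos: t.pos };
    }
    if (t.type === 'id') return { type: 'Var', name: t.value, pos: t.pos };
    throw new SyntaxError(`Unexpected token at ${t.pos}`);
  }
}

// Evaluator. `vars` and `host` are null-prototype tables supplied by the
// caller; there is no path from the AST to globalThis, require or process.
function evaluate(node, vars, host) {
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  switch (node.type) {
    case 'Program': return node.body.map((e) => evaluate(e, vars, host));
    case 'Literal': return node.value;
    case 'Var':
      if (!own(vars, node.name)) throw new ReferenceError(`${node.name} is not defined (at ${node.pos})`);
      return vars[node.name];
    case 'Binary': {
      const l = evaluate(node.left, vars, host), r = evaluate(node.right, vars, host);
      return node.op === '+' ? l + r : node.op === '-' ? l - r : node.op === '*' ? l * r : l / r;
    }
    case 'Call':
      if (!own(host, node.callee)) throw new ReferenceError(`${node.callee} is not a function (at ${node.pos})`);
      return host[node.callee](...node.args.map((a) => evaluate(a, vars, host)));
    default: throw new Error(`Unknown node ${node.type}`);
  }
}

// Run a script with read-only input variables and `log` as its only
// callable capability. Errors are caught and reported with a position.
function runScript(src, inputs = {}) {
  const logs = [];
  const vars = Object.assign(Object.create(null), inputs);
  const host = Object.create(null);
  host.log = (...args) => { logs.push(args.map(String).join(' ')); };
  try {
    evaluate(new Parser(tokenize(src)).program(), vars, host);
    return { ok: true, logs, error: null };
  } catch (err) {
    return { ok: false, logs, error: `${err.name}: ${err.message}` };
  }
}
```

Running `runScript('log("total", price * qty + 1);', { price: 7, qty: 3 })` produces the log line `total 22`, while `runScript('eval("1");')` or `runScript('log(process);')` fail with a ReferenceError that names the identifier and its offset in the source: the script has no way to name anything the host did not put on the table. A real interpreter such as JS-Interpreter does the same for full JavaScript, which is why it can run under the Modeler's CSP and why the poster's console capture becomes a matter of injecting a `console` object rather than patching the real one.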

Can you use a similar pattern to this project, GitHub - bpmn-io/dmn-testing-plugin: Camunda Modeler plugin that allows testing of a DMN decision, and pass your scripts into a jar execution?

2 Likes

We are also facing the same issue.

Looking at Script editor plugin - #16 by datakurre, this seems to be the way to go.

We’ll not be able to follow up on the isolated execution thing any time soon. But given you pursue the JS-Interpreter route, whenever we offer something this may be a drop-in replacement.

Honestly speaking, an interpreted execution could have additional benefits, such as being able to debug and/or capture errors in a controlled environment.