Good morning! I am writing a plugin for Camunda Modeler which adds a ‘code editor’ for script tasks. I would like to add a simple ‘output’ field which executes the code just for debugging purposes (like console.logs), but CSP is (well, rightfully) blocking it.
Is there a way to bypass it and evaluate the script in a safe environment?
That's a really nice idea!
Sadly I'm not sure about how you might fix the problem, but I'd love to see how the plugin comes along!
Script editor sounds like an amazing extension.
Could you provide some more insight into what you're trying to achieve that is being blocked by CSP? If you provide us with a minimal proof of concept that fails, we can look into a resolution.
Electron provides dedicated APIs to execute custom JavaScript in an isolated, safe environment. See this blog for example. If necessary we could consider exposing such APIs within the editor.
Hi Nikku
Sure! Let’s say I write some code in my editor for a script task.
I made a simple executor function which does just this:
```javascript
// Runs the editor contents as a script; this is what the CSP rejects.
export default function executeCode(code) {
  try {
    (new Function(code))();
  } catch (error) {
    console.error(error);
  }
}
```
Maybe it's also preprocessed by Babel, I'm still deciding. Anyway, what I do is just write the code with some console.logs (which I capture by overriding the console calls), click on a 'run' button which calls this executeCode function, and I receive this log error:
```
console.js:40 EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
    at new Function (<anonymous>)
    at executeCode (executor.js:16)
    at HTMLAnchorElement.run.onclick (CodeEditor.js:182)
console.error @ console.js:40
```
Side note: GitHub - igorsimko/camunda-script-editor-plugin: CodeMirror script editor for Camunda modeler
Thank you for the link, the thing is I already am at this point, I created my own script editor plugin with CodeMirror too and it is working. What I need to do is a way to execute the code in a safe environment inside Camunda Modeler.
Probably exposing the Electron dedicated API webContents.executeJavaScriptInIsolatedWorld should do the trick.
Please let me know.
Thank you very much.
Good evening! I just published on github our code editor. Please feel free to look at the code, I am still stuck on CSP error.
Let me know your considerations, I’d really appreciate your opinion.
Great job. Much needed pattern.
This is really great! Thanks for contributing!
Hi @daimadoshi85
I wanted to give it a try. Do I have to build the plugin myself - or is it enough to clone it in the plugins folder?
I ask because just cloning did not work:
There is a zip released on github. Download it and please make sure to unzip the folder to camunda-modeler/resources/plugins folder.
Else, you can clone the project, run npm install && npm run all and copy the cloned folder to the folder I wrote above.
@daimadoshi85 thanks - I can now start the plugin.
However, if I push the RUN button I get the following exception:
That's correct as of now. It's, well… why I made this topic.
Running a script does not work now, because it's blocked by the CSP policy. I just kept it to show the exception to the Camunda developers.
Ah ok - it would be great if you could add a how-to-use / limitations chapter to your GitHub README (an example with the context would also be appreciated).
Thanks for the cool plugin - this will help a lot - I will definitely try it out!
I did a quick try using JS-Interpreter with the latest acorn release and that did not break CSP. Of course, it’s probably a far cry from browser JS engine and possibly not even equal with Nashorn. Might need polyfills.
For the purposes I meant to achieve, it could be one possible solution. Thank you! I’ll certainly give it a try!
I don't know if the acorn version makes any difference. Version 0.8.0 seems to be the first one to include the acorn_csp build, which works in the sandbox. The latest versions work by default. JS-Interpreter's interpreter.js required a few changes:
1) importing acorn into its namespace: `var acorn = require("acorn");`
2) exporting the module: `module.exports = Interpreter;`
3) fixing it to not try to dynamically require Node's vm module (it can fall back to other methods).
Can you use a similar pattern as this project: GitHub - bpmn-io/dmn-testing-plugin: Camunda Modeler plugin that allows testing of a DMN decision. And pass your scripts into a jar execution?
Looking at Script editor plugin - #16 by datakurre this seems to be the way to go.
We'll not be able to follow up on the isolated execution thing any time soon. But given you pursue the JS-Interpreter route, whenever we offer something, this may be a drop-in replacement.
Honestly speaking, an interpreted execution could have additional benefits, such as being able to debug and/or capture errors in a controlled environment.