Issue 151: Issue with Js sanitizer

[busterace]

To solve the serious performance problem of regex injection way in JsSanitizer

In this MR, I use js libs to convert js code into AST and then inject code, and the performance is much better, pls review

ps: The injectJs folder project is used to generate the file inject.js

[busterace]

@mxro Pls review, Thanks

[mxro]

I think the best here is to remove this whole test - since it is not relevant any more - I will do so after merge, if there is nothing else I find that would need to be addressed before merge.

[mxro]

Wow, I love it, great work 🚀

I will merge to master and validate all is good there and report back here.

[mxro]

It looks like the time to run all the unit tests has increased by 200% - did you observe this when running locally as well?

[mxro]

npm audit brings up the following issue: GHSA-67hx-6x53-jw92

# npm audit report

babel-traverse  *
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
No fix available
node_modules/babel-traverse
  babel-plugin-transform-es2015-block-scoping  *
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-plugin-transform-es2015-block-scoping
  babel-template  *
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-template

3 critical severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Looks like it all comes from babel-traverse - can that be patched?

[mxro]

On my local (Windows) these tests are failing:

[ERROR] Failures: 
[ERROR]   TestScriptInterruptionAndCatch.test_engine_working_after_crash:94 expected:<class delight.nashornsandbox.exceptions.ScriptCPUAbuseException> but was:<class java.lang.RuntimeException>
[ERROR] Errors: 
[ERROR]   TestLimitCPU.test »  Unexpected exception, expected<delight.nashornsandbox.exceptions.ScriptCPUAbuseException> but was<java.lang.RuntimeException>
[ERROR]   TestLimitCPU.test_evil_script »  Unexpected exception, expected<delight.nashornsandbox.exceptions.ScriptCPUAbuseException> but was<java.lang.RuntimeException>
[ERROR]   TestLimitCPU.test_while_plus_iteration_bad_script »  Unexpected exception, expected<delight.nashornsandbox.exceptions.ScriptCPUAbuseException> but was<java.lang.RuntimeException>
[ERROR]   TestManyEvalsAndInjections.test:26 » Runtime java.lang.IllegalStateException: Executor thread not set 
after 50 ms?usually this means the sub-thread not started properly
[ERROR]   TestScriptInterruptionAndCatch.test_catch »  Unexpected exception, expected<delight.nashornsandbox.exceptions.ScriptCPUAbuseException> but was<java.lang.RuntimeException>
[ERROR]   TestScriptInterruptionAndCatch.test_catch_compiled »  Unexpected exception, expected<delight.nashornsandbox.exceptions.ScriptCPUAbuseException> but was<java.lang.RuntimeException>
[ERROR]   TestSwitch.test:42 » Runtime java.lang.IllegalStateException: Executor thread not set after 50 ms?usually this means the sub-thread not started properly
[ERROR]   TestSwitch.test_graal:75 » Runtime java.lang.IllegalStateException: Executor thread not set after 50 ms?usually this means the sub-thread not started properly
[INFO]
[ERROR] Tests run: 91, Failures: 1, Errors: 8, Skipped: 1

Could also have something to do with the performance, so maybe a good place to have a look regarding the performance.

[mxro]

All your changes are in master, but before I release to Maven central, would like to address as per comments above:

1. Understanding the performance impacts across the whole test suite
2. Patching critical npm vulnerability

Would be great if you could have a look at these, since otherwise may take me a while to get to it. For any changes, would be great if you could raise a new PR. I also added a workflow to build and test the JavaScript you can run as well in your fork!

[busterace]

@mxro
Sure, I will check it.

[busterace]

At least there is no difference in the execution time of JsSanitizerTest between Issue-151 branch and the master before merge in my local.

Let me see if there is another reason.

[busterace]

@mxro fixed in #158, pls review