fix(middleware): false positive dynamic code detection at build time (#36955)

## What's in there?

Partially fixes vercel/edge-functions#82
Relates to #36715

Our webpack plugin for middleware leverages static analysis to detect dynamic code evaluation in the user's `_middleware.js` file (and dependencies). Since the edge function runtime does not allow them, the build is aborted.

The use of `Function.bind` is considered invalid, while it is legit. A customer using `@aws-sdk/client-s3` reported it. This PR fixes it.

Please note that this check is too strict: some dynamic code may be in the bundle (despite treeshaking), but may never be used (because of code branches). Since this point is under discussion, this PR adds tests covering some false positives (`@apollo/react-hooks`, `qs` and `has`), but does not change the behavior (consider them as errors).

## Notes to reviewer

I looked for test facilities allowing to download the required 3rd party modules. `createNext()` in production context made my day, but showed two issues:

- `cliOutput` is not cleaned in between tests. While clearance during `stop()` would be annoying, I hope that clearance during `start()` is better.
- if `start()` fails while building, the created instance can never be stopped. This is because we don't clear `childProcess` after `build`.

## Bug

- [x] Related issues linked using `fixes #number`
- [x] Integration tests added
- [ ] Errors have helpful link attached, see `contributing.md`

## Feature

- [ ] Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR.
- [ ] Related issues linked using `fixes #number`
- [ ] Integration tests added
- [ ] Documentation added
- [ ] Telemetry added. In case of a feature if it's used or not.
- [ ] Errors have helpful link attached, see `contributing.md`

## Documentation / Examples

- [x] Make sure the linting passes by running `yarn lint`
Showing 3 changed files with 120 additions and 13 deletions.
107 changes: 107 additions & 0 deletions
test/production/middleware-with-dynamic-code/index.test.ts
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,107 @@ | ||
import { createNext } from 'e2e-utils' | ||
import { NextInstance } from 'test/lib/next-modes/base' | ||
|
||
describe('Middleware with Dynamic code invokations', () => { | ||
let next: NextInstance | ||
|
||
beforeAll(async () => { | ||
next = await createNext({ | ||
files: { | ||
'lib/utils.js': '', | ||
'pages/_middleware.js': ` | ||
import '../lib/utils' | ||
export default function middleware() { | ||
return new Response() | ||
} | ||
`, | ||
}, | ||
dependencies: { | ||
'@apollo/react-hooks': '3.1.5', | ||
'@aws-sdk/client-s3': 'latest', | ||
'apollo-client': 'latest', | ||
graphql: 'latest', | ||
'graphql-tag': 'latest', | ||
has: 'latest', | ||
qs: 'latest', | ||
}, | ||
}) | ||
await next.stop() | ||
}) | ||
|
||
afterAll(() => next.destroy()) | ||
|
||
it('detects dynamic code nested in @apollo/react-hooks', async () => { | ||
await next.patchFile( | ||
'lib/utils.js', | ||
` | ||
import { useQuery } from '@apollo/react-hooks' | ||
import gql from 'graphql-tag' | ||
export default function useGreeting() { | ||
return useQuery( | ||
gql\` | ||
query getGreeting($language: String!) { | ||
greeting(language: $language) { | ||
message | ||
} | ||
} | ||
\`, | ||
{ variables: { language: 'english' } } | ||
) | ||
} | ||
` | ||
) | ||
await expect(next.start()).rejects.toThrow() | ||
expect(next.cliOutput).toContain(` | ||
./node_modules/ts-invariant/lib/invariant.esm.js | ||
Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`) | ||
}) | ||
|
||
it('detects dynamic code nested in has', async () => { | ||
await next.patchFile( | ||
'lib/utils.js', | ||
` | ||
import has from 'has' | ||
has(Object.prototype, 'hasOwnProperty') | ||
` | ||
) | ||
await expect(next.start()).rejects.toThrow() | ||
expect(next.cliOutput).toContain(` | ||
./node_modules/function-bind/implementation.js | ||
Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`) | ||
expect(next.cliOutput).toContain(` | ||
./node_modules/has/src/index.js | ||
Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`) | ||
}) | ||
|
||
it('detects dynamic code nested in qs', async () => { | ||
await next.patchFile( | ||
'lib/utils.js', | ||
` | ||
import qs from 'qs' | ||
qs.parse('a=c') | ||
` | ||
) | ||
await expect(next.start()).rejects.toThrow() | ||
expect(next.cliOutput).toContain(` | ||
./node_modules/get-intrinsic/index.js | ||
Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`) | ||
}) | ||
|
||
it('does not detects dynamic code nested in @aws-sdk/client-s3 (legit Function.bind)', async () => { | ||
await next.patchFile( | ||
'lib/utils.js', | ||
` | ||
import { S3Client, AbortMultipartUploadCommand } from '@aws-sdk/client-s3' | ||
new S3Client().send(new AbortMultipartUploadCommand({})) | ||
` | ||
) | ||
await expect(next.start()).rejects.toThrow() | ||
expect(next.cliOutput).not.toContain( | ||
`./node_modules/@aws-sdk/smithy-client/dist-es/lazy-json.js` | ||
) | ||
expect(next.cliOutput).not.toContain( | ||
`Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware` | ||
) | ||
}) | ||
}) |
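Review bot: In the last test ('does not detects dynamic code nested in @aws-sdk/client-s3'), `await expect(next.start()).rejects.toThrow()` still requires the build to fail, while the two `not.toContain` checks only say what the failure is not. Nothing asserts why `start()` rejects, so the test would also pass on an unrelated build break; assert on the expected failure message, or expect `start()` to resolve if the build is meant to succeed. The negative assertions also depend on `cliOutput` holding only this run's output, since the three earlier tests print the same 'Dynamic Code Evaluation' message. Separately, every dependency except `@apollo/react-hooks` is `'latest'` while the assertions name transitive paths such as `./node_modules/get-intrinsic/index.js`; pinning versions would keep the positive checks from breaking and the `lazy-json.js` check from passing vacuously when upstream layouts change. Minor: 'invokations' in the describe title and 'does not detects' in the test title are typos.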