Tests: Add security tests

Author: snatalenko

README.md

@@ -16,7 +16,8 @@ Declarative Mapper is a JSON data transformation and object mapping library for
 - [Overview](#overview)
   - [Reasoning](#reasoning)
   - [Quick Start Example](#quick-start-example)
-  - [Compatibility](#compatibility)
+- [Compatibility](#compatibility)
+- [Security](#security)
 - [Mapping Instructions](#mapping-instructions)
   - [Runtime Variables Quick Reference](#runtime-variables-quick-reference)
   - [Objects](#objects)
@@ -81,11 +82,18 @@ const mapper = createMapper({
 const results = sourceOrders.map(mapper); 
 ```
 
-### Compatibility
+## Compatibility
 
 - **Node.js:** 16+
 - **Browser:** best effort support; requires a `vm` polyfill
 
+## Security
+
+Similar mappings can be achieved with plain JavaScript, but this library is designed for a different case: user-controlled mapping templates executed on the server.
+
+Mappings stay simple for non-technical users, while technical users can still use JavaScript expressions.
+Instead of `eval`, expressions run in an isolated VM context with built-ins, mapping input, and explicit `extensions` only, which reduces JS injection risk.
+
 ## Mapping Instructions
 
 In mapping JSON, the left side is a key in the resulting object.

src/createMapper.ts

@@ -52,21 +52,21 @@ export default function createMapper<TSource extends object, TResult>(map: RootM
 		...options?.extensions
 	};
 
-	const context = vm.createContext(sandbox);
+	const ctx = vm.createContext(sandbox);
 
 	return (document: TSource): TResult | undefined => {
 
-		context.$input = document;
-		context.$result = undefined;
+		ctx.$input = document;
+		ctx.$result = undefined;
 
 		if (extensionNames) {
 			const conflictingKey = Object.keys(document).find(inputKey => extensionNames.includes(inputKey));
 			if (conflictingKey)
 				throw new TypeError(`Extension "${conflictingKey}" conflicts with a field name passed in input`);
 		}
 
-		script.runInContext(context);
+		script.runInContext(ctx);
 
-		return context.$result;
+		return ctx.$result;
 	};
 }

tests/unit/createMapper.test.ts

@@ -424,6 +424,50 @@ with ($createGlobalContext($input)) {
 		});
 	});
 
+	describe('security', () => {
+
+		it('does not expose process/global objects to mapping expressions', () => {
+
+			const mapper = createMapper({
+				directProcess: 'process',
+				globalThisProcess: 'globalThis?.process'
+			});
+
+			const result = mapper({});
+
+			expect(result).to.eql({
+				directProcess: undefined,
+				globalThisProcess: undefined
+			});
+		});
+
+		it('blocks constructor-based access to process', () => {
+
+			const mapper = createMapper({
+				value: '(() => { try { return [].filter.constructor("return process")().pid; } catch (e) { return "blocked"; } })()'
+			});
+
+			const result = mapper({});
+
+			expect(result).to.eql({
+				value: 'blocked'
+			});
+		});
+
+		it('blocks Function-based require access', () => {
+
+			const mapper = createMapper({
+				value: '(() => { try { return Function("return require(\\"fs\\")")(); } catch (e) { return "blocked"; } })()'
+			});
+
+			const result = mapper({});
+
+			expect(result).to.eql({
+				value: 'blocked'
+			});
+		});
+	});
+
 	describe('*', () => {
 
 		it('maps result from simple type', () => {