Merge branch 'release/5.1.1'

CHANGELOG.yaml

@@ -1,3 +1,11 @@
+5.1.1:
+  date: 2024-08-01
+  fixed bugs:
+    - GH-1023 Prevented invalid Events from being executed
+  chores:
+    - Allowed access to `pm.vault` only when `vaultSecrets` is set
+    - Updated dependencies
+
 5.1.0:
   date: 2024-07-29
   new features:

lib/sandbox/execute.js

@@ -117,14 +117,18 @@ module.exports = function (bridge, glob) {
             skipRequestEventName = EXECUTION_SKIP_REQUEST_EVENT_BASE + id,
 
             // extract the code from event
-            code = _.isFunction(event.script && event.script.toSource) && ((code) => {
+            code = ((code) => {
+                if (typeof code !== 'string') {
+                    return;
+                }
+
                 // wrap it in an async function to support top-level await
                 const asyncCode = `;(async()=>{;
                     ${code}
                 ;})().then(__exitscope).catch(__exitscope);`;
 
                 return isNonLegacySandbox(code) ? `${getNonLegacyCodeMarker()}${asyncCode}` : asyncCode;
-            })(event.script.toSource()),
+            })(event.script?.toSource()),
 
             // create the execution object
             execution = new Execution(id, event, context, { ...options, initializeExecution }),
@@ -250,6 +254,11 @@ module.exports = function (bridge, glob) {
             disabledAPIs.push('require');
         }
 
+        // @todo: throw helpful error message if script access to vault is disabled
+        if (!context.vaultSecrets) {
+            disabledAPIs.push('vault');
+        }
+
         // send control to the function that executes the context and prepares the scope
         executeContext(scope, code, execution,
             // if a console is sent, we use it. otherwise this also prevents erroneous referencing to any console