Merge branch 'release/4.6.1'

CHANGELOG.yaml

@@ -1,3 +1,11 @@
+4.6.1:
+  date: 2024-04-01
+  fixed bugs:
+    - GH-986 Fixed the types for `pm.execution.setNextRequest`
+    - GH-990 Sanitized the global scope by deleting the timers properties
+  chores:
+    - Updated dependencies
+
 4.6.0:
   date: 2024-03-13
   fixed bugs:

lib/sandbox/cookie-store.js

@@ -75,7 +75,7 @@ STORE_METHODS.forEach(function (method) {
         // This timeout ensures that the event is processed asynchronously
         // without blocking the rest of the script execution.
         // Refer: https://github.com/postmanlabs/postman-app-support/issues/11064
-        setTimeout(() => {
+        this.timers.wrapped.setTimeout(() => {
             // finally, dispatch event over the bridge
             this.emitter.dispatch(eventName, eventId, EVENT_STORE_ACTION, method, args);
         });

lib/sandbox/index.js

@@ -19,6 +19,9 @@
  */
 /* global bridge */
 
+// Setup Timerz before we delete the global timers
+require('./timers');
+
 // Although we execute the user code in a well-defined scope using the uniscope
 // module but still to cutoff the reference to the globally available properties
 // we sanitize the global scope by deleting the forbidden properties in this UVM
@@ -35,9 +38,7 @@
             'require', 'eval', 'console',
             // 3. allow uvm internals because these will be cleared by uvm itself at the end.
             // make sure any new property added in uvm firmware is allowed here as well.
-            'bridge', '__uvm_emit', '__uvm_dispatch', '__uvm_addEventListener',
-            // 4.allow all the timer methods
-            'setTimeout', 'clearTimeout', 'setInterval', 'clearInterval', 'setImmediate', 'clearImmediate'
+            'bridge', '__uvm_emit', '__uvm_dispatch', '__uvm_addEventListener'
         ]),
         deleteProperty = function (key) {
             // directly delete the property without setting it to `null` or `undefined`
@@ -78,7 +79,7 @@ require('./purse');
 // setup the ping-pong and execute routines
 bridge.on('ping', require('./ping').listener('pong'));
 
-// initialise execution
+// initialize execution
 require('./execute')(bridge, {
     console: (typeof console !== 'undefined' ? console : null),
     window: (typeof window !== 'undefined' ? window : null)

lib/sandbox/pmapi.js

@@ -298,6 +298,7 @@ function Postman (execution, onRequest, onSkipRequest, onAssertion, cookieStore,
              * running the collection. Passing `null` stops the collection run
              * after the current request is executed.
              *
+             * @instance
              * @param {string|null} request - name of the request to run next
              */
             setNextRequest: function setNextRequest (request) {

lib/sandbox/timers.js

@@ -1,5 +1,5 @@
 /**
- * @fileoverview This file contains the module that is required to enable specialised timers that have better control
+ * @fileOverview This file contains the module that is required to enable specialized timers that have better control
  * on a global level.
  *
  * @todo - the architecture of this sucks even if this "works".
@@ -13,15 +13,15 @@ const /**
     FUNCTION = 'function',
 
     /**
-     * The set of timer function names. We use this array to define common behaviour of all setters and clearer timer
+     * The set of timer function names. We use this array to define common behavior of all setters and clearer timer
      * functions
      *
      * @constant {Array.<String>}
      */
     timerFunctionNames = ['Timeout', 'Interval', 'Immediate', 'Event'],
 
     /**
-     * This object defines a set of timer function names that are trigerred a number of times instead of a single time.
+     * This object defines a set of timer function names that are triggered a number of times instead of a single time.
      * Such timers, when placed in generic rules, needs special attention.
      *
      * @constant {Array.<Boolean>}
@@ -54,7 +54,7 @@ const /**
      *
      * @note This is a very important piece of code from compatibility standpoint.
      * The global timers need to be returned as a function that does not hold reference to the scope
-     * and does not retain references to scope. Aditionally, the invocation of the timer function is
+     * and does not retain references to scope. Additionally, the invocation of the timer function is
      * done without changing the scope to avoid Illegal Invocation errors.
      *
      * `timerFunctionNames` returns the suffixes of all timer operations that needs a
@@ -82,13 +82,17 @@ const /**
             isGlobalClearAvailable = (new Function(`return typeof clear${name} === 'function'`))();
 
         if (isGlobalSetterAvailable) {
-            // eslint-disable-next-line no-new-func
-            timers[('set' + name)] = (new Function(`return function (fn, ms) { return set${name}(fn, ms); }`))();
+            timers[`set${name}`] = (
+                // eslint-disable-next-line no-new-func
+                new Function('_setFn', `return function set${name} (fn, ms) { return _setFn(fn, ms); }`)
+            )(this[`set${name}`]);
         }
 
         if (isGlobalClearAvailable) {
-            // eslint-disable-next-line no-new-func
-            timers[('clear' + name)] = (new Function(`return function (id) { return clear${name}(id); }`))();
+            timers[`clear${name}`] = (
+                // eslint-disable-next-line no-new-func
+                new Function('_clearFn', `return function clear${name} (id) { return _clearFn(id); }`)
+            )(this[`clear${name}`]);
         }
 
         return timers;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "postman-sandbox",
-  "version": "4.6.0",
+  "version": "4.6.1",
   "description": "Sandbox for Postman Scripts to run in Node.js or browser",
   "author": "Postman Inc.",
   "license": "Apache-2.0",
@@ -89,7 +89,7 @@
     "shelljs": "^0.8.5",
     "sinon": "^12.0.1",
     "sinon-chai": "^3.7.0",
-    "terser": "^5.29.1",
+    "terser": "^5.30.0",
     "tsd-jsdoc": "^2.5.0",
     "tv4": "1.3.0",
     "uniscope": "2.2.0",

test/unit/sandbox-sanity.test.js

@@ -86,7 +86,6 @@ describe('sandbox', function () {
                 var ignoredProps = [
                     'TEMPORARY', 'PERSISTENT', // DedicatedWorkerGlobalScope constants (in Browser)
                     'require', 'eval', 'console', // uniscope ignored
-                    'setTimeout', 'clearTimeout', 'setInterval', 'clearInterval', 'setImmediate', 'clearImmediate'
                 ]
                 var propNames = [];
 

types/index.d.ts

@@ -1,4 +1,4 @@
-// Type definitions for postman-sandbox 4.5.0
+// Type definitions for postman-sandbox 4.5.1
 // Project: https://github.com/postmanlabs/postman-sandbox
 // Definitions by: PostmanLabs
 // Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
@@ -254,16 +254,6 @@ declare interface Visualizer {
     clear(): void;
 }
 
-declare namespace Execution {
-    /**
-     * Sets the next request to be run after the current request, when
-     * running the collection. Passing `null` stops the collection run
-     * after the current request is executed.
-     * @param request - name of the request to run next
-     */
-    function setNextRequest(request: string | null): void;
-}
-
 declare interface Execution {
     request: any;
     response: any;
@@ -275,6 +265,13 @@ declare interface Execution {
      * The path of the current request.
      */
     location: ExecutionLocation;
+    /**
+     * Sets the next request to be run after the current request, when
+     * running the collection. Passing `null` stops the collection run
+     * after the current request is executed.
+     * @param request - name of the request to run next
+     */
+    setNextRequest(request: string | null): void;
 }
 
 declare interface ExecutionLocation extends Array {

types/sandbox/prerequest.d.ts

@@ -1,4 +1,4 @@
-// Type definitions for postman-sandbox 4.5.0
+// Type definitions for postman-sandbox 4.5.1
 // Project: https://github.com/postmanlabs/postman-sandbox
 // Definitions by: PostmanLabs
 // Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
@@ -113,16 +113,6 @@ declare interface Visualizer {
     clear(): void;
 }
 
-declare namespace Execution {
-    /**
-     * Sets the next request to be run after the current request, when
-     * running the collection. Passing `null` stops the collection run
-     * after the current request is executed.
-     * @param request - name of the request to run next
-     */
-    function setNextRequest(request: string | null): void;
-}
-
 declare interface Execution {
     /**
      * Stops the current request and its scripts from executing.
@@ -133,6 +123,13 @@ declare interface Execution {
      * The path of the current request.
      */
     location: ExecutionLocation;
+    /**
+     * Sets the next request to be run after the current request, when
+     * running the collection. Passing `null` stops the collection run
+     * after the current request is executed.
+     * @param request - name of the request to run next
+     */
+    setNextRequest(request: string | null): void;
 }
 
 declare interface ExecutionLocation extends Array {

types/sandbox/test.d.ts

@@ -1,4 +1,4 @@
-// Type definitions for postman-sandbox 4.5.0
+// Type definitions for postman-sandbox 4.5.1
 // Project: https://github.com/postmanlabs/postman-sandbox
 // Definitions by: PostmanLabs
 // Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
@@ -119,21 +119,18 @@ declare interface Visualizer {
     clear(): void;
 }
 
-declare namespace Execution {
+declare interface Execution {
+    /**
+     * The path of the current request.
+     */
+    location: ExecutionLocation;
     /**
      * Sets the next request to be run after the current request, when
      * running the collection. Passing `null` stops the collection run
      * after the current request is executed.
      * @param request - name of the request to run next
      */
-    function setNextRequest(request: string | null): void;
-}
-
-declare interface Execution {
-    /**
-     * The path of the current request.
-     */
-    location: ExecutionLocation;
+    setNextRequest(request: string | null): void;
 }
 
 declare interface ExecutionLocation extends Array {