Allow it to work on edge (e.g. cloudflare workers)

ajv-validator / ajv

The fastest JSON schema Validator. Supports JSON Schema draft-04/06/07/2019-09/2020-12 and JSON Type Definition (RFC8927)

https://ajv.js.org

MIT License

13.84k stars 877 forks source link

Allow it to work on edge (e.g. cloudflare workers) #2491

Open ValeryG opened 2 months ago

ValeryG commented 2 months ago

There is already an issue for this , https://github.com/ajv-validator/ajv/issues/2318, but it is closed. Suggestion there is not working when ajv is XX-layers down like eg: async-parser -> @stoplight/spectral->ajv and dynamic schema is validated, there is not visible to generate and pass validation function all the way down.

The version of Ajv you are using latest

The environment you have the problem with cloudflare worker

Your code (please make it as small as possible to reproduce the issue) standard example from async-parser Example

Works in every browser and node env, except of cloudflare worker.

Results and error messages in your platform

 Code generation from strings disallowed for this context

      at new Function (<anonymous>)
      at m.f

If there is no way to drop new Function usage in general, maybe it could be made conditional? let's say if option.workerSafe is passed as true, do something worker safe instead of new function?

jasoniangreen commented 2 months ago

I see, so the use of AJV within other projects preclude those projects from being used in cloudflare. I wonder if it would be possible for those projects to pre-build any schema based validations functions so that their code can be run on cloudflare? It won't always be possible but not out of the question depending on the usage.

I say this because given how AJV works I can't think of a way to avoid using new Function. Also worth noting, just in case it was a concern, that while new Function is considered unsafe and not allowed on cloudflare, the way that AJV uses it is very safe and has been verified by many experts. Anything passed to new Function has had to go through the typesafe codegen package which protects against any injection attacks etc.

Anyway, I am open to ideas but afaik we couldn't stop using new Function.

adamdehaven commented 2 months ago

I wonder if it would be possible for those projects to pre-build any schema based validations functions so that their code can be run on cloudflare?

No, since the source files are fetched at runtime, there’s bo way to pre-build.

jasoniangreen commented 2 months ago

I see. Well I will leave this open. If anyone has any ideas on how to work around this or any proposals, we can discuss it.

Justineo commented 1 month ago

As Cloudflare doesn't allow eval or new Function for security reasons, it may someday support ShadowRealm API if it gets approved by TC39 (it's currently in Stage 2.7 and Bun already supported it). At that time ajv should be able to migrate to the new API to make it work on edge runtimes.

jasoniangreen commented 1 month ago

Thanks for the info @Justineo, I will keep an eye out for that.