Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow it to work on edge (e.g. cloudflare workers) #2491

Open
ValeryG opened this issue Aug 22, 2024 · 5 comments
Open

Allow it to work on edge (e.g. cloudflare workers) #2491

ValeryG opened this issue Aug 22, 2024 · 5 comments
Labels
compatibility

Comments

@ValeryG
Copy link

ValeryG commented Aug 22, 2024

There is already an issue for this , #2318, but it is closed. Suggestion there is not working when ajv is XX-layers down like eg: async-parser -> @stoplight/spectral->ajv and dynamic schema is validated, there is not visible to generate and pass validation function all the way down.

The version of Ajv you are using
latest

The environment you have the problem with
cloudflare worker

Your code (please make it as small as possible to reproduce the issue)
standard example from async-parser Example

Works in every browser and node env, except of cloudflare worker.

Results and error messages in your platform

 Code generation from strings disallowed for this context

      at new Function (<anonymous>)
      at m.f

If there is no way to drop new Function usage in general, maybe it could be made conditional? let's say if option.workerSafe is passed as true, do something worker safe instead of new function?
@jasoniangreen
Copy link
Collaborator

I see, so the use of AJV within other projects preclude those projects from being used in cloudflare. I wonder if it would be possible for those projects to pre-build any schema based validations functions so that their code can be run on cloudflare? It won't always be possible but not out of the question depending on the usage.

I say this because given how AJV works I can't think of a way to avoid using new Function. Also worth noting, just in case it was a concern, that while new Function is considered unsafe and not allowed on cloudflare, the way that AJV uses it is very safe and has been verified by many experts. Anything passed to new Function has had to go through the typesafe codegen package which protects against any injection attacks etc.

Anyway, I am open to ideas but afaik we couldn't stop using new Function.

@adamdehaven
Copy link

I wonder if it would be possible for those projects to pre-build any schema based validations functions so that their code can be run on cloudflare?

No, since the source files are fetched at runtime, there’s bo way to pre-build.

@jasoniangreen
Copy link
Collaborator

I see. Well I will leave this open. If anyone has any ideas on how to work around this or any proposals, we can discuss it.

@Justineo
Copy link

Justineo commented Sep 11, 2024
edited
Loading

As Cloudflare doesn't allow eval or new Function for security reasons, it may someday support ShadowRealm API if it gets approved by TC39 (it's currently in Stage 2.7 and Bun already supported it). At that time ajv should be able to migrate to the new API to make it work on edge runtimes.

@jasoniangreen
Copy link
Collaborator

Thanks for the info @Justineo, I will keep an eye out for that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
compatibility
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Justineo @adamdehaven @jasoniangreen @ValeryG