🔒️ Restrict client code execution on imported bot

Author: baptisteArno

apps/builder/src/features/blocks/logic/script/components/ScriptSettings.tsx

@@ -5,6 +5,7 @@ import { MoreInfoTooltip } from "@typebot.io/ui/components/MoreInfoTooltip";
 import { Switch } from "@typebot.io/ui/components/Switch";
 import { CodeEditor } from "@/components/inputs/CodeEditor";
 import { DebouncedTextInput } from "@/components/inputs/DebouncedTextInput";
+import { UnsafeScriptAlert } from "./UnsafeScriptAlert";
 
 type Props = {
   options: ScriptBlock["options"];
@@ -21,6 +22,8 @@ export const ScriptSettings = ({ options, onOptionsChange }: Props) => {
   const updateClientExecution = (isExecutedOnClient: boolean) =>
     onOptionsChange({ ...options, isExecutedOnClient });
 
+  const updateIsUnsafe = () => onOptionsChange({ ...options, isUnsafe: false });
+
   return (
     <div className="flex flex-col gap-4">
       <Field.Root>
@@ -46,6 +49,9 @@ export const ScriptSettings = ({ options, onOptionsChange }: Props) => {
           </MoreInfoTooltip>
         </Field.Label>
       </Field.Root>
+      {options?.isUnsafe === true && options?.isExecutedOnClient !== false && (
+        <UnsafeScriptAlert onTrustClick={updateIsUnsafe} />
+      )}
       <CodeEditor
         defaultValue={options?.content}
         lang="javascript"

apps/builder/src/features/blocks/logic/script/components/UnsafeScriptAlert.tsx

@@ -0,0 +1,24 @@
+import { Alert } from "@typebot.io/ui/components/Alert";
+import { Button } from "@typebot.io/ui/components/Button";
+import { TriangleAlertIcon } from "@typebot.io/ui/icons/TriangleAlertIcon";
+
+export const UnsafeScriptAlert = ({
+  onTrustClick,
+}: {
+  onTrustClick: () => void;
+}) => (
+  <Alert.Root variant="warning">
+    <TriangleAlertIcon />
+    <Alert.Description className="flex flex-col gap-2">
+      <p>
+        For security reasons, since this bot was imported from a potential
+        untrusted source, we have disabled some access on bot preview. Only
+        enable this option if you understand what the code is doing and you know
+        what you are doing, otherwise it could be a security risk.
+      </p>
+      <Button variant="outline" onClick={onTrustClick}>
+        I trust this code
+      </Button>
+    </Alert.Description>
+  </Alert.Root>
+);

apps/builder/src/features/blocks/logic/setVariable/components/SetVariableSettings.tsx

@@ -25,6 +25,7 @@ import { DebouncedTextInput } from "@/components/inputs/DebouncedTextInput";
 import { VariablesCombobox } from "@/components/inputs/VariablesCombobox";
 import { WhatsAppLogo } from "@/components/logos/WhatsAppLogo";
 import { useTypebot } from "@/features/editor/providers/TypebotProvider";
+import { UnsafeScriptAlert } from "../../script/components/UnsafeScriptAlert";
 
 type Props = {
   options: SetVariableBlock["options"];
@@ -217,74 +218,79 @@ const SetVariableValue = ({
     });
   };
 
+  const updateIsUnsafe = () => onOptionsChange({ ...options, isUnsafe: false });
+
   switch (options?.type) {
     case "Custom":
     case undefined:
       return (
-        <>
-          <Field.Root className="flex-row items-center">
-            <Switch
-              checked={
-                options?.isExecutedOnClient ??
-                defaultSetVariableOptions.isExecutedOnClient
-              }
-              onCheckedChange={updateClientExecution}
-            />
-            <Field.Label>
-              Execute on client{" "}
-              <MoreInfoTooltip>
-                Check this if you need access to client-only variables like
-                `window` or `document`.
-              </MoreInfoTooltip>
-            </Field.Label>
-          </Field.Root>
-          <div className="flex flex-col gap-2">
-            <RadioGroup
-              onValueChange={(value) => updateIsCode(value as "Text" | "Code")}
-              defaultValue={
-                (options?.isCode ?? defaultSetVariableOptions.isCode)
-                  ? "Code"
-                  : "Text"
-              }
-            >
-              <Label className="hover:bg-gray-2/50 rounded-md p-2 border flex-1 flex justify-center">
-                <Radio value="Text" className="hidden" />
-                Text
-              </Label>
-              <Label className="hover:bg-gray-2/50 rounded-md p-2 border flex-1 flex justify-center">
-                <Radio value="Code" className="hidden" />
-                Code
-              </Label>
-            </RadioGroup>
-            {options?.isCode ? (
-              <div className="flex flex-col gap-2">
-                <DebouncedTextInput
-                  placeholder="Code description"
-                  defaultValue={options?.expressionDescription}
-                  onValueChange={updateExpressionDescription}
-                />
-                <CodeEditor
-                  defaultValue={options?.expressionToEvaluate ?? ""}
-                  onChange={updateExpression}
-                  lang="javascript"
-                  withLineNumbers={true}
-                />
-                <Field.Root>
-                  <Field.Label>Save error</Field.Label>
-                  <VariablesCombobox
-                    initialVariableId={options.saveErrorInVariableId}
-                    onSelectVariable={updateSaveErrorInVariableId}
-                  />
-                </Field.Root>
-              </div>
-            ) : (
-              <DebouncedTextareaWithVariablesButton
+        <div className="flex flex-col gap-2">
+          <RadioGroup
+            onValueChange={(value) => updateIsCode(value as "Text" | "Code")}
+            defaultValue={
+              (options?.isCode ?? defaultSetVariableOptions.isCode)
+                ? "Code"
+                : "Text"
+            }
+          >
+            <Label className="hover:bg-gray-2/50 rounded-md p-2 border flex-1 flex justify-center">
+              <Radio value="Text" className="hidden" />
+              Text
+            </Label>
+            <Label className="hover:bg-gray-2/50 rounded-md p-2 border flex-1 flex justify-center">
+              <Radio value="Code" className="hidden" />
+              Code
+            </Label>
+          </RadioGroup>
+          {options?.isCode ? (
+            <div className="flex flex-col gap-2">
+              <DebouncedTextInput
+                placeholder="Code description"
+                defaultValue={options?.expressionDescription}
+                onValueChange={updateExpressionDescription}
+              />
+              <CodeEditor
                 defaultValue={options?.expressionToEvaluate ?? ""}
-                onValueChange={updateExpression}
+                onChange={updateExpression}
+                lang="javascript"
+                withLineNumbers={true}
               />
-            )}
-          </div>
-        </>
+              <Field.Root className="flex-row items-center">
+                <Switch
+                  checked={
+                    options?.isExecutedOnClient ??
+                    defaultSetVariableOptions.isExecutedOnClient
+                  }
+                  onCheckedChange={updateClientExecution}
+                />
+                <Field.Label>
+                  Execute on client{" "}
+                  <MoreInfoTooltip>
+                    Check this if you need access to client-only variables like
+                    `window` or `document`.
+                  </MoreInfoTooltip>
+                </Field.Label>
+              </Field.Root>
+              {options?.isUnsafe === true &&
+                options?.isExecutedOnClient === true &&
+                options.isCode && (
+                  <UnsafeScriptAlert onTrustClick={updateIsUnsafe} />
+                )}
+              <Field.Root>
+                <Field.Label>Save error</Field.Label>
+                <VariablesCombobox
+                  initialVariableId={options.saveErrorInVariableId}
+                  onSelectVariable={updateSaveErrorInVariableId}
+                />
+              </Field.Root>
+            </div>
+          ) : (
+            <DebouncedTextareaWithVariablesButton
+              defaultValue={options?.expressionToEvaluate ?? ""}
+              onValueChange={updateExpression}
+            />
+          )}
+        </div>
       );
     case "Pop":
     case "Shift":

apps/builder/src/features/templates/components/CreateNewTypebotButtons.tsx

@@ -57,7 +57,7 @@ export const CreateNewTypebotButtons = () => {
 
   const handleCreateSubmit = async (
     typebot?: Typebot,
-    fromTemplate?: string,
+    args?: { enableSafetyFlags?: boolean; fromTemplate?: string },
   ) => {
     if (!user || !workspace) return;
     const folderId = router.query.folderId?.toString() ?? null;
@@ -68,7 +68,8 @@ export const CreateNewTypebotButtons = () => {
           ...typebot,
           folderId,
         },
-        fromTemplate,
+        fromTemplate: args?.fromTemplate,
+        enableSafetyFlags: args?.enableSafetyFlags,
       });
     else
       createTypebot({

apps/builder/src/features/templates/components/ImportTypebotFromFileButton.tsx

@@ -9,7 +9,7 @@ import type { ChangeEvent } from "react";
 import { toast } from "@/lib/toast";
 
 type Props = {
-  onNewTypebot: (typebot: Typebot) => void;
+  onNewTypebot: (typebot: Typebot, args: { enableSafetyFlags: true }) => void;
 } & ButtonProps;
 
 export const ImportTypebotFromFileButton = ({
@@ -24,12 +24,15 @@ export const ImportTypebotFromFileButton = ({
     const fileContent = await readFile(file);
     try {
       const typebot = JSON.parse(fileContent);
-      onNewTypebot({
-        ...typebot,
-        events: typebot.events ?? null,
-        icon: typebot.icon ?? null,
-        name: typebot.name ?? "My typebot",
-      } as Typebot);
+      onNewTypebot(
+        {
+          ...typebot,
+          events: typebot.events ?? null,
+          icon: typebot.icon ?? null,
+          name: typebot.name ?? "My typebot",
+        } as Typebot,
+        { enableSafetyFlags: true },
+      );
     } catch (err) {
       console.error(err);
       toast(await parseUnknownClientError({ err }));

apps/builder/src/features/templates/components/TemplatesDialog.tsx

@@ -14,7 +14,7 @@ import type { TemplateProps } from "../types";
 type Props = {
   isOpen: boolean;
   onClose: () => void;
-  onTypebotChoose: (typebot: Typebot, fromTemplate: string) => void;
+  onTypebotChoose: (typebot: Typebot, args: { fromTemplate: string }) => void;
   isLoading: boolean;
 };
 
@@ -60,7 +60,7 @@ export const TemplatesDialog = ({
 
   const onUseThisTemplateClick = async () => {
     if (!typebot) return;
-    onTypebotChoose(typebot, selectedTemplate.name);
+    onTypebotChoose(typebot, { fromTemplate: selectedTemplate.name });
   };
 
   return (

apps/builder/src/features/typebot/api/createTypebot.ts

@@ -84,7 +84,7 @@ export const createTypebot = authenticatedProcedure
     }
 
     const groups = (
-      typebot.groups ? await sanitizeGroups(workspace)(typebot.groups) : []
+      typebot.groups ? await sanitizeGroups(typebot.groups, { workspace }) : []
     ) as TypebotV6["groups"];
     const newTypebot = await prisma.typebot.create({
       data: {

apps/builder/src/features/typebot/api/importTypebot.ts

@@ -109,6 +109,7 @@ export const importTypebot = authenticatedProcedure
         ),
       typebot: importingTypebotSchema,
       fromTemplate: z.string().optional(),
+      enableSafetyFlags: z.boolean().optional(),
     }),
   )
   .output(
@@ -118,7 +119,7 @@ export const importTypebot = authenticatedProcedure
   )
   .mutation(
     async ({
-      input: { typebot, workspaceId, fromTemplate },
+      input: { typebot, workspaceId, fromTemplate, enableSafetyFlags },
       ctx: { user },
     }) => {
       const workspace = await prisma.workspace.findUnique({
@@ -146,7 +147,10 @@ export const importTypebot = authenticatedProcedure
 
       const groups = (
         duplicatingBot.groups
-          ? await sanitizeGroups(workspace)(duplicatingBot.groups)
+          ? await sanitizeGroups(duplicatingBot.groups, {
+              workspace,
+              enableSafetyFlags,
+            })
           : []
       ) as TypebotV6["groups"];
 

apps/builder/src/features/typebot/api/updateTypebot.ts

@@ -166,7 +166,9 @@ export const updateTypebot = authenticatedProcedure
       }
 
       const groups = typebot.groups
-        ? await sanitizeGroups(existingTypebot.workspace)(typebot.groups)
+        ? await sanitizeGroups(typebot.groups, {
+            workspace: existingTypebot.workspace,
+          })
         : undefined;
 
       const newTypebot = await prisma.typebot.update({