Camunda-modeler: JSON Schema validation crashes in nightly build

Created on 31 Mar 2021 · 4 Comments · Source: camunda/camunda-modeler

__Describe the Bug__

Beginning with the current nightly build (30-03-21) we got an error in the Error Log when opening a BPMN (Camunda) diagram.

[diagram_1.bpmn] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".


    at new Function (<anonymous>)
    at g.I (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/compile/index.js:120:25)
    at call (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/compile/resolve.js:54:18)
    at call (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/compile/index.js:189:20)
    at resolveRef (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/dotjs/ref.js:21:21)
    at code (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/dotjs/validate.js:277:36)
    at validate (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/dotjs/properties.js:201:25)
    at code (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/dotjs/validate.js:374:34)
    at validateGenerator (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/compile/index.js:88:21)
    at localCompile (webpack:///node_modules/@bpmn-io/json-schema-validator/node_modules/ajv/lib/compile/index.js:55:12) [ error ]
This error may be the result of a plug-in compatibility issue. [ info ]
Disable plug-ins (restarts the app) [ info ]

This is caused by the fact that we compile the Element Templates JSON Schema one time to validate element templates against it (cf. #2159). In production builds, this is indicated as a security issue: https://github.com/ajv-validator/ajv/issues/406

__Steps to Reproduce__

  1. Open a new BPMN diagram (Camunda Engine) with element templates
  2. Error is visible in the Log Panel

__Expected Behavior__

No Error is visible and the validator works as expected.

__Environment__

  • OS: macOS 10.15
  • Camunda Modeler Version: 4.7.0-nightly-20210330
bug

All 4 comments

One way of solving would be to pre-compile the validator: https://github.com/ajv-validator/ajv/blob/master/docs/standalone.md

This would also reduce the bundle size 👍

Since we use ajv@6, we would have to use https://github.com/ajv-validator/ajv-pack I guess (or try to migrate).
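The failure reported above and the pre-compilation fix proposed in the comments, as an added example that is not code from Camunda Modeler or ajv. Assumptions: a Node `vm` context with `codeGeneration.strings` disabled stands in for the renderer's `script-src 'self'` policy, `generateSource` is a hypothetical toy generator for a small JSON Schema subset, and the schema and templates are constructed samples.

```javascript
const vm = require("node:vm");

// Constructed, heavily simplified stand-in for the element templates schema.
const SCHEMA = {
  required: ["name", "id", "appliesTo"],
  properties: { name: { type: "string" }, id: { type: "string" }, appliesTo: { type: "array" } },
};
const GOOD_TEMPLATE = { name: "Mail Task", id: "com.example.MailTask", appliesTo: ["bpmn:ServiceTask"] };
const BAD_TEMPLATE = { name: "Mail Task", id: "com.example.MailTask", appliesTo: "bpmn:ServiceTask" };

// Code-generating validators turn a schema into JavaScript source text.
// Done at build time, that text can be shipped as an ordinary script file.
function generateSource(schema) {
  const checks = ["typeof data === 'object' && data !== null"];
  for (const key of schema.required || []) {
    checks.push(`Object.prototype.hasOwnProperty.call(data, ${JSON.stringify(key)})`);
  }
  for (const [key, sub] of Object.entries(schema.properties || {})) {
    const k = JSON.stringify(key);
    const test = sub.type === "array"
      ? `Array.isArray(data[${k}])`
      : `typeof data[${k}] === ${JSON.stringify(sub.type)}`;
    checks.push(`(data[${k}] === undefined || ${test})`);
  }
  return `return ${checks.join(" && ")};`;
}

// A context that refuses eval/new Function, like a page without 'unsafe-eval'.
function restrictedContext(globals) {
  return vm.createContext(globals, { codeGeneration: { strings: false, wasm: false } });
}

// Runtime compilation: the schema is compiled inside the restricted context.
function runtimeCompileUnderPolicy(source) {
  try {
    vm.runInContext("new Function('data', source)", restrictedContext({ source }));
    return "compiled";
  } catch (err) {
    return err.name; // the context rejects code generation from strings
  }
}

// Pre-compiled validator: the generated text arrives as script content, which
// is modelled here by vm.runInContext; nothing is evaluated from a string
// inside the restricted context.
function loadPrecompiledUnderPolicy(source, doc) {
  return vm.runInContext(`(function validate(data) { ${source} })(doc)`, restrictedContext({ doc }));
}
```
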
