From 628412f8c18f1bcf753585bde36f9ebeeba96aee Mon Sep 17 00:00:00 2001
From: dejang
Date: Wed, 4 Sep 2019 17:27:58 +0300
Subject: [PATCH 1/2] allow configurable Realm transforms to overwrite defaults
---
 src/evaluators.js | 5 +++--
 src/main.js | 5 +++++
 src/sourceParser.js | 25 +++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/evaluators.js b/src/evaluators.js
index 26b707a..7c09e15 100644
--- a/src/evaluators.js
+++ b/src/evaluators.js
@@ -87,11 +87,12 @@ export function createSafeEvaluatorFactory(
 const localTransforms = options.transforms || [];
 const realmTransforms = transforms || [];
- const mandatoryTransforms = [rejectDangerousSourcesTransform];
+ const defaultTransforms =
+ realmTransforms.length > 0 ? [] : [rejectDangerousSourcesTransform];
 const allTransforms = [
 ...localTransforms,
 ...realmTransforms,
- ...mandatoryTransforms
+ ...defaultTransforms
 ];
 // We use the the concise method syntax to create an eval without a
diff --git a/src/main.js b/src/main.js
index 605b9ea..9555142 100644
--- a/src/main.js
+++ b/src/main.js
@@ -1 +1,6 @@
 export { default } from './realm';
+export {
+ rejectSomeDirectEvalExpressionsTransform,
+ rejectHtmlCommentsTransform,
+ rejectImportExpressionsTransform
+} from './sourceParser';
diff --git a/src/sourceParser.js b/src/sourceParser.js
index 7ed3d02..1ba0326 100644
--- a/src/sourceParser.js
+++ b/src/sourceParser.js
@@ -28,6 +28,14 @@ function rejectHtmlComments(s) {
 }
 }
+// Export a rewriter transform.
+export const rejectHtmlCommentsTransform = {
+ rewrite(rs) {
+ rejectHtmlComments(rs.src);
+ return rs;
+ }
+};
+
 // The proposed dynamic import expression is the only syntax currently
 // proposed, that can appear in non-module JavaScript code, that
 // enables direct access to the outside world that cannot be
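Review bot: In the `src/evaluators.js` hunk, `realmTransforms.length > 0 ? [] : [rejectDangerousSourcesTransform]` drops the dangerous-source rejection as soon as the realm is configured with any transform at all, including one that has nothing to do with source checking, so the guard is lost implicitly rather than by a named choice. Patch 2/2 of this series replaces the expression, which leaves this commit as the only state with that behaviour; if it can be bisected to or cherry-picked on its own, keep the rejection unless the caller opts out explicitly, or squash the two patches. The body of `createSafeEvaluatorFactory` starts and ends outside the hunk, so how `allTransforms` is applied is not visible here.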
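Review bot: The comment `// Export a rewriter transform.` on `rejectHtmlCommentsTransform` in `src/sourceParser.js` (repeated on `rejectImportExpressionsTransform` and `rejectSomeDirectEvalExpressionsTransform` in the next two hunks) does not say what the transform does: `rewrite` never changes `rs`, it only runs the matching `reject…` function on `rs.src` and hands `rs` back. Since each check can now be used apart from `rejectDangerousSources`, the comment should name the single check it covers and state that using it alone does not give the other two, for example `// Transform form of rejectHtmlComments: checks rs.src and returns rs unchanged; covers this one check only.` The bodies of the `reject…` functions are outside these hunks, so how a match is reported is not visible here.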
@@ -62,6 +70,14 @@ function rejectImportExpressions(s) {
 }
 }
+// Export a rewriter transform.
+export const rejectImportExpressionsTransform = {
+ rewrite(rs) {
+ rejectImportExpressions(rs.src);
+ return rs;
+ }
+};
+
 // The shim cannot correctly emulate a direct eval as explained at
 // https://github.com/Agoric/realms-shim/issues/12
 // Without rejecting apparent direct eval syntax, we would
@@ -91,6 +107,15 @@ function rejectSomeDirectEvalExpressions(s) {
 }
 }
+// Export a rewriter transform.
+export const rejectSomeDirectEvalExpressionsTransform = {
+ rewrite(rs) {
+ rejectSomeDirectEvalExpressions(rs.src);
+ return rs;
+ }
+};
+
+
 export function rejectDangerousSources(s) {
 rejectHtmlComments(s);
 rejectImportExpressions(s);
From 850ff7a469989353b811e91f0b91b8644c195731 Mon Sep 17 00:00:00 2001
From: Dejan
Date: Wed, 4 Sep 2019 10:06:27 -0700
Subject: [PATCH 2/2] add options rejectImportExpression, rejectHtmlComments, rejectSomeDirectEvalExpressions
---
 src/evaluators.js | 24 ++++++++++++++++++++----
 src/main.js | 5 -----
 src/sourceParser.js | 1 -
 3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/evaluators.js b/src/evaluators.js
index 7c09e15..c38681c 100644
--- a/src/evaluators.js
+++ b/src/evaluators.js
@@ -15,7 +15,11 @@ import {
 } from './commons';
 import { getOptimizableGlobals } from './optimizer';
 import { createScopeHandler } from './scopeHandler';
-import { rejectDangerousSourcesTransform } from './sourceParser';
+import {
+ rejectImportExpressionsTransform,
+ rejectHtmlCommentsTransform,
+ rejectSomeDirectEvalExpressionsTransform
+} from './sourceParser';
 import { assert, throwTantrum } from './utilities';
 function buildOptimizer(constants) {
@@ -87,12 +91,24 @@ export function createSafeEvaluatorFactory(
 const localTransforms = options.transforms || [];
 const realmTransforms = transforms || [];
- const defaultTransforms =
- realmTransforms.length > 0 ? [] : [rejectDangerousSourcesTransform];
+ const mandatoryTransforms = [
+ { rejectImportExpressions: rejectImportExpressionsTransform },
+ { rejectHtmlComments: rejectHtmlCommentsTransform },
+ {
+ rejectSomeDirectEvalExpressions: rejectSomeDirectEvalExpressionsTransform
+ }
+ ].reduce((acc, v) => {
+ const prop = Object.keys(v)[0];
+ if (options[prop] !== false) {
+ acc.push(v[prop]);
+ }
+ return acc;
+ }, []);
+
 const allTransforms = [
 ...localTransforms,
 ...realmTransforms,
- ...defaultTransforms
+ ...mandatoryTransforms
 ];
 // We use the the concise method syntax to create an eval without a
diff --git a/src/main.js b/src/main.js
index 9555142..605b9ea 100644
--- a/src/main.js
+++ b/src/main.js
@@ -1,6 +1 @@
 export { default } from './realm';
-export {
- rejectSomeDirectEvalExpressionsTransform,
- rejectHtmlCommentsTransform,
- rejectImportExpressionsTransform
-} from './sourceParser';
diff --git a/src/sourceParser.js b/src/sourceParser.js
index 1ba0326..401fa81 100644
--- a/src/sourceParser.js
+++ b/src/sourceParser.js
@@ -115,7 +115,6 @@ export const rejectSomeDirectEvalExpressionsTransform = {
 }
 };
-
 export function rejectDangerousSources(s) {
 rejectHtmlComments(s);
 rejectImportExpressions(s);
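Review bot: In the `createSafeEvaluatorFactory` hunk of `src/evaluators.js`, the list keeps the name `mandatoryTransforms` although every entry is now dropped when `options[prop]` is exactly `false`, and nothing in the hunk says who is expected to set those flags or what is lost by doing so. `options` looks like the same object that supplies `options.transforms`, so the opt-out appears to be available per evaluator rather than only when the realm is created; that is worth confirming, because these three checks are what rejects HTML comments, `import()` expressions and apparent direct eval in evaluated source. I would rename the list, add a comment stating the default and the effect of `false`, and replace the single-key objects and `Object.keys(v)[0]` with name/transform pairs, as below. `rejectDangerousSources` remains exported from `src/sourceParser.js`; if other call sites still run all three checks unconditionally, the options will hold on some evaluation paths and not on others. The function body starts and ends outside the hunk.

```javascript
    // Source-rejection checks are on by default; an option that is exactly
    // `false` removes that one check for this evaluator.
    const rejectTransformsByOption = [
      ['rejectImportExpressions', rejectImportExpressionsTransform],
      ['rejectHtmlComments', rejectHtmlCommentsTransform],
      [
        'rejectSomeDirectEvalExpressions',
        rejectSomeDirectEvalExpressionsTransform
      ]
    ];
    const defaultRejectTransforms = rejectTransformsByOption
      .filter(([name]) => options[name] !== false)
      .map(([, transform]) => transform);

    const allTransforms = [
      // … unchanged: ...localTransforms, ...realmTransforms …
      ...defaultRejectTransforms
    ];
```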