fix(middleware): false positive dynamic code detection at build time (#…

…36955)

## What's in there?

Partially fixes vercel/edge-functions#82
Relates to #36715 

Our webpack plugin for middleware leverages static analysis to detect Dyanamic code evaluation in user `_middleware.js` file (and depedencies). Since edge function runtime do not allow them, the build is aborted.

The use of `Function.bind` is considered invalid, while it is legit. A customer using `@aws-sdk/client-s3` reported it.
This PR fixes it.

Please note that this check is too strict: some dynamic code may be in the bundle (despite treeshaking), but may never be used (because of code branches). Since this point is under discussion, this PR adds tests covering some false positives (`@apollo/react-hook`, `qs` and `has`), but does not change the behavior (consider them as errors).

## Notes to reviewer

I looked for test facilities allowing to download the required 3rd party modules. `createNext()` in production context made my day, but showed two issues:
- `cliOutput` is not cleaned in between tests. While clearance during `stop()` would be annoying, I hope that clearance during `start()` is better.
- if `start()` fails while building, the created instance can never be stopped. This is because we don't clear `childProcess` after `build`. 

## Bug

- [x] Related issues linked using `fixes #number`
- [x] Integration tests added
- [ ] Errors have helpful link attached, see `contributing.md`

## Feature

- [ ] Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR.
- [ ] Related issues linked using `fixes #number`
- [ ] Integration tests added
- [ ] Documentation added
- [ ] Telemetry added. In case of a feature if it's used or not.
- [ ] Errors have helpful link attached, see `contributing.md`

## Documentation / Examples

- [x] Make sure the linting passes by running `yarn lint`

packages/next/build/webpack/plugins/middleware-plugin.ts

@@ -177,22 +177,20 @@ function getCodeAnalizer(params: {
 
     /**
      * A noop handler to skip analyzing some cases.
+     * Order matters: for it to work, it must be registered first
      */
-    const noop = () =>
+    const skip = () =>
       parser.state.module?.layer === 'middleware' ? true : undefined
 
-    hooks.call.for('eval').tap(NAME, handleWrapExpression)
-    hooks.call.for('global.eval').tap(NAME, handleWrapExpression)
-    hooks.call.for('Function').tap(NAME, handleWrapExpression)
-    hooks.call.for('global.Function').tap(NAME, handleWrapExpression)
-    hooks.new.for('Function').tap(NAME, handleWrapExpression)
-    hooks.new.for('global.Function').tap(NAME, handleWrapExpression)
-    hooks.expression.for('eval').tap(NAME, handleExpression)
-    hooks.expression.for('Function').tap(NAME, handleExpression)
-    hooks.expression.for('global.eval').tap(NAME, handleExpression)
-    hooks.expression.for('global.Function').tap(NAME, handleExpression)
-    hooks.expression.for('Function.prototype').tap(NAME, noop)
-    hooks.expression.for('global.Function.prototype').tap(NAME, noop)
+    for (const prefix of ['', 'global.']) {
+      hooks.expression.for(`${prefix}Function.prototype`).tap(NAME, skip)
+      hooks.expression.for(`${prefix}Function.bind`).tap(NAME, skip)
+      hooks.call.for(`${prefix}eval`).tap(NAME, handleWrapExpression)
+      hooks.call.for(`${prefix}Function`).tap(NAME, handleWrapExpression)
+      hooks.new.for(`${prefix}Function`).tap(NAME, handleWrapExpression)
+      hooks.expression.for(`${prefix}eval`).tap(NAME, handleExpression)
+      hooks.expression.for(`${prefix}Function`).tap(NAME, handleExpression)
+    }
     hooks.callMemberChain.for('process').tap(NAME, handleCallMemberChain)
     hooks.expressionMemberChain.for('process').tap(NAME, handleCallMemberChain)
   }

test/lib/next-modes/next-start.ts

@@ -39,6 +39,7 @@ export class NextStartInstance extends NextInstance {
     if (this.childProcess) {
       throw new Error('next already started')
     }
+    this._cliOutput = ''
     this.spawnOpts = {
       cwd: this.testDir,
       stdio: ['ignore', 'pipe', 'pipe'],
@@ -69,6 +70,7 @@ export class NextStartInstance extends NextInstance {
       )
       this.handleStdio(this.childProcess)
       this.childProcess.on('exit', (code, signal) => {
+        this.childProcess = null
         if (code || signal)
           reject(
             new Error(`next build failed with code/signal ${code || signal}`)

test/production/middleware-with-dynamic-code/index.test.ts

@@ -0,0 +1,107 @@
+import { createNext } from 'e2e-utils'
+import { NextInstance } from 'test/lib/next-modes/base'
+
+describe('Middleware with Dynamic code invokations', () => {
+  let next: NextInstance
+
+  beforeAll(async () => {
+    next = await createNext({
+      files: {
+        'lib/utils.js': '',
+        'pages/_middleware.js': `
+          import '../lib/utils'
+          export default function middleware() {
+            return new Response()
+          }
+        `,
+      },
+      dependencies: {
+        '@apollo/react-hooks': '3.1.5',
+        '@aws-sdk/client-s3': 'latest',
+        'apollo-client': 'latest',
+        graphql: 'latest',
+        'graphql-tag': 'latest',
+        has: 'latest',
+        qs: 'latest',
+      },
+    })
+    await next.stop()
+  })
+
+  afterAll(() => next.destroy())
+
+  it('detects dynamic code nested in @apollo/react-hooks', async () => {
+    await next.patchFile(
+      'lib/utils.js',
+      `
+        import { useQuery } from '@apollo/react-hooks'
+        import gql from 'graphql-tag'
+
+        export default function useGreeting() {
+          return useQuery(
+            gql\`
+              query getGreeting($language: String!) {
+                greeting(language: $language) {
+                  message
+                }
+              }
+            \`, 
+            { variables: { language: 'english' } }
+          )
+        }
+      `
+    )
+    await expect(next.start()).rejects.toThrow()
+    expect(next.cliOutput).toContain(`
+./node_modules/ts-invariant/lib/invariant.esm.js
+Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`)
+  })
+
+  it('detects dynamic code nested in has', async () => {
+    await next.patchFile(
+      'lib/utils.js',
+      `
+        import has from 'has'
+        has(Object.prototype, 'hasOwnProperty')
+      `
+    )
+    await expect(next.start()).rejects.toThrow()
+    expect(next.cliOutput).toContain(`
+./node_modules/function-bind/implementation.js
+Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`)
+    expect(next.cliOutput).toContain(`
+./node_modules/has/src/index.js
+Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`)
+  })
+
+  it('detects dynamic code nested in qs', async () => {
+    await next.patchFile(
+      'lib/utils.js',
+      `
+        import qs from 'qs'
+        qs.parse('a=c')
+      `
+    )
+    await expect(next.start()).rejects.toThrow()
+    expect(next.cliOutput).toContain(`
+./node_modules/get-intrinsic/index.js
+Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`)
+  })
+
+  it('does not detects dynamic code nested in @aws-sdk/client-s3 (legit Function.bind)', async () => {
+    await next.patchFile(
+      'lib/utils.js',
+      `
+        import { S3Client, AbortMultipartUploadCommand } from '@aws-sdk/client-s3'
+        new S3Client().send(new AbortMultipartUploadCommand({}))
+      `
+    )
+    await expect(next.start()).rejects.toThrow()
+    expect(next.cliOutput).not.toContain(
+      `./node_modules/@aws-sdk/smithy-client/dist-es/lazy-json.js`
+    )
+    expect(next.cliOutput).not.toContain(
+      `Dynamic Code Evaluation (e. g. 'eval', 'new Function') not allowed in Middleware pages/_middleware`
+    )
+  })
+})