SSR migrated to Rust

2026-06-04 21:37:06 -04:00
parent ae684a36cb
commit 587be8c4ab
12 changed files with 2825 additions and 472 deletions
--- a/cores/mizan-rust-ssr/tests/fixture/.gitignore
+++ b/cores/mizan-rust-ssr/tests/fixture/.gitignore
@@ -0,0 +1,3 @@
+node_modules/
+package-lock.json
+bundle.js
--- a/cores/mizan-rust-ssr/tests/fixture/Hello.js
+++ b/cores/mizan-rust-ssr/tests/fixture/Hello.js
@@ -0,0 +1,7 @@
+import { createElement } from "react"
+
+// A trivial component: props in, element out. The keystone only needs to prove
+// a real React tree renders to HTML inside a bare JS context.
+export function Hello({ name }) {
+  return createElement("div", { id: "greeting" }, `Hello, ${name}!`)
+}
--- a/cores/mizan-rust-ssr/tests/fixture/entry.js
+++ b/cores/mizan-rust-ssr/tests/fixture/entry.js
@@ -0,0 +1,8 @@
+import { renderToStaticMarkup } from "react-dom/server.browser"
+import { createElement } from "react"
+import { Hello } from "./Hello.js"
+
+// The bundle exposes one global the embedded engine calls. No module system at
+// runtime — the engine receives a bare script that defines `renderApp`. This is
+// the production shape in miniature: build-time bundle, runtime eval.
+globalThis.renderApp = (props) => renderToStaticMarkup(createElement(Hello, props))
--- a/cores/mizan-rust-ssr/tests/fixture/package.json
+++ b/cores/mizan-rust-ssr/tests/fixture/package.json
@@ -0,0 +1,7 @@
+{
+  "dependencies": {
+    "esbuild": "^0.28.0",
+    "react": "^19.2.7",
+    "react-dom": "^19.2.7"
+  }
+}
--- a/cores/mizan-rust-ssr/tests/fixture/runner.cjs
+++ b/cores/mizan-rust-ssr/tests/fixture/runner.cjs
@@ -0,0 +1,29 @@
+// Proxy for the embedded-V8 runtime: a bare global context with no Node
+// builtins. Load the IIFE bundle (which assigns globalThis.renderApp) and call
+// it. What renders here renders in rusty_v8 — the engine swaps, the contract
+// (bundle defines a global render fn over a bare context) does not.
+const fs = require("fs")
+const vm = require("vm")
+
+const code = fs.readFileSync(__dirname + "/bundle.js", "utf8")
+
+// The minimal host globals React's bundle touches at init / sync render. The
+// rusty_v8 engine must provide the same set — this list is the spec for it.
+const sandbox = {
+  console, setTimeout, clearTimeout, queueMicrotask, MessageChannel, performance,
+  TextEncoder, TextDecoder,
+}
+sandbox.globalThis = sandbox
+
+vm.createContext(sandbox)
+vm.runInContext(code, sandbox)
+
+const html = sandbox.renderApp({ name: "World" })
+console.log("RENDERED:", html)
+
+const expected = '<div id="greeting">Hello, World!</div>'
+if (html !== expected) {
+  console.error("MISMATCH — expected:", expected)
+  process.exit(1)
+}
+console.log("OK — React bundle renders in a bare JS context (V8 proxy)")
--- a/cores/mizan-rust-ssr/tests/no_rsc.rs
+++ b/cores/mizan-rust-ssr/tests/no_rsc.rs
@@ -0,0 +1,54 @@
+//! Guard — Mizan SSR is hand-rolled (bare renderer + AFI data injection +
+//! injected kernel). No frontend adapter imports an SSR runtime / meta-framework
+//! (Next, Nuxt, SvelteKit) or a server-functions layer (RSC / Flight).
+//!
+//! React Server Components and the Flight serialization protocol carry
+//! CVE-2025-55182 ("React2Shell" — unauthenticated remote code execution,
+//! CVSS 10.0): the server deserializes a client-supplied Flight payload and an
+//! attacker reaches prototype-pollution → RCE.
+//!
+//! Mizan renders **synchronously from props** — data is fetched server-side
+//! through the AFI and passed in, never deserialized from a client payload — so
+//! it sits structurally outside that attack surface. This test keeps it there:
+//! it goes red the instant any RSC / Flight / streaming surface enters the
+//! authored SSR source or its dependencies. Absence is not enough; this is the
+//! forcing function that makes re-entry loud.
+
+/// Tokens that only appear when RSC / Flight / streaming rendering is in play.
+const FORBIDDEN: &[&str] = &[
+    // React Server Components / Flight — CVE-2025-55182 (pre-auth RCE, CVSS 10.0)
+    "react-server-dom",
+    "renderToReadableStream",
+    "renderToPipeableStream",
+    "createFromReadableStream",
+    "createFromFetch",
+    "use server",
+    // SSR runtimes / meta-frameworks — forbidden across every frontend adapter
+    "next/",
+    "nuxt",
+    "@sveltejs/kit",
+    "sveltekit",
+];
+
+const SCANNED: &[&str] = &[
+    concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/entry.js"),
+    concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/Hello.js"),
+    concat!(env!("CARGO_MANIFEST_DIR"), "/tests/fixture/package.json"),
+];
+
+#[test]
+fn ssr_has_no_rsc_or_flight_surface() {
+    for path in SCANNED {
+        let Ok(src) = std::fs::read_to_string(path) else {
+            continue; // a generated/optional file absent is fine; authored source is the point
+        };
+        for needle in FORBIDDEN {
+            assert!(
+                !src.contains(needle),
+                "RSC/Flight surface {needle:?} found in {path} — forbidden. \
+                 RSC carries CVE-2025-55182 (unauth RCE, CVSS 10.0); Mizan SSR is \
+                 classic renderToString-family only, rendered synchronously from props.",
+            );
+        }
+    }
+}