@ai-sdk/provider-utils 4.0.17 → 4.0.18

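--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,11 @@
  # @ai-sdk/provider-utils
 
+ ## 4.0.18
+
+ ### Patch Changes
+
+ - 824b295: fix(provider-utils): prevent unicode escape bypass in secureJsonParse
+
  ## 4.0.17
 
  ### Patch Changes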
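--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -574,7 +574,7 @@ function withUserAgentSuffix(headers, ...userAgentSuffixParts) {
  }
 
  // src/version.ts
- var VERSION = true ? "4.0.17" : "0.0.0-test";
+ var VERSION = true ? "4.0.18" : "0.0.0-test";
 
  // src/get-from-api.ts
  var getOriginalFetch = () => globalThis.fetch;
@@ -809,8 +809,8 @@ function mediaTypeToExtension(mediaType) {
  var import_provider9 = require("@ai-sdk/provider");
 
  // src/secure-json-parse.ts
- var suspectProtoRx = /"__proto__"\s*:/;
- var suspectConstructorRx = /"constructor"\s*:/;
+ var suspectProtoRx = /"(?:_|\\u005[Ff])(?:_|\\u005[Ff])(?:p|\\u0070)(?:r|\\u0072)(?:o|\\u006[Ff])(?:t|\\u0074)(?:o|\\u006[Ff])(?:_|\\u005[Ff])(?:_|\\u005[Ff])"\s*:/;
+ var suspectConstructorRx = /"(?:c|\\u0063)(?:o|\\u006[Ff])(?:n|\\u006[Ee])(?:s|\\u0073)(?:t|\\u0074)(?:r|\\u0072)(?:u|\\u0075)(?:c|\\u0063)(?:t|\\u0074)(?:o|\\u006[Ff])(?:r|\\u0072)"\s*:/;
  function _parse(text) {
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object") {
@@ -830,7 +830,7 @@ function filter(obj) {
  if (Object.prototype.hasOwnProperty.call(node, "__proto__")) {
  throw new SyntaxError("Object contains forbidden prototype property");
  }
- if (Object.prototype.hasOwnProperty.call(node, "constructor") && Object.prototype.hasOwnProperty.call(node.constructor, "prototype")) {
+ if (Object.prototype.hasOwnProperty.call(node, "constructor") && node.constructor !== null && typeof node.constructor === "object" && Object.prototype.hasOwnProperty.call(node.constructor, "prototype")) {
  throw new SyntaxError("Object contains forbidden prototype property");
  }
  for (const key in node) {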
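Review bot: The two rewritten patterns under `// src/secure-json-parse.ts` are still a denylist over the raw text, and their hand-expanded form has no comment explaining why every character carries a `\uXXXX` alternative or that `[Ff]`/`[Ee]` cover both hex-digit cases, so a later edit could quietly reopen the escape bypass. I would add above them `// Pre-screen on raw text only: each character also matches its JSON \uXXXX escape, in either hex case; filter() on the parsed object is the authoritative check.` If `_parse` skips `filter()` whenever neither pattern matches (that part of the function is outside the visible hunks), these regexes are the only gate; running `filter()` unconditionally, or at least for any input that contains `\u`, would remove that dependency. The `node.constructor !== null && typeof node.constructor === "object"` guard added in `filter` looks right for an input such as `{"constructor": null}`, which would otherwise make the `hasOwnProperty.call` on it throw a `TypeError`. Both `_parse` and `filter` continue outside the hunks shown.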