@cloudpss/ubjson 0.5.40 → 0.5.42

package/src/stream-helper/encoder.ts

@@ -2,6 +2,7 @@ import { constants } from '../helper/constants.js';
 import { encode, stringByteLength } from '../helper/string-encoder.js';
 import { EncoderBase } from '../base/encoder.js';
 import type { TypedArrayType } from '../helper/encode.js';
+import type { EncodeOptions } from '../options.js';
 
 const BLOCK_SIZE = 1024 * 64; // 64 KiB
 const MAX_SIZE = 1024 * 1024 * 32; // 32 MiB
@@ -30,8 +31,12 @@ function free(buf: Uint8Array): boolean {
 
 /** 流式编码 UBJSON */
 export class StreamEncoderHelper extends EncoderBase {
-    constructor(protected readonly onChunk: (chunk: Uint8Array) => void) {
+    constructor(
+        options: EncodeOptions | null | undefined,
+        protected readonly onChunk: (chunk: Uint8Array) => void,
+    ) {
         super();
+        this.sortObjectKeys = options?.sortObjectKeys ?? false;
         this.data = alloc(BLOCK_SIZE);
         this.view = new DataView(this.data.buffer);
     }

package/tests/.utils.js

@@ -2,6 +2,7 @@ import { resetEnv as resetDecoderEnv } from '../dist/helper/string-decoder.js';
 import { resetEnv as resetEncoderEnv } from '../dist/helper/string-encoder.js';
 import { resetEncoder } from '../dist/encoder.js';
 import '../dist/helper/constants.js';
+import '../dist/options.js';
 
 /**
  * 重设所有环境
@@ -33,5 +34,13 @@ export function toArray(...args) {
  * @returns {Uint8Array} Uint8Array
  */
 export function toBuffer(...args) {
-    return Uint8Array.from(args, (x) => (typeof x == 'number' ? x : x.charCodeAt(0)));
+    const data = [];
+    for (const x of args) {
+        if (typeof x == 'number') {
+            data.push(x);
+        } else {
+            data.push(...Buffer.from(x, 'ascii'));
+        }
+    }
+    return Uint8Array.from(data);
 }

package/tests/decode.js

@@ -504,3 +504,55 @@ test('decode (eof at marker)', () => {
 test('decode (eof at key)', () => {
     expect(() => decode(toBuffer('{', 'i', 2, 'a'))).toThrow(UnexpectedEof);
 });
+
+describe('proto poisoning attack', () => {
+    it('should remove __proto__ key', () => {
+        const obj = /** @type {Record<string, unknown>} */ (
+            decode(toBuffer('{', 'i', 9, '__proto__', '{', 'i', 1, 'a', 'S', 'i', 3, 'abc', '}', '}'))
+        );
+        expect(Object.hasOwn(obj, '__proto__')).toBe(false);
+        expect(obj['__proto__']).toBe(Object.prototype);
+    });
+    it('should allow __proto__ key', () => {
+        const obj = /** @type {Record<string, unknown>} */ (
+            decode(toBuffer('{', 'i', 9, '__proto__', '{', 'i', 1, 'a', 'S', 'i', 3, 'abc', '}', '}'), {
+                protoAction: 'allow',
+            })
+        );
+        expect(Object.hasOwn(obj, '__proto__')).toBe(true);
+        expect(obj['__proto__']).toEqual({ a: 'abc' });
+    });
+    it('should throw on __proto__ key', () => {
+        expect(() =>
+            decode(toBuffer('{', 'i', 9, '__proto__', '{', 'i', 1, 'a', 'S', 'i', 3, 'abc', '}', '}'), {
+                protoAction: 'error',
+            }),
+        ).toThrow(`Unexpected "__proto__"`);
+    });
+});
+
+describe('constructor poisoning attack', () => {
+    it('should remove constructor key', () => {
+        const obj = /** @type {Record<string, unknown>} */ (
+            decode(toBuffer('{', 'i', 11, 'constructor', '{', 'i', 1, 'a', 'S', 'i', 3, 'abc', '}', '}'), {
+                constructorAction: 'remove',
+            })
+        );
+        expect(Object.hasOwn(obj, 'constructor')).toBe(false);
+        expect(obj.constructor).toBe(Object);
+    });
+    it('should allow constructor key', () => {
+        const obj = /** @type {Record<string, unknown>} */ (
+            decode(toBuffer('{', 'i', 11, 'constructor', '{', 'i', 1, 'a', 'S', 'i', 3, 'abc', '}', '}'))
+        );
+        expect(Object.hasOwn(obj, 'constructor')).toBe(true);
+        expect(obj.constructor).toEqual({ a: 'abc' });
+    });
+    it('should throw on constructor key', () => {
+        expect(() =>
+            decode(toBuffer('{', 'i', 11, 'constructor', '{', 'i', 1, 'a', 'S', 'i', 3, 'abc', '}', '}'), {
+                constructorAction: 'error',
+            }),
+        ).toThrow(`Unexpected "constructor"`);
+    });
+});

package/tests/e2e/.data.js

@@ -465,6 +465,17 @@ EXPECTED['object with undefined values'] = { a: 1, c: { d: 2, f: null } };
 INPUTS['array with undefined values'] = [1, undefined, 2, undefined, 3];
 EXPECTED['array with undefined values'] = [1, null, 2, null, 3];
 
+INPUTS['inject __proto__'] = JSON.parse('{"__proto__": {"a":1}}');
+EXPECTED['inject __proto__'] = {};
+
 INPUTS['invalid __proto__'] = JSON.parse('{"__proto__":"xxx"}');
+EXPECTED['invalid __proto__'] = {};
 
 INPUTS['null __proto__'] = JSON.parse('{"__proto__":null}');
+EXPECTED['null __proto__'] = {};
+
+INPUTS['inject constructor'] = { constructor: { prototype: { a: 1 } } };
+INPUTS['invalid constructor prototype'] = { constructor: { prototype: 'xxx' } };
+INPUTS['null constructor prototype'] = { constructor: { prototype: null } };
+INPUTS['invalid constructor'] = { constructor: 'xxx' };
+INPUTS['null constructor'] = { constructor: null };

package/tests/e2e/stream.js

@@ -13,7 +13,19 @@ describe('stream', () => {
                 expect(decoded).toEqual(expected);
             }).rejects.toThrow(expected);
         } else {
-            const decoded = await decodeStream(encodeStream(input));
+            const encoded = await encodeStream(input).toArray();
+            const data = encoded.flatMap((/** @type {Buffer} */ chunk) => {
+                // split to random chunks
+                const chunks = [];
+                let offset = 0;
+                while (offset < chunk.length) {
+                    const size = Math.floor(Math.random() * chunk.length);
+                    chunks.push(chunk.subarray(offset, offset + size));
+                    offset += size;
+                }
+                return chunks;
+            });
+            const decoded = await decodeStream(Readable.from(data));
             expect(decoded).toEqual(expected);
         }
     });

package/tests/encode.js

@@ -408,7 +408,7 @@ test('encode object', () => {
 });
 
 test('encode object (keep order)', () => {
-    expect(toArray(encode({ b: 2, a: 1, c: 3 }))).toEqual(
+    expect(toArray(encode({ b: 2, a: 1, c: 3 }, { sortObjectKeys: true }))).toEqual(
         toArray('{', 'i', 1, 'a', 'U', 1, 'i', 1, 'b', 'U', 2, 'i', 1, 'c', 'U', 3, '}'),
     );
     // @ts-expect-error Access private property

package/dist/stream-helper/decoder.d.ts

@@ -1,12 +0,0 @@
-import { DecoderBase } from '../base/decoder.js';
-/** 未结束的流 */
-export declare const kEof: unique symbol;
-/** 流式解码 UBJSON */
-export declare class StreamDecoderHelper extends DecoderBase {
-    /** @inheritdoc */
-    protected eof(): never;
-    /** 读取的字节数 */
-    get readLength(): number;
-}
-export { UnexpectedEofError as UnexpectedEof } from '../helper/errors.js';
-//# sourceMappingURL=decoder.d.ts.map

package/dist/stream-helper/decoder.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"decoder.d.ts","sourceRoot":"","sources":["../../src/stream-helper/decoder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,YAAY;AACZ,eAAO,MAAM,IAAI,eAAgB,CAAC;AAElC,kBAAkB;AAClB,qBAAa,mBAAoB,SAAQ,WAAW;IAChD,kBAAkB;cACC,GAAG,IAAI,KAAK;IAM/B,aAAa;IACb,IAAI,UAAU,IAAI,MAAM,CAEvB;CACJ;AAED,OAAO,EAAE,kBAAkB,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/stream-helper/decoder.js

@@ -1,18 +0,0 @@
-import { DecoderBase } from '../base/decoder.js';
-/** 未结束的流 */
-export const kEof = Symbol('EOF');
-/** 流式解码 UBJSON */
-export class StreamDecoderHelper extends DecoderBase {
-    /** @inheritdoc */
-    eof() {
-        // 性能优化，避免 new Error 的开销
-        // eslint-disable-next-line @typescript-eslint/only-throw-error
-        throw kEof;
-    }
-    /** 读取的字节数 */
-    get readLength() {
-        return this.offset;
-    }
-}
-export { UnexpectedEofError as UnexpectedEof } from '../helper/errors.js';
-//# sourceMappingURL=decoder.js.map

package/dist/stream-helper/decoder.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"decoder.js","sourceRoot":"","sources":["../../src/stream-helper/decoder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,YAAY;AACZ,MAAM,CAAC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;AAElC,kBAAkB;AAClB,MAAM,OAAO,mBAAoB,SAAQ,WAAW;IAChD,kBAAkB;IACC,GAAG;QAClB,wBAAwB;QACxB,+DAA+D;QAC/D,MAAM,IAAI,CAAC;IACf,CAAC;IAED,aAAa;IACb,IAAI,UAAU;QACV,OAAO,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;CACJ;AAED,OAAO,EAAE,kBAAkB,IAAI,aAAa,EAAE,MAAM,qBAAqB,CAAC"}

package/src/stream-helper/decoder.ts

@@ -1,21 +0,0 @@
-import { DecoderBase } from '../base/decoder.js';
-
-/** 未结束的流 */
-export const kEof = Symbol('EOF');
-
-/** 流式解码 UBJSON */
-export class StreamDecoderHelper extends DecoderBase {
-    /** @inheritdoc */
-    protected override eof(): never {
-        // 性能优化，避免 new Error 的开销
-        // eslint-disable-next-line @typescript-eslint/only-throw-error
-        throw kEof;
-    }
-
-    /** 读取的字节数 */
-    get readLength(): number {
-        return this.offset;
-    }
-}
-
-export { UnexpectedEofError as UnexpectedEof } from '../helper/errors.js';