@ts-graphviz/ast 3.0.4-next-52e3f1ff58a77bf9bd9a0d0b6e29edb20e3700e5 → 3.0.4
- package/CHANGELOG.md +22 -1
- package/lib/ast.d.ts +6 -0
- package/lib/ast.js +17 -2
- package/package.json +1 -1
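--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,9 +1,30 @@
 # @ts-graphviz/ast
 
-## 3.0.4
+## 3.0.4
 
 ### Patch Changes
 
+- [#1531](https://github.com/ts-graphviz/ts-graphviz/pull/1531) [`c4a08b9`](https://github.com/ts-graphviz/ts-graphviz/commit/c4a08b9f6bbe9104a461d5dc599ca307f6940f7c) Thanks [@kamiazya](https://github.com/kamiazya)! - Fix stack overflow vulnerability in edge chain parser
+
+This patch addresses a security vulnerability where deeply chained edges in DOT files could cause stack overflow, leading to application crashes and potential DoS attacks.
+
+**Changes:**
+
+- Added depth limit (default: 1000) to edge chain parsing in PEG grammar
+- Introduced `maxEdgeChainDepth` option to `parse()` function for custom depth limits
+- Improved parser to track and limit edge chain depth during parsing
+- Reset edge chain depth counter after successful edge parse
+
+**Security Impact:**
+
+- Prevents stack overflow attacks from maliciously crafted DOT files with deep edge chains (e.g., `a -> b -> c -> ... -> z`)
+- Prevents memory exhaustion from unbounded `edgeops` array growth
+- Normal use cases (typically <100 edges per chain) are unaffected
+- Configurable limit allows complex graphs when needed
+
+**Breaking Changes:**
+None. This is a backward-compatible security fix with sensible defaults.
+
 - [#1526](https://github.com/ts-graphviz/ts-graphviz/pull/1526) [`00aaf2f`](https://github.com/ts-graphviz/ts-graphviz/commit/00aaf2ff6ef6fa8b6611ec2a477bc46b76fdebaf) Thanks [@kamiazya](https://github.com/kamiazya)! - Fix critical stack overflow vulnerability in HTML string parser
 
 This patch addresses a critical security vulnerability where deeply nested HTML-like structures in DOT files could cause stack overflow, leading to application crashes and potential DoS attacks.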
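--- a/package/lib/ast.d.ts
+++ b/package/lib/ast.d.ts
@@ -195,6 +195,12 @@ export declare interface CommonParseOptions {
 * @default 100
 */
 maxHtmlNestingDepth?: number;
+/**
+* maxEdgeChainDepth (optional): Maximum allowed depth for chained edges.
+* Default is 1000. This limit prevents stack overflow attacks from deeply chained edge structures.
+* @default 1000
+*/
+maxEdgeChainDepth?: number;
 }
 
 /**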
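--- a/package/lib/ast.js
+++ b/package/lib/ast.js
@@ -321,6 +321,7 @@ function peg$parse(input, options) {
 );
 }
 function peg$f14(id, rhs, _children) {
+edgeChainDepth = 0;
 return b.createElement(
 // @ts-ignore
 "Edge",
@@ -365,6 +366,13 @@ function peg$parse(input, options) {
 return { operator, location: location() };
 }
 function peg$f22(edgeop, id, rest) {
+edgeChainDepth++;
+if (edgeChainDepth > MAX_EDGE_CHAIN_DEPTH) {
+const loc = location();
+error(
+`Edge chain depth exceeds maximum allowed depth of ${MAX_EDGE_CHAIN_DEPTH} at line ${loc.start.line}, column ${loc.start.column}. Consider breaking up long edge chains or increasing the 'maxEdgeChainDepth' option.`
+);
+}
 edgeops.push(edgeop);
 return [id].concat(rest || []);
 }
@@ -2706,7 +2714,9 @@ function peg$parse(input, options) {
 }
 const edgeops = [];
 const MAX_HTML_NESTING_DEPTH = options.maxHtmlNestingDepth ?? 100;
+const MAX_EDGE_CHAIN_DEPTH = options.maxEdgeChainDepth ?? 1e3;
 let htmlNestingDepth = 0;
+let edgeChainDepth = 0;
 const b = new Builder({
 locationFunction: location
 });
@@ -2743,9 +2753,14 @@ function peg$parse(input, options) {
 }
 }
 function parse(input, options) {
-const { startRule, filename, maxHtmlNestingDepth } = options ?? {};
+const { startRule, filename, maxHtmlNestingDepth, maxEdgeChainDepth } = options ?? {};
 try {
-return peg$parse(input, {
+return peg$parse(input, {
+startRule,
+filename,
+maxHtmlNestingDepth,
+maxEdgeChainDepth
+});
 } catch (e) {
 if (e instanceof peg$SyntaxError) {
 throw new DotSyntaxError(e.message, {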
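--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@ts-graphviz/ast",
-"version": "3.0.4
+"version": "3.0.4",
 "description": "Graphviz AST(Abstract Syntax Tree) Utilities",
 "keywords": [],
 "homepage": "https://github.com/ts-graphviz/ts-graphviz#readme",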