@ts-graphviz/ast 3.0.5-next-11f7126347816f64f7892c8608b5e3bf1a826670 → 3.0.5-next-9296372cefd7dcf81ff8d3d827bb124ac56849ec
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +64 -2
- package/lib/ast.js +1 -1
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -1,9 +1,71 @@
|
|
|
1
1
|
# @ts-graphviz/ast
|
|
2
2
|
|
|
3
|
-
## 3.0.5-next-
|
|
3
|
+
## 3.0.5-next-9296372cefd7dcf81ff8d3d827bb124ac56849ec
|
|
4
4
|
|
|
5
5
|
### Patch Changes
|
|
6
6
|
|
|
7
|
+
- [#1536](https://github.com/ts-graphviz/ts-graphviz/pull/1536) [`4296b4e`](https://github.com/ts-graphviz/ts-graphviz/commit/4296b4e0cf17f36cc385c2ce93ec7ec89bd4a73a) Thanks [@kamiazya](https://github.com/kamiazya)! - Add null byte sanitization and comprehensive security tests for DOT injection prevention
|
|
8
|
+
|
|
9
|
+
## Security Fix
|
|
10
|
+
|
|
11
|
+
### Null Byte Handling
|
|
12
|
+
|
|
13
|
+
Added null byte removal to the `escape()` function to prevent Graphviz parsing errors. Graphviz treats null bytes (`\0`) as string terminators, causing syntax errors when encountered in quoted strings. This is now consistent with the `escapeComment()` function which already strips null bytes.
|
|
14
|
+
|
|
15
|
+
**Why this matters:**
|
|
16
|
+
|
|
17
|
+
- Prevents "syntax error in line X scanning a quoted string" errors in Graphviz
|
|
18
|
+
- Removes potential attack vector for causing parser failures
|
|
19
|
+
- Aligns with existing comment sanitization behavior
|
|
20
|
+
|
|
21
|
+
## Test Coverage Additions
|
|
22
|
+
|
|
23
|
+
### Unit Tests (escape.test.ts)
|
|
24
|
+
|
|
25
|
+
Added 16 new test cases covering various DOT injection attack vectors:
|
|
26
|
+
|
|
27
|
+
- Semicolon-based statement injection
|
|
28
|
+
- Edge operator injection attempts
|
|
29
|
+
- Graph termination injection via quotes and newlines
|
|
30
|
+
- Closing brace injection
|
|
31
|
+
- Attribute injection with equals sign
|
|
32
|
+
- Multiple quote injection attempts
|
|
33
|
+
- Mixed newlines and quotes
|
|
34
|
+
- Subgraph injection attempts
|
|
35
|
+
- Edge chain injection
|
|
36
|
+
- HTML-like label injection with quotes
|
|
37
|
+
- Port injection
|
|
38
|
+
- Already-escaped string handling
|
|
39
|
+
- Null byte removal (2 tests)
|
|
40
|
+
- Unicode strings with quotes
|
|
41
|
+
- Strict keyword injection
|
|
42
|
+
|
|
43
|
+
### Integration Tests (to-dot.test.ts)
|
|
44
|
+
|
|
45
|
+
Added 10 new end-to-end test cases:
|
|
46
|
+
|
|
47
|
+
- Statement injection in node IDs (semicolon)
|
|
48
|
+
- Edge operator injection in node IDs
|
|
49
|
+
- Graph termination injection via quotes and newlines
|
|
50
|
+
- Statement injection in subgraph IDs
|
|
51
|
+
- Attribute value injection prevention
|
|
52
|
+
- Edge ID injection prevention
|
|
53
|
+
- Multiple quotes in node ID
|
|
54
|
+
- Port specification injection
|
|
55
|
+
- Graph comment injection
|
|
56
|
+
- Node comment injection
|
|
57
|
+
|
|
58
|
+
## Validation
|
|
59
|
+
|
|
60
|
+
All tests confirm that the existing escape implementation correctly prevents DOT language injection by:
|
|
61
|
+
|
|
62
|
+
- Escaping double quotes (`"` → `\"`)
|
|
63
|
+
- Escaping newlines (`\n` → `\n`)
|
|
64
|
+
- Escaping carriage returns (`\r` → `\r`)
|
|
65
|
+
- Ensuring malicious strings are treated as literal identifiers, not DOT syntax
|
|
66
|
+
|
|
67
|
+
Verified with actual Graphviz parser (version 13.1.1) that escaped output renders safely without executing injected DOT code.
|
|
68
|
+
|
|
7
69
|
- [#1533](https://github.com/ts-graphviz/ts-graphviz/pull/1533) [`ed770be`](https://github.com/ts-graphviz/ts-graphviz/commit/ed770be7fffc93b9171198c9a84270df7477185d) Thanks [@kamiazya](https://github.com/kamiazya)! - Add memory exhaustion protection with input size and AST node count limits
|
|
8
70
|
|
|
9
71
|
Addresses security vulnerability where extremely large inputs or inputs with excessive elements could cause memory exhaustion, leading to application crashes and potential DoS attacks.
|
|
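Review bot: In the added Validation list, the entries `\n` → `\n` and `\r` → `\r` show the same text on both sides of the arrow, so the changelog reads as if the escape were a no-op. Write the right-hand side so the literal two-character sequence is visible (for example `\\n` and `\\r`), the way the quote entry shows `"` → `\"`. The added `## Security Fix`, `## Test Coverage Additions` and `## Validation` headings also sit at the same level as the version headings (such as `## 3.0.4`), so anything that splits this file on `##` will treat them as releases; demoting them under the bullet keeps the hierarchy intact.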
@@ -118,7 +180,7 @@
|
|
|
118
180
|
- Follows industry best practices for comment sanitization
|
|
119
181
|
|
|
120
182
|
- Updated dependencies [[`dc3ef34`](https://github.com/ts-graphviz/ts-graphviz/commit/dc3ef34316f5642c416711cb6a50704dbef7bb64)]:
|
|
121
|
-
- @ts-graphviz/common@3.0.4-next-
|
|
183
|
+
- @ts-graphviz/common@3.0.4-next-9296372cefd7dcf81ff8d3d827bb124ac56849ec
|
|
122
184
|
|
|
123
185
|
## 3.0.4
|
|
124
186
|
|
package/lib/ast.js
CHANGED
|
@@ -2947,7 +2947,7 @@ const GraphPrintPlugin = {
|
|
|
2947
2947
|
yield "}";
|
|
2948
2948
|
}
|
|
2949
2949
|
};
|
|
2950
|
-
const escape = (value) => value.replace(/(?<!\\)"|[\r\n]/g, escapeReplacer);
|
|
2950
|
+
const escape = (value) => value.replace(/\0/g, "").replace(/(?<!\\)"|[\r\n]/g, escapeReplacer);
|
|
2951
2951
|
const escapeMap = {
|
|
2952
2952
|
"\r": String.raw`\r`,
|
|
2953
2953
|
"\n": String.raw`\n`,
|
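Review bot: On the changed `escape` line, `.replace(/\0/g, "")` drops null bytes silently, so two distinct inputs (a constructed pair: `a\0b` and `ab`) now serialize to the same identifier and the caller gets no signal that the value was altered. Consider documenting this on `escape()` or rejecting such input, and add a test that pins the collapsed output. The unchanged lookbehind `(?<!\\)"` also leaves any quote that follows a backslash as it is; the changelog lists an "Already-escaped string handling" test, and a case where the input carries a literal backslash directly before the quote would pin the intended behaviour there too.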
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@ts-graphviz/ast",
|
|
3
|
-
"version": "3.0.5-next-
|
|
3
|
+
"version": "3.0.5-next-9296372cefd7dcf81ff8d3d827bb124ac56849ec",
|
|
4
4
|
"description": "Graphviz AST(Abstract Syntax Tree) Utilities",
|
|
5
5
|
"keywords": [],
|
|
6
6
|
"homepage": "https://github.com/ts-graphviz/ts-graphviz#readme",
|
|
@@ -33,7 +33,7 @@
|
|
|
33
33
|
"./package.json": "./package.json"
|
|
34
34
|
},
|
|
35
35
|
"dependencies": {
|
|
36
|
-
"@ts-graphviz/common": "^3.0.4-next-
|
|
36
|
+
"@ts-graphviz/common": "^3.0.4-next-9296372cefd7dcf81ff8d3d827bb124ac56849ec"
|
|
37
37
|
},
|
|
38
38
|
"devDependencies": {
|
|
39
39
|
"peggy": "^5.0.6",
|
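Review bot: The new dependency line keeps a caret range on a commit-hash prerelease, `"^3.0.4-next-9296372cefd7dcf81ff8d3d827bb124ac56849ec"`. Semver orders prerelease identifiers lexically, so hash suffixes sort in no chronological order, and the range also admits `3.0.4` and later 3.x releases; an install can therefore resolve to a different build of `@ts-graphviz/common` than the one this snapshot was tested against. For a snapshot that ships a security fix, pin the exact version (drop the `^`) so the pair of packages is reproducible.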