@ts-graphviz/ast 3.0.5-next-dc3ef34316f5642c416711cb6a50704dbef7bb64 → 3.0.5-next-11f7126347816f64f7892c8608b5e3bf1a826670

  1. package/CHANGELOG.md +56 -2
  2. package/lib/ast.js +10 -1
  3. package/package.json +2 -2
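--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,6 +1,6 @@
 # @ts-graphviz/ast
 
-## 3.0.5-next-dc3ef34316f5642c416711cb6a50704dbef7bb64
+## 3.0.5-next-11f7126347816f64f7892c8608b5e3bf1a826670
 
 ### Patch Changes
 
@@ -63,8 +63,62 @@
 
 - [#1532](https://github.com/ts-graphviz/ts-graphviz/pull/1532) [`dc3ef34`](https://github.com/ts-graphviz/ts-graphviz/commit/dc3ef34316f5642c416711cb6a50704dbef7bb64) Thanks [@dependabot](https://github.com/apps/dependabot)! - build(deps-dev): bump vite from 7.0.2 to 7.0.8 in the npm_and_yarn group across 1 directory
 
+- [#1535](https://github.com/ts-graphviz/ts-graphviz/pull/1535) [`11f7126`](https://github.com/ts-graphviz/ts-graphviz/commit/11f7126347816f64f7892c8608b5e3bf1a826670) Thanks [@kamiazya](https://github.com/kamiazya)! - Fix comment injection vulnerability in block comments
+
+Addresses security vulnerability where malicious `*/` sequences in comment content could break out of block comment context and inject arbitrary DOT syntax.
+
+## Security Enhancement
+
+### Comment Content Escaping
+
+- Added `escapeComment()` utility function to sanitize comment content
+- Block comments: Breaks up `*/` sequences using zero-width space (U+200B) to prevent early comment termination
+- All comment types: Removes null bytes that could cause parsing issues
+- Follows C/C++ and DOT language specifications where block comments cannot be nested
+
+## Changes
+
+### New Utility Function
+
+- `escapeComment()` in `packages/ast/src/dot-shim/printer/plugins/utils/escape-comment.ts`
+- Prevents comment injection by inserting zero-width space between `*` and `/`
+- Maintains visual appearance while preventing syntax injection
+- Verified to work with Graphviz 13.1.1
+
+### Updated Components
+
+- `CommentPrintPlugin` now applies escaping before outputting comment content
+- All comment values are sanitized at print time, not at creation time
+- Maintains backward compatibility with existing AST structures
+
+### Testing
+
+- 11 unit tests for `escapeComment()` function covering:
+- Block comment injection prevention
+- Multiple `*/` sequence handling
+- Null byte removal
+- Normal content preservation
+- Integration tests in `stringify.test.ts` for end-to-end verification
+- All existing tests continue to pass
+
+## Security Impact
+
+- Prevents DOT syntax injection via malicious comment content
+- Blocks attempts to escape comment context and inject arbitrary graph definitions
+- Protects against parser manipulation through crafted comment values
+- Zero-width space approach is standards-compliant and validated with official Graphviz parser
+
+## Technical Details
+
+According to C/C++ and DOT language specifications, block comments (`/* */`) cannot be nested and there is no escape sequence for the closing delimiter within comments. The standard workaround is to insert a zero-width space (U+200B) between `*` and `/`, which:
+
+- Prevents early comment termination
+- Preserves visual appearance (zero-width character is invisible)
+- Is correctly handled by Graphviz parser (tested with version 13.1.1)
+- Follows industry best practices for comment sanitization
+
 - Updated dependencies [[`dc3ef34`](https://github.com/ts-graphviz/ts-graphviz/commit/dc3ef34316f5642c416711cb6a50704dbef7bb64)]:
-- @ts-graphviz/common@3.0.4-next-dc3ef34316f5642c416711cb6a50704dbef7bb64
+- @ts-graphviz/common@3.0.4-next-11f7126347816f64f7892c8608b5e3bf1a826670
 
 ## 3.0.4
 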
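--- a/package/lib/ast.js
+++ b/package/lib/ast.js
@@ -2865,6 +2865,14 @@ const AttributePrintPlugin = {
 yield ";";
 }
 };
+const ZERO_WIDTH_SPACE = "​";
+function escapeComment(value, kind) {
+let escaped = value.replace(/\0/g, "");
+if (kind === "Block") {
+escaped = escaped.replace(/\*\//g, `*${ZERO_WIDTH_SPACE}/`);
+}
+return escaped;
+}
 const EOL_PATTERN = /\r?\n/;
 const paddingMap = {
 Block: " * ",
@@ -2880,7 +2888,8 @@ const CommentPrintPlugin = {
 if (ast.kind === "Block") {
 yield* ["/**", context.EOL];
 }
-const lines = ast.value.split(EOL_PATTERN);
+const escapedValue = escapeComment(ast.value, ast.kind);
+const lines = escapedValue.split(EOL_PATTERN);
 const lineLength = lines.length;
 for (let i = 0; i < lineLength; i++) {
 yield padding;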
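Review bot: `escapeComment` in the first hunk carries no comment explaining why an invisible U+200B is inserted between `*` and `/` instead of the sequence being dropped or replaced, nor that the transform is lossy — a later maintainer who notices a stray zero-width character in printed output may "clean it up" and silently reopen the comment break-out. Two lines above the function would pin this down: `// A block comment has no escape for its own terminator, so a zero-width space between "*" and "/" keeps the text` / `// readable while stopping the lexer from closing the comment early; this is one-way and is not undone by the parser.` For the non-`"Block"` kinds the function only strips null bytes, so the remaining barrier against a value reaching the next line of DOT is the `EOL_PATTERN` split in `CommentPrintPlugin` in the second hunk, which does not split on a bare `\r`; whether any consumer of the printed DOT treats a lone CR as a line terminator is not visible here, so it is worth a test case or a comment rather than a code change. The other `kind` values, the rest of `paddingMap`, and the emission of the closing `*/` all lie outside the hunks.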
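--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@ts-graphviz/ast",
-"version": "3.0.5-next-dc3ef34316f5642c416711cb6a50704dbef7bb64",
+"version": "3.0.5-next-11f7126347816f64f7892c8608b5e3bf1a826670",
 "description": "Graphviz AST(Abstract Syntax Tree) Utilities",
 "keywords": [],
 "homepage": "https://github.com/ts-graphviz/ts-graphviz#readme",
@@ -33,7 +33,7 @@
 "./package.json": "./package.json"
 },
 "dependencies": {
-"@ts-graphviz/common": "^3.0.4-next-dc3ef34316f5642c416711cb6a50704dbef7bb64"
+"@ts-graphviz/common": "^3.0.4-next-11f7126347816f64f7892c8608b5e3bf1a826670"
 },
 "devDependencies": {
 "peggy": "^5.0.6",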