npm - fast-xml-parser - Versions diffs - 4.5.3 → 4.5.5 - Mend

fast-xml-parser 4.5.3 → 4.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/CHANGELOG.md +17 -0
package/package.json +5 -6
package/src/fxp.d.ts +126 -18
package/src/util.js +26 -9
package/src/xmlbuilder/orderedJs2Xml.js +14 -3
package/src/xmlparser/DocTypeReader.js +387 -131
package/src/xmlparser/OptionsBuilder.js +139 -41
package/src/xmlparser/OrderedObjParser.js +346 -191
package/src/v6/CharsSymbol.js +0 -16
package/src/v6/EntitiesParser.js +0 -104
package/src/v6/OptionsBuilder.js +0 -61
package/src/v6/OutputBuilders/BaseOutputBuilder.js +0 -69
package/src/v6/OutputBuilders/JsArrBuilder.js +0 -103
package/src/v6/OutputBuilders/JsMinArrBuilder.js +0 -100
package/src/v6/OutputBuilders/JsObjBuilder.js +0 -154
package/src/v6/OutputBuilders/ParserOptionsBuilder.js +0 -94
package/src/v6/Report.js +0 -0
package/src/v6/TagPath.js +0 -81
package/src/v6/TagPathMatcher.js +0 -13
package/src/v6/XMLParser.js +0 -83
package/src/v6/Xml2JsParser.js +0 -235
package/src/v6/XmlPartReader.js +0 -210
package/src/v6/XmlSpecialTagsReader.js +0 -111
package/src/v6/inputSource/BufferSource.js +0 -116
package/src/v6/inputSource/StringSource.js +0 -121
package/src/v6/valueParsers/EntitiesParser.js +0 -105
package/src/v6/valueParsers/booleanParser.js +0 -22
package/src/v6/valueParsers/booleanParserExt.js +0 -19
package/src/v6/valueParsers/currency.js +0 -38
package/src/v6/valueParsers/join.js +0 -13
package/src/v6/valueParsers/number.js +0 -14
package/src/v6/valueParsers/trim.js +0 -6

package/src/xmlparser/OptionsBuilder.js CHANGED Viewed

@@ -1,47 +1,145 @@
+const { DANGEROUS_PROPERTY_NAMES, criticalProperties } = require("../util");
+const defaultOnDangerousProperty = (name) => {
+  if (DANGEROUS_PROPERTY_NAMES.includes(name)) {
+    return "__" + name;
+  }
+  return name;
+};
 const defaultOptions = {
-    preserveOrder: false,
-    attributeNamePrefix: '@_',
-    attributesGroupName: false,
-    textNodeName: '#text',
-    ignoreAttributes: true,
-    removeNSPrefix: false, // remove NS from tag name or attribute name if true
-    allowBooleanAttributes: false, //a tag can have attributes without any value
-    //ignoreRootElement : false,
-    parseTagValue: true,
-    parseAttributeValue: false,
-    trimValues: true, //Trim string values of tag and attributes
-    cdataPropName: false,
-    numberParseOptions: {
-      hex: true,
-      leadingZeros: true,
-      eNotation: true
-    },
-    tagValueProcessor: function(tagName, val) {
-      return val;
-    },
-    attributeValueProcessor: function(attrName, val) {
-      return val;
-    },
-    stopNodes: [], //nested tags will not be parsed even for errors
-    alwaysCreateTextNode: false,
-    isArray: () => false,
-    commentPropName: false,
-    unpairedTags: [],
-    processEntities: true,
-    htmlEntities: false,
-    ignoreDeclaration: false,
-    ignorePiTags: false,
-    transformTagName: false,
-    transformAttributeName: false,
-    updateTag: function(tagName, jPath, attrs){
-      return tagName
-    },
-    // skipEmptyListItem: false
+  preserveOrder: false,
+  attributeNamePrefix: '@_',
+  attributesGroupName: false,
+  textNodeName: '#text',
+  ignoreAttributes: true,
+  removeNSPrefix: false, // remove NS from tag name or attribute name if true
+  allowBooleanAttributes: false, //a tag can have attributes without any value
+  //ignoreRootElement : false,
+  parseTagValue: true,
+  parseAttributeValue: false,
+  trimValues: true, //Trim string values of tag and attributes
+  cdataPropName: false,
+  numberParseOptions: {
+    hex: true,
+    leadingZeros: true,
+    eNotation: true
+  },
+  tagValueProcessor: function (tagName, val) {
+    return val;
+  },
+  attributeValueProcessor: function (attrName, val) {
+    return val;
+  },
+  stopNodes: [], //nested tags will not be parsed even for errors
+  alwaysCreateTextNode: false,
+  isArray: () => false,
+  commentPropName: false,
+  unpairedTags: [],
+  processEntities: true,
+  htmlEntities: false,
+  ignoreDeclaration: false,
+  ignorePiTags: false,
+  transformTagName: false,
+  transformAttributeName: false,
+  updateTag: function (tagName, jPath, attrs) {
+    return tagName
+  },
+  // skipEmptyListItem: false
+  captureMetaData: false,
+  maxNestedTags: 100,
+  strictReservedNames: true,
+  onDangerousProperty: defaultOnDangerousProperty
 };
-const buildOptions = function(options) {
-    return Object.assign({}, defaultOptions, options);
+/**
+ * Validates that a property name is safe to use
+ * @param {string} propertyName - The property name to validate
+ * @param {string} optionName - The option field name (for error message)
+ * @throws {Error} If property name is dangerous
+ */
+function validatePropertyName(propertyName, optionName) {
+  if (typeof propertyName !== 'string') {
+    return; // Only validate string property names
+  }
+  const normalized = propertyName.toLowerCase();
+  if (DANGEROUS_PROPERTY_NAMES.some(dangerous => normalized === dangerous.toLowerCase())) {
+    throw new Error(
+      `[SECURITY] Invalid ${optionName}: "${propertyName}" is a reserved JavaScript keyword that could cause prototype pollution`
+    );
+  }
+  if (criticalProperties.some(dangerous => normalized === dangerous.toLowerCase())) {
+    throw new Error(
+      `[SECURITY] Invalid ${optionName}: "${propertyName}" is a reserved JavaScript keyword that could cause prototype pollution`
+    );
+  }
+}
+/**
+ * Normalizes processEntities option for backward compatibility
+ * @param {boolean|object} value
+ * @returns {object} Always returns normalized object
+ */
+function normalizeProcessEntities(value) {
+  // Boolean backward compatibility
+  if (typeof value === 'boolean') {
+    return {
+      enabled: value, // true or false
+      maxEntitySize: 10000,
+      maxExpansionDepth: 10,
+      maxTotalExpansions: 1000,
+      maxExpandedLength: 100000,
+      allowedTags: null,
+      tagFilter: null
+    };
+  }
+  // Object config - merge with defaults
+  if (typeof value === 'object' && value !== null) {
+    return {
+      enabled: value.enabled !== false,
+      maxEntitySize: Math.max(1, value.maxEntitySize ?? 10000),
+      maxExpansionDepth: Math.max(1, value.maxExpansionDepth ?? 10),
+      maxTotalExpansions: Math.max(1, value.maxTotalExpansions ?? 1000),
+      maxExpandedLength: Math.max(1, value.maxExpandedLength ?? 100000),
+      maxEntityCount: Math.max(1, value.maxEntityCount ?? 100),
+      allowedTags: value.allowedTags ?? null,
+      tagFilter: value.tagFilter ?? null
+    };
+  }
+  // Default to enabled with limits
+  return normalizeProcessEntities(true);
+}
+const buildOptions = function (options) {
+  const built = Object.assign({}, defaultOptions, options);
+  // Validate property names to prevent prototype pollution
+  const propertyNameOptions = [
+    { value: built.attributeNamePrefix, name: 'attributeNamePrefix' },
+    { value: built.attributesGroupName, name: 'attributesGroupName' },
+    { value: built.textNodeName, name: 'textNodeName' },
+    { value: built.cdataPropName, name: 'cdataPropName' },
+    { value: built.commentPropName, name: 'commentPropName' }
+  ];
+  for (const { value, name } of propertyNameOptions) {
+    if (value) {
+      validatePropertyName(value, name);
+    }
+  }
+  if (built.onDangerousProperty === null) {
+    built.onDangerousProperty = defaultOnDangerousProperty;
+  }
+  // Always normalize processEntities for backward compatibility and validation
+  built.processEntities = normalizeProcessEntities(built.processEntities);
+  //console.debug(built.processEntities)
+  return built;
 };
 exports.buildOptions = buildOptions;