mathjs 13.1.0 → 13.1.1

package/HISTORY.md

@@ -1,5 +1,18 @@
 # History
 
+# 2024-08-27, 13.1.1
+
+- Fix security vulnerability in the CLI and web API allowing to call functions
+  `import`, `createUnit` and `reviver`, allowing to get access to the internal
+  math namespace and allowing arbitrary code execution. Thanks @StarlightPWN.
+- Fix security vulnerability: when overwriting a `rawArgs` function with a 
+  non-`rawArgs` function, it was still called with raw arguments. This was both
+  a functional issue and a security issue. Thanks @StarlightPWN.
+- Fix security vulnerability: ensure that `ObjectWrappingMap` cannot delete
+  unsafe properties. Thanks @StarlightPWN.
+- Fix: not being able to use methods and properties on arrays inside the
+  expression parser.
+
 # 2024-08-26, 13.1.0
 
 - Feat: support multiple inputs in function `map` (#3228, #3196). 

package/bin/cli.js

@@ -56,10 +56,23 @@ const PRECISION = 14 // decimals
  * "Lazy" load math.js: only require when we actually start using it.
  * This ensures the cli application looks like it loads instantly.
  * When requesting help or version number, math.js isn't even loaded.
- * @return {*}
+ * @return {{ evalute: function, parse: function, math: Object }}
  */
 function getMath () {
-  return require('../lib/browser/math.js')
+  const { create, all } = require('../lib/browser/math.js')
+
+  const math = create(all)
+  const parse = math.parse
+  const evaluate = math.evaluate
+
+  // See https://mathjs.org/docs/expressions/security.html#less-vulnerable-expression-parser
+  math.import({
+    'import':     function () { throw new Error('Function import is disabled') },
+    'createUnit': function () { throw new Error('Function createUnit is disabled') },
+    'reviver':    function () { throw new Error('Function reviver is disabled') }
+  }, { override: true })
+
+  return { math, parse, evaluate }
 }
 
 /**
@@ -68,7 +81,7 @@ function getMath () {
  * @param {*} value
  */
 function format (value) {
-  const math = getMath()
+  const { math } = getMath()
 
   return math.format(value, {
     fn: function (value) {
@@ -88,7 +101,7 @@ function format (value) {
  * @return {[Array, String]} completions
  */
 function completer (text) {
-  const math = getMath()
+  const { math } = getMath()
   let matches = []
   let keyword
   const m = /[a-zA-Z_0-9]+$/.exec(text)
@@ -183,7 +196,7 @@ function runStream (input, output, mode, parenthesis) {
   }
 
   // load math.js now, right *after* loading the prompt.
-  const math = getMath()
+  const { math, parse } = getMath()
 
   // TODO: automatic insertion of 'ans' before operators like +, -, *, /
 
@@ -214,7 +227,7 @@ function runStream (input, output, mode, parenthesis) {
           case 'evaluate':
             // evaluate expression
             try {
-              let node = math.parse(expr)
+              let node = parse(expr)
               let res = node.evaluate(scope)
 
               if (math.isResultSet(res)) {
@@ -288,7 +301,7 @@ function runStream (input, output, mode, parenthesis) {
  * @return {string | null} Returns the name when found, else returns null.
  */
 function findSymbolName (node) {
-  const math = getMath()
+  const { math } = getMath()
   let n = node
 
   while (n) {
@@ -412,9 +425,10 @@ if (version) {
   // run a stream, can be user input or pipe input
   runStream(process.stdin, process.stdout, mode, parenthesis)
 } else {
-  fs.stat(scripts[0], function (e, f) {
-    if (e) {
-      console.log(getMath().evaluate(scripts.join(' ')).toString())
+  fs.stat(scripts[0], function (err) {
+    if (err) {
+      const { evaluate } = getMath()
+      console.log(evaluate(scripts.join(' ')).toString())
     } else {
     // work through the queue of scripts
       scripts.forEach(function (arg) {