npm - msgpackr - Versions diffs - 1.10.0 → 1.10.2 - Mend

msgpackr 1.10.0 → 1.10.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +1 -0
package/dist/index-no-eval.cjs +41 -19
package/dist/index-no-eval.cjs.map +1 -1
package/dist/index-no-eval.min.js +1 -1
package/dist/index-no-eval.min.js.map +1 -1
package/dist/index.js +41 -19
package/dist/index.js.map +1 -1
package/dist/index.min.js +1 -1
package/dist/index.min.js.map +1 -1
package/dist/node.cjs +41 -19
package/dist/node.cjs.map +1 -1
package/dist/test.js +75 -20
package/dist/test.js.map +1 -1
package/dist/unpack-no-eval.cjs +21 -4
package/dist/unpack-no-eval.cjs.map +1 -1
package/index.d.cts +1 -0
package/index.d.ts +1 -0
package/pack.js +20 -15
package/package.json +1 -1
package/unpack.js +21 -4

package/unpack.js CHANGED Viewed

@@ -914,7 +914,7 @@ function readKey() {
 			return readFixedString(length)
 	} else { // not cacheable, go back and do a standard read
 		position--
-		return read().toString()
+		return asSafeString(read())
 	}
 	let key = ((length << 5) ^ (length > 1 ? dataView.getUint16(position) : length > 0 ? src[position] : 0)) & 0xfff
 	let entry = keyCache[key]
@@ -966,9 +966,17 @@ function readKey() {
 	return entry.string = readFixedString(length)
 }
+function asSafeString(property) {
+	// protect against expensive (DoS) string conversions
+	if (typeof property === 'string') return property;
+	if (typeof property === 'number' || typeof property === 'boolean' || typeof property === 'bigint') return property.toString();
+	if (property == null) return property + '';
+	throw new Error('Invalid property type for record', typeof property);
+}
 // the registration of the record definition extension (as "r")
 const recordDefinition = (id, highByte) => {
-	let structure = read().map(property => property.toString()) // ensure that all keys are strings and that the array is mutable
+	let structure = read().map(asSafeString) // ensure that all keys are strings and
+	// that the array is mutable
 	let firstByte = id
 	if (highByte !== undefined) {
 		id = id < 32 ? -((highByte << 5) + id) : ((highByte << 5) + id)
@@ -1002,11 +1010,12 @@ currentExtensions[0x42] = (data) => {
 let errors = { Error, TypeError, ReferenceError };
 currentExtensions[0x65] = () => {
 	let data = read()
-	return (errors[data[0]] || Error)(data[1])
+	return (errors[data[0]] || Error)(data[1], { cause: data[2] })
 }
 currentExtensions[0x69] = (data) => {
 	// id extension (for structured clones)
+	if (currentUnpackr.structuredClone === false) throw new Error('Structured clone extension is disabled')
 	let id = dataView.getUint32(position - 4)
 	if (!referenceMap)
 		referenceMap = new Map()
@@ -1030,6 +1039,7 @@ currentExtensions[0x69] = (data) => {
 currentExtensions[0x70] = (data) => {
 	// pointer extension (for structured clones)
+	if (currentUnpackr.structuredClone === false) throw new Error('Structured clone extension is disabled')
 	let id = dataView.getUint32(position - 4)
 	let refEntry = referenceMap.get(id)
 	refEntry.used = true
@@ -1044,8 +1054,15 @@ let glbl = typeof globalThis === 'object' ? globalThis : window;
 currentExtensions[0x74] = (data) => {
 	let typeCode = data[0]
 	let typedArrayName = typedArrays[typeCode]
-	if (!typedArrayName)
+	if (!typedArrayName) {
+		if (typeCode === 16) {
+			let ab = new ArrayBuffer(data.length - 1)
+			let u8 = new Uint8Array(ab)
+			u8.set(data.subarray(1))
+			return ab;
+		}
 		throw new Error('Could not find typed array for code ' + typeCode)
+	}
 	// we have to always slice/copy here to get a new ArrayBuffer that is word/byte aligned
 	return new glbl[typedArrayName](Uint8Array.prototype.slice.call(data, 1).buffer)
 }