npm - msgpackr - Versions diffs - 1.11.7 → 1.11.9 - Mend

msgpackr 1.11.7 → 1.11.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/index-no-eval.cjs +25 -6
package/dist/index-no-eval.cjs.map +1 -1
package/dist/index-no-eval.min.js +1 -1
package/dist/index-no-eval.min.js.map +1 -1
package/dist/index.js +25 -6
package/dist/index.js.map +1 -1
package/dist/index.min.js +1 -1
package/dist/index.min.js.map +1 -1
package/dist/node.cjs +25 -6
package/dist/node.cjs.map +1 -1
package/dist/test.js +34 -6
package/dist/test.js.map +1 -1
package/dist/unpack-no-eval.cjs +24 -5
package/dist/unpack-no-eval.cjs.map +1 -1
package/index.d.cts +2 -0
package/index.d.ts +2 -0
package/pack.js +1 -1
package/package.json +1 -1
package/unpack.js +24 -5

package/dist/test.js CHANGED Viewed

@@ -617,26 +617,45 @@
 			} else if ((byte1 & 0xe0) === 0xc0) {
 				// 2 bytes
 				const byte2 = src[position$1++] & 0x3f;
-				units.push(((byte1 & 0x1f) << 6) | byte2);
+				const codePoint = ((byte1 & 0x1f) << 6) | byte2;
+				// Reject overlong encoding: 2-byte sequences must encode values >= 0x80
+				if (codePoint < 0x80) {
+					units.push(0xFFFD); // replacement character
+				} else {
+					units.push(codePoint);
+				}
 			} else if ((byte1 & 0xf0) === 0xe0) {
 				// 3 bytes
 				const byte2 = src[position$1++] & 0x3f;
 				const byte3 = src[position$1++] & 0x3f;
-				units.push(((byte1 & 0x1f) << 12) | (byte2 << 6) | byte3);
+				const codePoint = ((byte1 & 0x1f) << 12) | (byte2 << 6) | byte3;
+				// Reject overlong encoding: 3-byte sequences must encode values >= 0x800
+				// Also reject surrogates (0xD800-0xDFFF)
+				if (codePoint < 0x800 || (codePoint >= 0xD800 && codePoint <= 0xDFFF)) {
+					units.push(0xFFFD); // replacement character
+				} else {
+					units.push(codePoint);
+				}
 			} else if ((byte1 & 0xf8) === 0xf0) {
 				// 4 bytes
 				const byte2 = src[position$1++] & 0x3f;
 				const byte3 = src[position$1++] & 0x3f;
 				const byte4 = src[position$1++] & 0x3f;
 				let unit = ((byte1 & 0x07) << 0x12) | (byte2 << 0x0c) | (byte3 << 0x06) | byte4;
-				if (unit > 0xffff) {
+				// Reject overlong encoding: 4-byte sequences must encode values >= 0x10000
+				// Also reject values > 0x10FFFF (maximum valid Unicode)
+				if (unit < 0x10000 || unit > 0x10FFFF) {
+					units.push(0xFFFD); // replacement character
+				} else if (unit > 0xffff) {
 					unit -= 0x10000;
 					units.push(((unit >>> 10) & 0x3ff) | 0xd800);
 					unit = 0xdc00 | (unit & 0x3ff);
+					units.push(unit);
+				} else {
+					units.push(unit);
 				}
-				units.push(unit);
 			} else {
-				units.push(byte1);
+				units.push(0xFFFD); // replacement character for invalid lead byte
 			}
 			if (units.length >= 0x1000) {
@@ -1338,7 +1357,7 @@
 					hasSharedUpdate = false;
 				let encodingError;
 				try {
-					if (packr.randomAccessStructure && value && value.constructor) {
+					if (packr.randomAccessStructure && value && typeof value === 'object') {
 						if (value.constructor === Object) writeStruct(value); // simple object
 						else if (value.constructor !== Map && !Array.isArray(value) && !extensionClasses.some(extClass => value instanceof extClass)) {
 							// allow user classes, if they don't need special handling (but do use toJSON if available)
@@ -3275,6 +3294,15 @@
 			var deserialized = unpack(serialized);
 			assert.equal(deserialized, data);
 		});
+		test('overlong UTF-8 string', function () {
+			const payload = Buffer.concat([
+				Buffer.from([0xa2]),         // msgpack fixstr, 2 bytes
+				Buffer.from([0xc0, 0xaf]),   // overlong "/"
+			]);
+			const result = unpack(payload);
+			assert.notEqual(result, '/');
+		});
 		test('use ArrayBuffer', function () {
 			const data = {prop: 'a test'};
 			var serialized = pack(data);