npm - pulse-js-framework - Versions diffs - 1.5.1 → 1.5.3 - Mend

pulse-js-framework 1.5.1 → 1.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/runtime/store.js CHANGED Viewed

@@ -20,6 +20,12 @@ import { loggers, createLogger } from './logger.js';
 const log = loggers.store;
+/**
+ * Maximum nesting depth for nested objects to prevent abuse
+ * @type {number}
+ */
+const MAX_NESTING_DEPTH = 10;
 /**
  * @typedef {Object} StoreOptions
  * @property {boolean} [persist=false] - Persist state to localStorage
@@ -46,6 +52,102 @@ const log = loggers.store;
  * @typedef {function(Store): Store} StorePlugin
  */
+/**
+ * Dangerous property names that could cause prototype pollution
+ * @type {Set<string>}
+ */
+const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+/**
+ * Invalid value types that cannot be stored in state
+ * @type {Set<string>}
+ */
+const INVALID_TYPES = new Set(['function', 'symbol']);
+/**
+ * Validate state values, rejecting functions, symbols, and circular references
+ * @private
+ * @param {*} value - Value to validate
+ * @param {string} path - Current path for error messages
+ * @param {WeakSet} seen - Set of objects already visited (for circular detection)
+ * @throws {TypeError} If value contains invalid types or circular references
+ */
+function validateStateValue(value, path = 'state', seen = new WeakSet()) {
+  const valueType = typeof value;
+  // Check for invalid types
+  if (INVALID_TYPES.has(valueType)) {
+    throw new TypeError(
+      `Invalid state value at "${path}": ${valueType}s cannot be stored in state. ` +
+      `State values must be primitives, arrays, or plain objects.`
+    );
+  }
+  // Check objects for circular references and nested invalid types
+  if (value !== null && valueType === 'object') {
+    // Check for circular reference
+    if (seen.has(value)) {
+      throw new TypeError(
+        `Circular reference detected at "${path}". ` +
+        `State must not contain circular references.`
+      );
+    }
+    seen.add(value);
+    // Validate array elements
+    if (Array.isArray(value)) {
+      for (let i = 0; i < value.length; i++) {
+        validateStateValue(value[i], `${path}[${i}]`, seen);
+      }
+    } else {
+      // Validate object properties
+      for (const [key, val] of Object.entries(value)) {
+        validateStateValue(val, `${path}.${key}`, seen);
+      }
+    }
+  }
+}
+/**
+ * Safely deserialize persisted state, preventing prototype pollution
+ * and property injection attacks.
+ * @private
+ * @param {Object} savedState - The parsed JSON state
+ * @param {Object} schema - The initial state defining allowed keys
+ * @returns {Object} Sanitized state object
+ */
+function safeDeserialize(savedState, schema) {
+  if (typeof savedState !== 'object' || savedState === null || Array.isArray(savedState)) {
+    return {};
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(savedState)) {
+    // Block dangerous keys that could pollute prototypes
+    if (DANGEROUS_KEYS.has(key)) {
+      log.warn(`Blocked potentially dangerous key in persisted state: "${key}"`);
+      continue;
+    }
+    // Only allow keys that exist in the schema (initial state)
+    if (!(key in schema)) {
+      continue;
+    }
+    // Recursively validate nested objects
+    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+      if (typeof schema[key] === 'object' && schema[key] !== null && !Array.isArray(schema[key])) {
+        result[key] = safeDeserialize(value, schema[key]);
+      }
+      // If schema expects primitive but got object, skip it
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
 /**
  * Create a global store with reactive state properties.
  * @template T
@@ -70,13 +172,18 @@ const log = loggers.store;
 export function createStore(initialState = {}, options = {}) {
   const { persist = false, storageKey = 'pulse-store' } = options;
+  // Validate initial state
+  validateStateValue(initialState, 'initialState');
   // Load persisted state if enabled
   let state = initialState;
   if (persist && typeof localStorage !== 'undefined') {
     try {
       const saved = localStorage.getItem(storageKey);
       if (saved) {
-        state = { ...initialState, ...JSON.parse(saved) };
+        const parsed = JSON.parse(saved);
+        const sanitized = safeDeserialize(parsed, initialState);
+        state = { ...initialState, ...sanitized };
       }
     } catch (e) {
       log.warn('Failed to load persisted state:', e);
@@ -93,9 +200,18 @@ export function createStore(initialState = {}, options = {}) {
    * @private
    * @param {string} key - State key
    * @param {*} value - Initial value
+   * @param {number} [depth=0] - Current nesting depth
    * @returns {Pulse|Object} Pulse or nested object of pulses
    */
-  function createPulse(key, value) {
+  function createPulse(key, value, depth = 0) {
+    // Prevent excessive nesting depth
+    if (depth > MAX_NESTING_DEPTH) {
+      log.warn(`Max nesting depth (${MAX_NESTING_DEPTH}) exceeded for key: "${key}". Flattening to single pulse.`);
+      const p = pulse(value);
+      pulses[key] = p;
+      return p;
+    }
     if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
       // Create a pulse for the nested object itself (for $setState support)
       const objectPulse = pulse(value);
@@ -104,7 +220,7 @@ export function createStore(initialState = {}, options = {}) {
       // Also create nested pulses for individual properties
       const nested = {};
       for (const [k, v] of Object.entries(value)) {
-        nested[k] = createPulse(`${key}.${k}`, v);
+        nested[k] = createPulse(`${key}.${k}`, v, depth + 1);
       }
       return nested;
     }
@@ -119,6 +235,15 @@ export function createStore(initialState = {}, options = {}) {
     store[key] = createPulse(key, value);
   }
+  // Sync nested pulses for persisted state to ensure consistency
+  if (persist && typeof localStorage !== 'undefined') {
+    for (const [key, value] of Object.entries(state)) {
+      if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+        updateNestedPulses(key, value);
+      }
+    }
+  }
   // Persist state changes
   if (persist) {
     effect(() => {

package/runtime/utils.js CHANGED Viewed

@@ -22,10 +22,10 @@ const HTML_ESCAPES = {
 };
 /**
- * Regex for HTML special characters
+ * Regex for HTML special characters (auto-generated from HTML_ESCAPES keys)
  * @private
  */
-const HTML_ESCAPE_REGEX = /[&<>"']/g;
+const HTML_ESCAPE_REGEX = new RegExp(`[${Object.keys(HTML_ESCAPES).join('')}]`, 'g');
 /**
  * Escape HTML special characters to prevent XSS attacks.