shelving 1.267.0 → 1.267.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -79,5 +79,8 @@ export class CloudflareKVProvider extends DBProvider {
|
|
|
79
79
|
}
|
|
80
80
|
}
|
|
81
81
|
function _getKey(collection, id) {
|
|
82
|
-
|
|
82
|
+
// Percent-encode both parts so the `:` separator is unambiguous: without this, an `id` containing `:`
|
|
83
|
+
// (e.g. collection `a` + id `b:c`) collides with a different collection/id pair (collection `a:b` + id `c`).
|
|
84
|
+
// Plain identifiers (letters, digits, `-`, `_`, `.`) are left unchanged, so keys for typical names/UUIDs are stable.
|
|
85
|
+
return `${encodeURIComponent(collection)}:${encodeURIComponent(id)}`;
|
|
83
86
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "shelving",
|
|
3
|
-
"version": "1.267.
|
|
3
|
+
"version": "1.267.2",
|
|
4
4
|
"author": "Dave Houlbrooke <dave@shax.com>",
|
|
5
5
|
"repository": {
|
|
6
6
|
"type": "git",
|
|
@@ -9,13 +9,13 @@
|
|
|
9
9
|
"main": "./index.js",
|
|
10
10
|
"module": "./index.js",
|
|
11
11
|
"devDependencies": {
|
|
12
|
-
"@biomejs/biome": "^2.5.
|
|
12
|
+
"@biomejs/biome": "^2.5.2",
|
|
13
13
|
"@google-cloud/firestore": "^8.6.0",
|
|
14
14
|
"@heroicons/react": "^2.2.0",
|
|
15
15
|
"@types/bun": "^1.3.14",
|
|
16
16
|
"@types/react": "^19.2.17",
|
|
17
17
|
"@types/react-dom": "^19.2.3",
|
|
18
|
-
"@typescript/native-preview": "^7.0.0-dev.
|
|
18
|
+
"@typescript/native-preview": "^7.0.0-dev.20260704.1",
|
|
19
19
|
"firebase": "^12.15.0",
|
|
20
20
|
"react": "^19.3.0-canary-fef12a01-20260413",
|
|
21
21
|
"react-dom": "^19.3.0-canary-fef12a01-20260413",
|
package/schema/StringSchema.js
CHANGED
|
@@ -31,12 +31,15 @@ export class StringSchema extends Schema {
|
|
|
31
31
|
if (typeof str !== "string")
|
|
32
32
|
throw value ? `Must be ${this.one}` : "Required";
|
|
33
33
|
const sane = this.sanitize(str);
|
|
34
|
+
// Enforce `max` before running `match`, so an over-length string is rejected without ever being handed to
|
|
35
|
+
// the (potentially expensive) regex — a length cap can't shield the pattern otherwise. `min` stays after
|
|
36
|
+
// `match` to preserve the existing "Invalid" precedence for short-but-malformed values.
|
|
37
|
+
if (sane.length > this.max)
|
|
38
|
+
throw `Maximum ${this.max} characters`;
|
|
34
39
|
if (this.match && !this.match.test(sane))
|
|
35
40
|
throw str.length ? `Invalid ${this.one}` : "Required";
|
|
36
41
|
if (sane.length < this.min)
|
|
37
42
|
throw str.length ? `Minimum ${this.min} characters` : "Required";
|
|
38
|
-
if (sane.length > this.max)
|
|
39
|
-
throw `Maximum ${this.max} characters`;
|
|
40
43
|
return sane;
|
|
41
44
|
}
|
|
42
45
|
/**
|
package/util/crypto.js
CHANGED
|
@@ -4,6 +4,7 @@ import { requireBytes } from "./bytes.js";
|
|
|
4
4
|
// Constants.
|
|
5
5
|
const ALGORITHM = { name: "PBKDF2", hash: "SHA-512" };
|
|
6
6
|
const ITERATIONS = 500000;
|
|
7
|
+
const MAX_ITERATIONS = 10000000; // Upper bound on iterations accepted from a stored hash — guards against a malicious hash forcing an arbitrarily expensive derivation (DoS). Comfortably above the 500k default.
|
|
7
8
|
const SALT_LENGTH = 16; // 16 bytes = 128 bits
|
|
8
9
|
const HASH_LENGTH = 64; // 64 bytes = 512 bits
|
|
9
10
|
const PASSWORD_LENGTH = 6;
|
|
@@ -42,8 +43,8 @@ export async function hashPassword(password, iterations = ITERATIONS) {
|
|
|
42
43
|
received: password.length,
|
|
43
44
|
caller: hashPassword,
|
|
44
45
|
});
|
|
45
|
-
if (iterations < 1)
|
|
46
|
-
throw new ValueError(
|
|
46
|
+
if (iterations < 1 || iterations > MAX_ITERATIONS)
|
|
47
|
+
throw new ValueError(`Iterations must be between 1 and ${MAX_ITERATIONS}`, { received: iterations, caller: hashPassword });
|
|
47
48
|
// Hash the password.
|
|
48
49
|
const key = await _getKey(password);
|
|
49
50
|
const salt = getRandomBytes(SALT_LENGTH);
|
|
@@ -70,7 +71,7 @@ export async function verifyPassword(password, hash) {
|
|
|
70
71
|
const hashBytes = decodeBase64URLBytes(h);
|
|
71
72
|
// Check iterations.
|
|
72
73
|
const iterations = Number.parseInt(i, 10);
|
|
73
|
-
if (!Number.isFinite(iterations) || iterations < 1)
|
|
74
|
+
if (!Number.isFinite(iterations) || iterations < 1 || iterations > MAX_ITERATIONS)
|
|
74
75
|
return false;
|
|
75
76
|
// Derive the hash.
|
|
76
77
|
const key = await _getKey(password);
|
package/util/validate.js
CHANGED
|
@@ -124,7 +124,10 @@ export function validateArray(unsafeArray, validator) {
|
|
|
124
124
|
*/
|
|
125
125
|
export function validateDictionary(unsafeDictionary, validator) {
|
|
126
126
|
let changed = false;
|
|
127
|
-
|
|
127
|
+
// Null-prototype accumulator: an untrusted `"__proto__"` key (or `"constructor"`) then becomes an inert own
|
|
128
|
+
// property instead of invoking the inherited `__proto__` setter, so a crafted `{ "__proto__": … }` input can't
|
|
129
|
+
// reassign the returned dictionary's prototype, and the entry stays enumerable so `min`/`max` counts are correct.
|
|
130
|
+
const safeDictionary = Object.create(null);
|
|
128
131
|
const messages = [];
|
|
129
132
|
for (const [key, unsafeValue] of getDictionaryItems(unsafeDictionary)) {
|
|
130
133
|
try {
|