ueberdb2 3.0.1 → 4.0.1

package/CHANGELOG.md

@@ -1,11 +1,49 @@
 # Notable Changes
 
+## v4.0.1
+
+Security fix:
+
+  * `getSub()` now returns `null` when it encounters a non-"own" property
+    (including `__proto__`) or any non-object while walking the given property
+    path. This should make it easier to avoid accidental prototype pollution
+    vulnerabilities.
+
+## v4.0.0
+
+Compatibility changes:
+
+  * `redis`: The `socket` and `client_options` settings, deprecated since
+    v1.3.1, have been removed.
+  * `redis`: The client configuration object has changed with the new version of
+    the `redis` client library. See the [`redis` client library
+    documentation](https://github.com/redis/node-redis/blob/redis%404.1.0/docs/client-configuration.md)
+    for details.
+
+Bug fixes:
+
+  * `redis`: Several `findKeys()` fixes.
+
+Updated database dependencies:
+
+  * `redis`: Updated `redis` from 3.1.2 to 4.1.0.
+
+## v3.0.2
+
+Security fix:
+
+  * `getSub()` now returns `null` when it encounters a non-"own" property
+    (including `__proto__`) or any non-object while walking the given property
+    path. This should make it easier to avoid accidental prototype pollution
+    vulnerabilities.
+
 ## v3.0.1
 
 Bug fixes:
 
   * Fixed `findKeys()` calls containing special regular expression characters
-    for those database drivers that use the glob-to-regex helper function.
+    (applicable to the database drivers that use the glob-to-regex helper
+    function).
 
 ## v3.0.0
 
@@ -17,8 +55,12 @@ Compatibility changes:
     the `migrate_to_newer_schema` option to `true`.
   * As mentioned in the v2.2.0 changes, passing callbacks to the database
     methods is deprecated. Use the returned Promises instead.
-  * As mentioned in the v1.4.15 changes, `postgrespool` is deprecated. Use
-    `postgres` instead.
+  * `postgrespool`: As mentioned in the v1.4.15 changes, `postgrespool` is
+    deprecated. Use `postgres` instead.
+  * `redis`: As mentioned in the v1.3.1 changes, the `socket` and
+    `client_options` settings are deprecated. Pass the [client options
+    object](https://www.npmjs.com/package/redis/v/3.1.2#options-object-properties)
+    directly.
 
 Bug fixes:
 
@@ -33,6 +75,15 @@ Updated database dependencies:
   * `postgres`: Updated `pg` to 8.7.3.
   * `sqlite`: Updated `sqlite3` to 5.0.6.
 
+## v2.2.4
+
+Security fix:
+
+  * `getSub()` now returns `null` when it encounters a non-"own" property
+    (including `__proto__`) or any non-object while walking the given property
+    path. This should make it easier to avoid accidental prototype pollution
+    vulnerabilities.
+
 ## v2.2.0
 
 Compatibility changes:

package/README.md

@@ -272,16 +272,8 @@ You should create your database as utf8mb4_bin.
 If you enabled TLS on your Redis database (available since Redis 6.0) you will
 need to change your connections parameters, here is an example:
 
-```
-settings:
-    {
-      host:
-      port: rediss://<redis_database_address>:<redis_database_port>
-      socket:
-      database:
-      password:
-      client_options
-    }
+```javascript
+const db = new ueberdb.Database('redis', {url: 'rediss://localhost'});
 ```
 
 Do not provide a `host` value.

package/databases/redis_db.js

@@ -1,5 +1,4 @@
 'use strict';
-/* eslint new-cap: ["error", {"capIsNewExceptions": ["KEYS", "SMEMBERS"]}] */
 
 /**
  * 2011 Peter 'Pita' Martischka
@@ -18,111 +17,80 @@
  */
 
 const AbstractDatabase = require('../lib/AbstractDatabase');
-const async = require('async');
 const redis = require('redis');
 
 exports.Database = class extends AbstractDatabase {
   constructor(settings) {
     super();
-    this.client = null;
+    this._client = null;
     this.settings = settings || {};
   }
 
-  auth(callback) {
-    if (!this.settings.password) return callback();
-    this.client.auth(this.settings.password, callback);
-  }
-
-  select(callback) {
-    if (!this.settings.database) return callback();
-    this.client.select(this.settings.database, callback);
-  }
+  get isAsync() { return true; }
 
-  _deprecatedInit(callback) {
-    if (this.settings.socket) {
-      // Deprecated, but kept for backwards compatibility.
-      this.client = redis.createClient(this.settings.socket,
-          this.settings.client_options);
-    } else {
-      // Deprecated, but kept for backwards compatibility.
-      this.client = redis.createClient(this.settings.port,
-          this.settings.host, this.settings.client_options);
-    }
-
-    this.client.database = this.settings.database;
-    async.waterfall([this.auth.bind(this), this.select.bind(this)], callback);
+  async init() {
+    this._client = redis.createClient(this.settings);
+    await this._client.connect();
+    await this._client.ping();
   }
 
-  init(callback) {
-    if (this.settings.socket || this.settings.client_options) return this._deprecatedInit(callback);
-    this.client = redis.createClient(this.settings);
-    callback();
+  async get(key) {
+    return await this._client.get(key);
   }
 
-  get(key, callback) {
-    this.client.get(key, callback);
-  }
-
-  findKeys(key, notKey, callback) {
-    // As redis provides only limited support for getting a list of all
-    // available keys we have to limit key and notKey here.
-    // See http://redis.io/commands/keys
-    if (notKey == null) {
-      this.client.KEYS(key, callback);
-    } else if (notKey === '*:*:*') {
-      // restrict key to format "text:*"
-      const matches = /^([^:]+):\*$/.exec(key);
-      if (matches) {
-        this.client.SMEMBERS(`ueberDB:keys:${matches[1]}`, callback);
-      } else {
-        const msg = 'redis db only supports key patterns like pad:* when notKey is set to *:*:*';
-        callback(new Error(msg), null);
-      }
-    } else {
-      callback(new Error('redis db currently only supports *:*:* as notKey'), null);
+  async findKeys(key, notKey) {
+    const [type] = /^([^:*]+):\*$/.exec(key) || [];
+    if (type != null && ['*:*:*', `${key}:*`].includes(notKey)) {
+      // Performance optimization for a common Etherpad case.
+      return await this._client.sMembers(`ueberDB:keys:${type}`);
+    }
+    let keys = await this._client.keys(key.replace(/[?[\]\\]/g, '\\$&'));
+    if (notKey != null) {
+      const regex = this.createFindRegex(key, notKey);
+      keys = keys.filter((k) => regex.test(k));
     }
+    return keys;
   }
 
-  set(key, value, callback) {
+  async set(key, value) {
     const matches = /^([^:]+):([^:]+)$/.exec(key);
-    if (matches) {
-      this.client.sadd([`ueberDB:keys:${matches[1]}`, matches[0]]);
-    }
-    this.client.set(key, value, callback);
+    await Promise.all([
+      matches && this._client.sAdd(`ueberDB:keys:${matches[1]}`, matches[0]),
+      this._client.set(key, value),
+    ]);
   }
 
-  remove(key, callback) {
+  async remove(key) {
     const matches = /^([^:]+):([^:]+)$/.exec(key);
-    if (matches) {
-      this.client.srem([`ueberDB:keys:${matches[1]}`, matches[0]]);
-    }
-    this.client.del(key, callback);
+    await Promise.all([
+      matches && this._client.sRem(`ueberDB:keys:${matches[1]}`, matches[0]),
+      this._client.del(key),
+    ]);
   }
 
-  doBulk(bulk, callback) {
-    const multi = this.client.multi();
+  async doBulk(bulk) {
+    const multi = this._client.multi();
 
     for (const {key, type, value} of bulk) {
       const matches = /^([^:]+):([^:]+)$/.exec(key);
       if (type === 'set') {
         if (matches) {
-          multi.sadd([`ueberDB:keys:${matches[1]}`, matches[0]]);
+          multi.sAdd(`ueberDB:keys:${matches[1]}`, matches[0]);
         }
         multi.set(key, value);
       } else if (type === 'remove') {
         if (matches) {
-          multi.srem([`ueberDB:keys:${matches[1]}`, matches[0]]);
+          multi.sRem(`ueberDB:keys:${matches[1]}`, matches[0]);
         }
         multi.del(key);
       }
     }
 
-    multi.exec(callback);
+    await multi.exec();
   }
 
-  close(callback) {
-    this.client.quit(() => {
-      callback();
-    });
+  async close() {
+    await this._client.quit();
+    this._client = null;
   }
 };

package/lib/CacheAndBufferLayer.js

@@ -508,33 +508,27 @@ exports.Database = class {
    *     "bla"]
    */
   async getSub(key, sub) {
-    let subvalue;
     await this._lock(key);
     try {
-      // get the full value
-      const value = await this._getLocked(key);
-
-      // everything is correct, navigate to the subvalue and return it
-      subvalue = value;
-
-      for (let i = 0; i < sub.length; i++) {
-        // test if the subvalue exist
-        if (subvalue != null && subvalue[sub[i]] !== undefined) {
-          subvalue = subvalue[sub[i]];
-        } else {
-          // the subvalue doesn't exist, break the loop and return null
-          subvalue = null;
-          break;
+      let v = await this._getLocked(key);
+      for (const k of sub) {
+        if (typeof v !== 'object' || (v != null && !Object.prototype.hasOwnProperty.call(v, k)) ||
+            // __proto__ is not an "own" property but we check for it explicitly for added safety,
+            // to improve readability, and to help static code analysis tools rule out prototype
+            // pollution vulnerabilities.
+            k === '__proto__') {
+          v = null;
         }
+        if (v == null) break;
+        v = v[k];
       }
-
       if (this.logger.isDebugEnabled()) {
-        this.logger.debug(`GETSUB - ${key}${JSON.stringify(sub)} - ${JSON.stringify(subvalue)}`);
+        this.logger.debug(`GETSUB - ${key}${JSON.stringify(sub)} - ${JSON.stringify(v)}`);
       }
+      return clone(v);
     } finally {
       this._unlock(key);
     }
-    return clone(subvalue);
   }
 
   /**

package/package.json

@@ -30,7 +30,7 @@
     "mysql": "2.18.1",
     "nano": "^10.0.0",
     "pg": "^8.7.3",
-    "redis": "^3.1.2",
+    "redis": "^4.1.0",
     "rethinkdb": "^2.4.2",
     "simple-git": "^3.7.1"
   },
@@ -51,7 +51,7 @@
     "url": "https://github.com/ether/ueberDB.git"
   },
   "main": "./index",
-  "version": "3.0.1",
+  "version": "4.0.1",
   "bugs": {
     "url": "https://github.com/ether/ueberDB/issues"
   },

package/test/test.js

@@ -142,7 +142,6 @@ describe(__filename, function () {
 
               it('findKeys with exclusion works', async function () {
                 if (database === 'mongodb') this.skip(); // TODO: Fix mongodb.
-                if (database === 'redis') this.skip(); // TODO: Fix redis.
                 const key = new Randexp(/([a-z]\w{0,20})foo\1/).gen();
                 await Promise.all([
                   db.set(key, true),

package/test/test_getSub.js

@@ -0,0 +1,31 @@
+'use strict';
+
+const assert = require('assert').strict;
+const ueberdb = require('../index');
+
+describe(__filename, function () {
+  let db;
+
+  beforeEach(async function () {
+    db = new ueberdb.Database('memory', {}, {});
+    await db.init();
+    await db.set('k', {s: 'v'});
+  });
+
+  afterEach(async function () {
+    if (db != null) await db.close();
+    db = null;
+  });
+
+  it('getSub stops at non-objects', async function () {
+    assert(await db.getSub('k', ['s', 'length']) == null);
+  });
+
+  it('getSub ignores non-own properties', async function () {
+    assert(await db.getSub('k', ['toString']) == null);
+  });
+
+  it('getSub ignores __proto__', async function () {
+    assert(await db.getSub('k', ['__proto__']) == null);
+  });
+});

package/test/test_setSub.js

@@ -4,9 +4,19 @@ const assert = require('assert').strict;
 const ueberdb = require('../index');
 
 describe(__filename, function () {
-  it('setSub rejects __proto__', async function () {
-    const db = new ueberdb.Database('memory', {}, {});
+  let db;
+
+  beforeEach(async function () {
+    db = new ueberdb.Database('memory', {}, {});
     await db.init();
+  });
+
+  afterEach(async function () {
+    if (db != null) await db.close();
+    db = null;
+  });
+
+  it('setSub rejects __proto__', async function () {
     await db.set('k', {});
     await assert.rejects(db.setSub('k', ['__proto__'], 'v'));
   });