Skip to content

Commit

Permalink
use Object.create(null) to create all parsed objects (prevent prototy…
Browse files Browse the repository at this point in the history 
…pe replacement)
  • Loading branch information
@autopulated
autopulated committed Mar 2, 2021
1 parent 1832e0b commit 581b19a
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 20 deletions.
10 changes: 5 additions & 5 deletions lib/parser.js
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 5 additions & 5 deletions src/parser.coffee
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,12 +102,12 @@ class exports.Parser extends events
charkey = @options.charkey

@saxParser.onopentag = (node) =>
obj = {}
obj = Object.create(null)

This comment has been minimized.

Sign in to view

Copy link
@guimard

guimard Apr 25, 2023

Hi, it should be Object.create({}) else prototype of obj is "null", then it may break should tests. For example, try to launch test on node-rest-client.

This comment has been minimized.

Sign in to view

Copy link
@Leonidas-from-XIV

Leonidas-from-XIV Apr 25, 2023

Owner

Yes, we are deliberately creating an object without prototype to fix a CVE.
obj[charkey] = ""
unless @options.ignoreAttrs
for own key of node.attributes
if attrkey not of obj and not @options.mergeAttrs
obj[attrkey] = {}
obj[attrkey] = Object.create(null)

This comment has been minimized.

Sign in to view

Copy link
@guimard

guimard Apr 25, 2023

Same for all replacement of {} by Object.create(null) instead of Object.create({})

This comment has been minimized.

Sign in to view

Copy link
@Leonidas-from-XIV

Leonidas-from-XIV Apr 25, 2023

Owner

Does it fix the CVE though?
newValue = if @options.attrValueProcessors then processItem(@options.attrValueProcessors, node.attributes[key], key) else node.attributes[key]
processedKey = if @options.attrNameProcessors then processItem(@options.attrNameProcessors, key) else key
if @options.mergeAttrs
Expand Down Expand Up @@ -163,7 +163,7 @@ class exports.Parser extends events
# put children into <childkey> property and unfold chars if necessary
if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
if not @options.preserveChildrenOrder
node = {}
node = Object.create(null)
# separate attributes
if @options.attrkey of obj
node[@options.attrkey] = obj[@options.attrkey]
Expand All @@ -181,7 +181,7 @@ class exports.Parser extends events
# append current node onto parent's <childKey> array
s[@options.childkey] = s[@options.childkey] or []
# push a clone so that the node in the children array can receive the #name property while the original obj can do without it
objClone = {}
objClone = Object.create(null)
for own key of obj
objClone[key] = obj[key]
s[@options.childkey].push objClone
Expand All @@ -198,7 +198,7 @@ class exports.Parser extends events
if @options.explicitRoot
# avoid circular references
old = obj
obj = {}
obj = Object.create(null)
obj[nodeName] = old

@resultObject = obj
Expand Down
20 changes: 10 additions & 10 deletions test/parser.test.coffee
View file
Original file line number Diff line number Diff line change
Expand Up @@ -547,13 +547,13 @@ module.exports =

'test single attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase], (r)->
console.log 'Result object: ' + util.inspect r, false, 10
equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR'), true
equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWERCASEATTR'), true)
equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAMELCASEATTR'), true
equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWERCASEATTR'), true)

'test multiple attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase, nameCutoff], (r)->
console.log 'Result object: ' + util.inspect r, false, 10
equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAME'), true
equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWE'), true)
equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAME'), true
equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWE'), true)

'test single attrValueProcessors': skeleton(attrValueProcessors: [nameToUpperCase], (r)->
console.log 'Result object: ' + util.inspect r, false, 10
Expand All @@ -575,21 +575,21 @@ module.exports =

'test single tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase], (r)->
console.log 'Result object: ' + util.inspect r, false, 10
equ r.hasOwnProperty('SAMPLE'), true
equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true)
equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true)

'test single tagNameProcessors in simple callback': (test) ->
fs.readFile fileName, (err, data) ->
xml2js.parseString data, tagNameProcessors: [nameToUpperCase], (err, r)->
console.log 'Result object: ' + util.inspect r, false, 10
equ r.hasOwnProperty('SAMPLE'), true
equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true
equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true
test.finish()

'test multiple tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase, nameCutoff], (r)->
console.log 'Result object: ' + util.inspect r, false, 10
equ r.hasOwnProperty('SAMP'), true
equ r.SAMP.hasOwnProperty('TAGN'), true)
equ {}.hasOwnProperty.call(r, 'SAMP'), true
equ {}.hasOwnProperty.call(r.SAMP, 'TAGN'), true)

'test attrValueProcessors key param': skeleton(attrValueProcessors: [replaceValueByName], (r)->
console.log 'Result object: ' + util.inspect r, false, 10
Expand Down

0 comments on commit 581b19a

Please sign in to comment.