security: remove regexp vulnerable to DOS in cast option, npm report 69742

Author: wdavidw

CHANGELOG.md

@@ -7,6 +7,10 @@
 * max_comment_size: new option
 * promise: new API module
 
+## Trunk
+
+* security: remove regexp vulnerable to DOS in cast option, npm report 69742
+
 ## Version 4.4.5
 
 * ts: add buffer as allowed type for input, fix #248

lib/es5/index.js

@@ -985,21 +985,20 @@ function (_Transform) {
         }
       }
 
-      if (this.__isInt(field) === true) {
-        return [undefined, parseInt(field)];
-      } else if (this.__isFloat(field)) {
+      if (this.__isFloat(field)) {
         return [undefined, parseFloat(field)];
       } else if (this.options.cast_date !== false) {
         return [undefined, this.options.cast_date.call(null, field, context)];
       }
 
       return [undefined, field];
-    }
-  }, {
-    key: "__isInt",
-    value: function __isInt(value) {
-      return /^(\-|\+)?([1-9]+[0-9]*)$/.test(value);
-    }
+    } // Keep it in case we implement the `cast_int` option
+    // __isInt(value){
+    //   // return Number.isInteger(parseInt(value))
+    //   // return !isNaN( parseInt( obj ) );
+    //   return /^(\-|\+)?[1-9][0-9]*$/.test(value)
+    // }
+
   }, {
     key: "__isFloat",
     value: function __isFloat(value) {

lib/index.js

@@ -747,18 +747,19 @@ class Parser extends Transform {
         return [err]
       }
     }
-    if(this.__isInt(field) === true){
-      return [undefined, parseInt(field)]
-    }else if(this.__isFloat(field)){
+    if(this.__isFloat(field)){
       return [undefined, parseFloat(field)]
     }else if(this.options.cast_date !== false){
       return [undefined, this.options.cast_date.call(null, field, context)]
     }
     return [undefined, field]
   }
-  __isInt(value){
-    return /^(\-|\+)?([1-9]+[0-9]*)$/.test(value)
-  }
+  // Keep it in case we implement the `cast_int` option
+  // __isInt(value){
+  //   // return Number.isInteger(parseInt(value))
+  //   // return !isNaN( parseInt( obj ) );
+  //   return /^(\-|\+)?[1-9][0-9]*$/.test(value)
+  // }
   __isFloat(value){
     return (value - parseFloat( value ) + 1) >= 0 // Borrowed from jquery
   }

test/option.cast.coffee

@@ -31,8 +31,14 @@ describe 'Option `cast`', ->
       parser.end()
 
     it 'ints', (next) ->
-      parse '123a,123,0123,', cast: true, (err, data) ->
-        data.should.eql [ ['123a', 123, 123, ''] ]
+      parse '123a,123,+123,-123,0123,+0123,-0123,', cast: true, (err, data) ->
+        data.should.eql [ ['123a', 123, 123, -123, 123, 123, -123, ''] ]
+        next()
+
+    it 'ints isnt exposed to DOS vulnerabilities, npm security issue 69742', (next) ->
+      data = Array.from( length: 3000000 ).map( (x) -> '1' ).join('') + '!'
+      parse data, cast: true, (err, data) ->
+        data[0][0].length.should.eql 3000001
         next()
 
     it 'float', (next) ->
@@ -54,11 +60,11 @@ describe 'Option `cast`', ->
       , (err, records) ->
         records.should.eql [
           [ '2000-01-01T05:00:00.000Z', {
-            column: 1, empty_lines: 0, header: false, index: 1, 
+            column: 1, empty_lines: 0, header: false, index: 1,
             invalid_field_length: 0, lines: 1, quoting: false, records: 0
           } ]
           [ '2050-11-27T05:00:00.000Z', {
-            column: 1, empty_lines: 0, header: false, index: 1, 
+            column: 1, empty_lines: 0, header: false, index: 1,
             invalid_field_length: 0, lines: 2, quoting: false, records: 1
           } ]
         ] unless err