Merge pull request from GHSA-2hj9-hg84-7g3w

Fix escaping of unsafe characters in `Error` objects and property names

Author: commenthol

.eslintignore

@@ -1,2 +1,3 @@
 coverage/*
-tmp/*
+tmp
+lib

.gitignore

@@ -3,6 +3,7 @@ coverage/
 .nyc_output/
 doc/
 tmp/
+lib/
 *.log
 *.tgz
 *.sh

README.md

@@ -25,7 +25,7 @@ The following Objects are supported
 
 > **Note:** Version >3.0.0 has moved the serializeToModule method into its own
 > package at [serialize-to-module][]  
->
+> 
 > Migrating from 2.x to 3.x for serialize:
 > ```js
 > // v2.x
@@ -40,6 +40,7 @@ The following Objects are supported
 
 * [Methods](#methods)
   * [serialize](#serialize)
+  * [serializeToModule](#serializetomodule)
 * [Contribution and License Agreement](#contribution-and-license-agreement)
 * [License](#license)
 

package.json

@@ -18,20 +18,30 @@
   "license": "MIT",
   "author": "commenthol <commenthol@gmail.com>",
   "main": "lib",
+  "module": "src",
   "directories": {
     "lib": "lib",
     "test": "test"
   },
   "scripts": {
-    "all": "npm run lint && npm test",
-    "clean": "rimraf doc coverage .nyc_output node_modules *.tgz",
+    "all": "npm run clean && npm run lint && npm run build &&  npm test",
+    "build": "babel -d lib src",
+    "clean": "rimraf lib doc coverage .nyc_output *.tgz",
     "coverage": "nyc -r text -r html npm test",
-    "lint": "eslint lib test",
+    "lint": "eslint src test",
     "prepublishOnly": "npm run all",
     "readme": "markedpp --githubid -i README.md -o README.md",
     "test": "mocha"
   },
+  "babel": {
+    "presets": [
+      "@babel/preset-env"
+    ]
+  },
   "eslintConfig": {
+    "env": {
+      "mocha": true
+    },
     "extends": "standard",
     "plugins": [
       "standard"
@@ -42,15 +52,18 @@
   },
   "dependencies": {},
   "devDependencies": {
-    "eslint": "^5.16.0",
-    "eslint-config-standard": "^12.0.0",
-    "eslint-plugin-import": "^2.17.2",
-    "eslint-plugin-node": "^9.1.0",
-    "eslint-plugin-promise": "^4.1.1",
-    "eslint-plugin-standard": "^4.0.0",
-    "mocha": "^6.1.4",
+    "@babel/cli": "^7.7.5",
+    "@babel/core": "^7.7.5",
+    "@babel/preset-env": "^7.7.6",
+    "eslint": "^6.7.2",
+    "eslint-config-standard": "^14.1.0",
+    "eslint-plugin-import": "^2.19.1",
+    "eslint-plugin-node": "^10.0.0",
+    "eslint-plugin-promise": "^4.2.1",
+    "eslint-plugin-standard": "^4.0.1",
+    "mocha": "^6.2.2",
     "nyc": "^14.1.1",
-    "rimraf": "^2.6.3"
+    "rimraf": "^3.0.0"
   },
   "engines": {
     "node": ">=4.0.0"

lib/index.js renamed to src/index.js

@@ -6,15 +6,15 @@
 'use strict'
 
 // dependencies
-var util = require('./internal/utils')
-var Ref = require('./internal/reference')
+const utils = require('./internal/utils')
+const Ref = require('./internal/reference')
 
 /**
  * serializes an object to javascript
  *
  * @example <caption>serializing regex, date, buffer, ...</caption>
- * var serialize = require('serialize-to-js').serialize;
- * var obj = {
+ * const serialize = require('serialize-to-js').serialize;
+ * const obj = {
  *   str: '<script>var a = 0 > 1</script>',
  *   num: 3.1415,
  *   bool: true,
@@ -30,10 +30,10 @@ var Ref = require('./internal/reference')
  * // > {str: "\u003Cscript\u003Evar a = 0 \u003E 1\u003C\u002Fscript\u003E", num: 3.1415, bool: true, nil: null, undef: undefined, obj: {foo: "bar"}, arr: [1, "2"], regexp: /^test?$/, date: new Date("2016-04-15T16:22:52.009Z"), buffer: new Buffer('ZGF0YQ==', 'base64')}
  *
  * @example <caption>serializing while respecting references</caption>
- * var serialize = require('serialize-to-js').serialize;
- * var obj = { object: { regexp: /^test?$/ } };
+ * const serialize = require('serialize-to-js').serialize;
+ * const obj = { object: { regexp: /^test?$/ } };
  * obj.reference = obj.object;
- * var opts = { reference: true };
+ * const opts = { reference: true };
  * console.log(serialize(obj, opts));
  * //> {object: {regexp: /^test?$/}}
  * console.log(opts.references);
@@ -47,84 +47,78 @@ var Ref = require('./internal/reference')
  * @return {String} serialized representation of `source`
  */
 function serialize (source, opts) {
-  var out = ''
-  var key
-  var tmp
-  var type
-  var i
+  let type
 
   opts = opts || {}
   if (!opts._visited) {
     opts._visited = []
   }
   if (!opts._refs) {
     opts.references = []
-    opts._refs = new Ref(opts.references)
+    opts._refs = new Ref(opts.references, opts)
   }
 
-  if (util.isNull(source)) {
-    out += 'null'
-  } else if (util.isArray(source)) {
-    tmp = source.map(function (item) {
-      return serialize(item, opts)
-    })
-    out += '[' + tmp.join(', ') + ']'
-  } else if (util.isFunction(source)) {
-    tmp = source.toString()
+  if (utils.isNull(source)) {
+    return 'null'
+  } else if (Array.isArray(source)) {
+    const tmp = source.map(item => serialize(item, opts))
+    return `[${tmp.join(', ')}]`
+  } else if (utils.isFunction(source)) {
+    // serializes functions only in unsafe mode!
+    const _tmp = source.toString()
+    const tmp = opts.unsafe ? _tmp : utils.saferFunctionString(_tmp, opts)
     // append function to es6 function within obj
-    out += !/^\s*(function|\([^)]*\)\s*=>)/m.test(tmp) ? 'function ' + tmp : tmp
-  } else if (util.isObject(source)) {
-    if (util.isRegExp(source)) {
-      out += 'new RegExp(' + serialize(source.source) + ', "' + source.flags + '")'
-    } else if (util.isDate(source)) {
-      out += 'new Date("' + source.toJSON() + '")'
-    } else if (util.isError(source)) {
-      out += 'new Error(' + (source.message ? '"' + source.message + '"' : '') + ')'
-    } else if (util.isBuffer(source)) {
+    return !/^\s*(function|\([^)]*?\)\s*=>)/m.test(tmp) ? 'function ' + tmp : tmp
+  } else if (utils.isObject(source)) {
+    if (utils.isRegExp(source)) {
+      return `new RegExp(${utils.quote(source.source, opts)}, "${source.flags}")`
+    } else if (utils.isDate(source)) {
+      return `new Date(${utils.quote(source.toJSON(), opts)})`
+    } else if (utils.isError(source)) {
+      return `new Error(${utils.quote(source.message, opts)})`
+    } else if (utils.isBuffer(source)) {
       // check for buffer first otherwise tests fail on node@4.4
       // looks like buffers are accidentially detected as typed arrays
-      out += "Buffer.from('" + source.toString('base64') + "', 'base64')"
-    } else if ((type = util.isTypedArray(source))) {
-      tmp = []
-      for (i = 0; i < source.length; i++) {
+      return `Buffer.from('${source.toString('base64')}', 'base64')`
+    } else if ((type = utils.isTypedArray(source))) {
+      const tmp = []
+      for (let i = 0; i < source.length; i++) {
         tmp.push(source[i])
       }
-      out += 'new ' + type + '(' +
-        '[' + tmp.join(', ') + ']' +
-        ')'
+      return `new ${type}([${tmp.join(', ')}])`
     } else {
-      tmp = []
+      const tmp = []
       // copy properties if not circular
       if (!~opts._visited.indexOf(source)) {
         opts._visited.push(source)
-        for (key in source) {
-          if (source.hasOwnProperty(key)) {
-            if (opts.reference && util.isObject(source[key])) {
+        for (const key in source) {
+          if (Object.prototype.hasOwnProperty.call(source, key)) {
+            if (opts.reference && utils.isObject(source[key])) {
               opts._refs.push(key)
               if (!opts._refs.hasReference(source[key])) {
-                tmp.push(Ref.wrapkey(key) + ': ' + serialize(source[key], opts))
+                tmp.push(Ref.wrapkey(key, opts) + ': ' + serialize(source[key], opts))
               }
               opts._refs.pop()
             } else {
-              tmp.push(Ref.wrapkey(key) + ': ' + serialize(source[key], opts))
+              tmp.push(Ref.wrapkey(key, opts) + ': ' + serialize(source[key], opts))
             }
           }
         }
-        out += '{' + tmp.join(', ') + '}'
         opts._visited.pop()
+        return `{${tmp.join(', ')}}`
       } else {
         if (opts.ignoreCircular) {
-          out += '{/*[Circular]*/}'
+          return '{/*[Circular]*/}'
         } else {
           throw new Error('can not convert circular structures.')
         }
       }
     }
-  } else if (util.isString(source)) {
-    out += '"' + (opts.unsafe ? util.unsafeString(source) : util.safeString(source)) + '"'
+  } else if (utils.isString(source)) {
+    return utils.quote(source, opts)
   } else {
-    out += '' + source
+    return '' + source
   }
-  return out
 }
+
 module.exports = serialize

lib/internal/reference.js renamed to src/internal/reference.js

@@ -5,18 +5,22 @@
 
 'use strict'
 
-var KEY = /^[a-zA-Z$_][a-zA-Z$_0-9]*$/
+const utils = require('./utils')
+
+const KEY = /^[a-zA-Z$_][a-zA-Z$_0-9]*$/
 
 /**
  * handle references
  * @constructor
  * @param {Object} references
+ * @param {boolean} opts.unsafe
  */
-function Ref (references) {
+function Ref (references, opts) {
   this.keys = []
   this.refs = []
   this.key = []
   this.references = references || []
+  this._opts = opts || {}
 }
 
 /**
@@ -25,8 +29,8 @@ function Ref (references) {
  * @param {String} key - objects key
  * @return {String} wrapped key in quotes if necessary
  */
-Ref.wrapkey = function (key) {
-  return (KEY.test(key) ? key : '"' + key.replace(/"/g, '\\"') + '"')
+Ref.wrapkey = function (key, opts) {
+  return (KEY.test(key) ? key : utils.quote(key, opts))
 }
 
 Ref.prototype = {
@@ -47,17 +51,17 @@ Ref.prototype = {
    * join the keys
    */
   join: function (key) {
-    var out = ''
+    let out = ''
     key = key || this.key
     if (typeof key === 'string') {
       key = [key]
     }
 
-    key.forEach(function (k) {
+    key.forEach(k => {
       if (KEY.test(k)) {
         out += '.' + k
       } else {
-        out += '[' + Ref.wrapkey(k) + ']'
+        out += '[' + Ref.wrapkey(k, this._opts) + ']'
       }
     })
     return out
@@ -69,7 +73,7 @@ Ref.prototype = {
    * @return {Boolean}
    */
   hasReference: function (source) {
-    var idx
+    let idx
     if (~(idx = this.refs.indexOf(source))) {
       this.references.push([this.join(), this.keys[idx]])
       return true