Merge pull request #563 from metrico/security_fix

fix security alerts
metrico · Sep 3, 2024 · ea4b257 · ea4b257
2 parents 5c29b5c + 44886ae
commit ea4b257
Show file tree

Hide file tree

Showing 7 changed files with 3,700 additions and 4,326 deletions.
diff --git a/jest.config.js b/jest.config.js
@@ -2,6 +2,6 @@ const path = require('path')
 module.exports = {
   setupFilesAfterEnv: [path.join(__dirname, '/test/jest.setup.js')],
   moduleNameMapper: {
-    '^axios$': 'axios/dist/node/axios.cjs'
+    '^axios$': require.resolve('axios'),//'axios/dist/node/axios.cjs'
   }
 }
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -72,7 +72,7 @@
     "snappyjs": "^0.6.1",
     "stream-chain": "^2.2.4",
     "stream-json": "^1.7.3",
-    "ws": "^8.0.0",
+    "ws": "^8.17.1",
     "xxhash-wasm": "^0.4.2",
     "yaml": "^1.10.2",
     "@stricjs/utils": "^1.6.1",
@@ -101,7 +101,7 @@
     "eslint-plugin-jest": "^25.3.0",
     "eslint-plugin-node": "^11.1.0",
     "eslint-plugin-promise": "^5.2.0",
-    "jest": "^27.4.5",
+    "jest": "^29.7.0",
     "node-abort-controller": "^3.1.1",
     "node-fetch": "^2.6.7",
     "pino-pretty": "^7.5.1",

diff --git a/parser/bnf.js b/parser/bnf.js
@@ -79,21 +79,35 @@ compiler._ParseScript = compiler.ParseScript
 compiler.ParseScript = function (script) {
   const qLiterals = []
   const aqLiterals = []
-  const quotedStrings = script.replaceAll(/"([^"\\]|\\.)*"/g, (str) => {
-    if (str.length < 512) {
-      return str
+  let _script = script
+  let res = ''
+  let qsMatch = _script.match(/^([^"]*)("([^"\\]|\\.)*")?/)
+  while (qsMatch && qsMatch[0]) {
+    let repl = qsMatch[2] || ''
+    if (repl.length > 512) {
+      qLiterals.push(repl)
+      repl = `"QL_${qLiterals.length - 1}"`
     }
-    qLiterals.push(str)
-    return `"QL_${qLiterals.length - 1}"`
-  })
-  const aQuotedStrings = quotedStrings.replaceAll(/`([^`\\]|\\.)*`/g, (str) => {
-    if (str.length < 512) {
-      return str
+    res = res + qsMatch[1] + repl
+    _script = _script.slice(qsMatch[0].length)
+    qsMatch = _script.match(/^([^"]*)("([^"\\]|\\.)*")?/)
+  }
+
+  _script = res
+  res = ''
+  qsMatch = _script.match(/^([^`]*)(`([^`\\]|\\.)*`)?/)
+  while (qsMatch && qsMatch[0]) {
+    let repl = qsMatch[2] || ''
+    if (repl.length > 512) {
+      aqLiterals.push(repl)
+      repl = `\`AL_${qLiterals.length - 1}\``
     }
-    aqLiterals.push(str)
-    return `\`AL_${aqLiterals.length - 1}\``
-  })
-  const parsedScript = this._ParseScript(aQuotedStrings)
+    res = res + qsMatch[1] + repl
+    _script = _script.slice(qsMatch[0].length)
+    qsMatch = _script.match(/^([^`]*)(`([^`\\]|\\.)*`)?/)
+  }
+
+  const parsedScript = this._ParseScript(res)
   if (!parsedScript) {
     return parsedScript
   }

diff --git a/test/__snapshots__/parser.test.js.snap b/test/__snapshots__/parser.test.js.snap
@@ -1,8 +1,8 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
 exports[`should compile regex 1`] = `
-"SCRIPT: abcd\\\\(
- SYNTAX: abcd\\\\(
+"SCRIPT: abcd\\(
+ SYNTAX: abcd\\(
   literal: a
    letter: a
   literal: b
@@ -11,20 +11,20 @@ exports[`should compile regex 1`] = `
    letter: c
   literal: d
    letter: d
-  literal: \\\\(
-   quoted_brack: \\\\(
+  literal: \\(
+   quoted_brack: \\(
 "
 `;
 
 exports[`should compile regex 2`] = `
-"SCRIPT: (a\\\\(bc)
- SYNTAX: (a\\\\(bc)
-  any_group: (a\\\\(bc)
-   group_tail: a\\\\(bc
+"SCRIPT: (a\\(bc)
+ SYNTAX: (a\\(bc)
+  any_group: (a\\(bc)
+   group_tail: a\\(bc
     literal: a
      letter: a
-    literal: \\\\(
-     quoted_brack: \\\\(
+    literal: \\(
+     quoted_brack: \\(
     literal: b
      letter: b
     literal: c
@@ -33,26 +33,26 @@ exports[`should compile regex 2`] = `
 `;
 
 exports[`should compile regex 3`] = `
-"SCRIPT: (?<label1>a[^\\\\[\\\\(\\\\)]bc)
- SYNTAX: (?<label1>a[^\\\\[\\\\(\\\\)]bc)
-  any_group: (?<label1>a[^\\\\[\\\\(\\\\)]bc)
+"SCRIPT: (?<label1>a[^\\[\\(\\)]bc)
+ SYNTAX: (?<label1>a[^\\[\\(\\)]bc)
+  any_group: (?<label1>a[^\\[\\(\\)]bc)
    group_name: ?<label1>
     label: label1
-   group_tail: a[^\\\\[\\\\(\\\\)]bc
+   group_tail: a[^\\[\\(\\)]bc
     literal: a
      letter: a
     literal: [
      letter: [
     literal: ^
      letter: ^
-    literal: \\\\
-     letter: \\\\
+    literal: \\
+     letter: \\
     literal: [
      letter: [
-    literal: \\\\(
-     quoted_brack: \\\\(
-    literal: \\\\)
-     quoted_brack: \\\\)
+    literal: \\(
+     quoted_brack: \\(
+    literal: \\)
+     quoted_brack: \\)
     literal: ]
      letter: ]
     literal: b
@@ -63,28 +63,28 @@ exports[`should compile regex 3`] = `
 `;
 
 exports[`should compile regex 4`] = `
-"SCRIPT: (a(?<label1>[^\\\\[\\\\(\\\\)]bc))
- SYNTAX: (a(?<label1>[^\\\\[\\\\(\\\\)]bc))
-  any_group: (a(?<label1>[^\\\\[\\\\(\\\\)]bc))
-   group_tail: a(?<label1>[^\\\\[\\\\(\\\\)]bc)
+"SCRIPT: (a(?<label1>[^\\[\\(\\)]bc))
+ SYNTAX: (a(?<label1>[^\\[\\(\\)]bc))
+  any_group: (a(?<label1>[^\\[\\(\\)]bc))
+   group_tail: a(?<label1>[^\\[\\(\\)]bc)
     literal: a
      letter: a
-    any_group: (?<label1>[^\\\\[\\\\(\\\\)]bc)
+    any_group: (?<label1>[^\\[\\(\\)]bc)
      group_name: ?<label1>
       label: label1
-     group_tail: [^\\\\[\\\\(\\\\)]bc
+     group_tail: [^\\[\\(\\)]bc
       literal: [
        letter: [
       literal: ^
        letter: ^
-      literal: \\\\
-       letter: \\\\
+      literal: \\
+       letter: \\
       literal: [
        letter: [
-      literal: \\\\(
-       quoted_brack: \\\\(
-      literal: \\\\)
-       quoted_brack: \\\\)
+      literal: \\(
+       quoted_brack: \\(
+      literal: \\)
+       quoted_brack: \\)
       literal: ]
        letter: ]
       literal: b
@@ -95,18 +95,18 @@ exports[`should compile regex 4`] = `
 `;
 
 exports[`should compile regex 5`] = `
-"SCRIPT: (a[\\\\(\\\\)]+(?<l2>b)(?<label1>[^\\\\[\\\\(\\\\)]bc))
- SYNTAX: (a[\\\\(\\\\)]+(?<l2>b)(?<label1>[^\\\\[\\\\(\\\\)]bc))
-  any_group: (a[\\\\(\\\\)]+(?<l2>b)(?<label1>[^\\\\[\\\\(\\\\)]bc))
-   group_tail: a[\\\\(\\\\)]+(?<l2>b)(?<label1>[^\\\\[\\\\(\\\\)]bc)
+"SCRIPT: (a[\\(\\)]+(?<l2>b)(?<label1>[^\\[\\(\\)]bc))
+ SYNTAX: (a[\\(\\)]+(?<l2>b)(?<label1>[^\\[\\(\\)]bc))
+  any_group: (a[\\(\\)]+(?<l2>b)(?<label1>[^\\[\\(\\)]bc))
+   group_tail: a[\\(\\)]+(?<l2>b)(?<label1>[^\\[\\(\\)]bc)
     literal: a
      letter: a
     literal: [
      letter: [
-    literal: \\\\(
-     quoted_brack: \\\\(
-    literal: \\\\)
-     quoted_brack: \\\\)
+    literal: \\(
+     quoted_brack: \\(
+    literal: \\)
+     quoted_brack: \\)
     literal: ]
      letter: ]
     literal: +
@@ -117,22 +117,22 @@ exports[`should compile regex 5`] = `
      group_tail: b
       literal: b
        letter: b
-    any_group: (?<label1>[^\\\\[\\\\(\\\\)]bc)
+    any_group: (?<label1>[^\\[\\(\\)]bc)
      group_name: ?<label1>
       label: label1
-     group_tail: [^\\\\[\\\\(\\\\)]bc
+     group_tail: [^\\[\\(\\)]bc
       literal: [
        letter: [
       literal: ^
        letter: ^
-      literal: \\\\
-       letter: \\\\
+      literal: \\
+       letter: \\
       literal: [
        letter: [
-      literal: \\\\(
-       quoted_brack: \\\\(
-      literal: \\\\)
-       quoted_brack: \\\\)
+      literal: \\(
+       quoted_brack: \\(
+      literal: \\)
+       quoted_brack: \\)
       literal: ]
        letter: ]
       literal: b
@@ -142,71 +142,71 @@ exports[`should compile regex 5`] = `
 "
 `;
 
-exports[`should erase names 1`] = `"abcd\\\\("`;
+exports[`should erase names 1`] = `"abcd\\("`;
 
-exports[`should erase names 2`] = `"(a\\\\(bc)"`;
+exports[`should erase names 2`] = `"(a\\(bc)"`;
 
-exports[`should erase names 3`] = `"(a[^\\\\[\\\\(\\\\)]bc)"`;
+exports[`should erase names 3`] = `"(a[^\\[\\(\\)]bc)"`;
 
-exports[`should erase names 4`] = `"(a([^\\\\[\\\\(\\\\)]bc))"`;
+exports[`should erase names 4`] = `"(a([^\\[\\(\\)]bc))"`;
 
-exports[`should erase names 5`] = `"(a[\\\\(\\\\)]+(b)([^\\\\[\\\\(\\\\)]bc))"`;
+exports[`should erase names 5`] = `"(a[\\(\\)]+(b)([^\\[\\(\\)]bc))"`;
 
-exports[`should get named groups 1`] = `Array []`;
+exports[`should get named groups 1`] = `[]`;
 
 exports[`should get named groups 2`] = `
-Array [
-  Object {
-    "val": "a\\\\(bc",
+[
+  {
+    "val": "a\\(bc",
   },
 ]
 `;
 
 exports[`should get named groups 3`] = `
-Array [
-  Object {
+[
+  {
     "name": "label1",
-    "val": "a[^\\\\[\\\\(\\\\)]bc",
+    "val": "a[^\\[\\(\\)]bc",
   },
 ]
 `;
 
 exports[`should get named groups 4`] = `
-Array [
-  Object {
-    "val": "a(?<label1>[^\\\\[\\\\(\\\\)]bc)",
+[
+  {
+    "val": "a(?<label1>[^\\[\\(\\)]bc)",
   },
-  Object {
+  {
     "name": "label1",
-    "val": "[^\\\\[\\\\(\\\\)]bc",
+    "val": "[^\\[\\(\\)]bc",
   },
 ]
 `;
 
 exports[`should get named groups 5`] = `
-Array [
-  Object {
-    "val": "a[\\\\(\\\\)]+(?<l2>b)(?<label1>[^\\\\[\\\\(\\\\)]bc)",
+[
+  {
+    "val": "a[\\(\\)]+(?<l2>b)(?<label1>[^\\[\\(\\)]bc)",
   },
-  Object {
+  {
     "name": "l2",
     "val": "b",
   },
-  Object {
+  {
     "name": "label1",
-    "val": "[^\\\\[\\\\(\\\\)]bc",
+    "val": "[^\\[\\(\\)]bc",
   },
 ]
 `;
 
 exports[`should process regex 1`] = `
-Object {
-  "labels": Array [
-    Object {
+{
+  "labels": [
+    {
       "name": "helper",
       "val": "[a-zA-Z0-9]+",
     },
-    Object {
+    {
       "name": "token",
       "val": "[a-zA-Z]+",
     },