Commit04d23ce

committed

fix: check the format of the index of each attachment

A specially crafted packet could be incorrectly decoded.Example:```jsconst decoder = new Decoder();decoder.on("decoded", (packet) => { console.log(packet.data); // prints [ 'hello', [Function: splice] ]})decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');decoder.add(Buffer.from("world"));```As usual, please remember not to trust user input.Backported fromb5d0cb7

1 parent6a59237 commit04d23ceCopy full SHA for 04d23ce

File tree

3 files changed

+58

-4

lines changed

3 files changed

+58

-4

lines changed

`‎binary.js‎`

Lines changed: 10 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -70,8 +70,16 @@ exports.reconstructPacket = function(packet, buffers) {`
`70`	`70`	`function_reconstructPacket(data,buffers){`
`71`	`71`	`if(!data)returndata;`
`72`	`72`
`73`		`-if(data&&data._placeholder){`
`74`		`-returnbuffers[data.num];// appropriate buffer (should be natural order anyway)`
	`73`	`+if(data&&data._placeholder===true){`
	`74`	`+varisIndexValid=`
	`75`	`+typeofdata.num==="number"&&`
	`76`	`+data.num>=0&&`
	`77`	`+data.num<buffers.length;`
	`78`	`+if(isIndexValid){`
	`79`	`+returnbuffers[data.num];// appropriate buffer (should be natural order anyway)`
	`80`	`+}else{`
	`81`	`+thrownewError("illegal attachments");`
	`82`	`+}`
`75`	`83`	`}elseif(isArray(data)){`
`76`	`84`	`for(vari=0;i<data.length;i++){`
`77`	`85`	`data[i]=_reconstructPacket(data[i],buffers);`

`‎index.js‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -239,6 +239,9 @@ Emitter(Decoder.prototype);`
`239`	`239`	`Decoder.prototype.add=function(obj){`
`240`	`240`	`varpacket;`
`241`	`241`	`if(typeofobj==='string'){`
	`242`	`+if(this.reconstructor){`
	`243`	`+thrownewError("got plaintext data when reconstructing a packet");`
	`244`	`+}`
`242`	`245`	`packet=decodeString(obj);`
`243`	`246`	`if(exports.BINARY_EVENT===packet.type\|\|exports.BINARY_ACK===packet.type){// binary packet's json`
`244`	`247`	`this.reconstructor=newBinaryReconstructor(packet);`

`‎test/buffer.js‎`

Lines changed: 45 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,7 @@`
`1`	`1`	`varparser=require('../index.js');`
`2`	`2`	`varexpect=require('expect.js');`
`3`	`3`	`varhelpers=require('./helpers.js');`
`4`		`-varencode=parser.encode;`
`5`		`-vardecode=parser.decode;`
	`4`	`+varDecoder=parser.Decoder;`
`6`	`5`
`7`	`6`	`describe('parser',function(){`
`8`	`7`	`it('encodes a Buffer',function(){`
`@@ -14,6 +13,15 @@ describe('parser', function() {`
`14`	`13`	`});`
`15`	`14`	`});`
`16`	`15`
	`16`	`+it("encodes a nested Buffer",function(){`
	`17`	`+helpers.test_bin({`
	`18`	`+type:parser.BINARY_EVENT,`
	`19`	`+data:["a",{b:["c",Buffer.from("abc","utf8")]}],`
	`20`	`+id:23,`
	`21`	`+nsp:"/cool",`
	`22`	`+});`
	`23`	`+});`
	`24`	`+`
`17`	`25`	`it('encodes a binary ack with Buffer',function(){`
`18`	`26`	`helpers.test_bin({`
`19`	`27`	`type:parser.BINARY_ACK,`
`@@ -22,4 +30,39 @@ describe('parser', function() {`
`22`	`30`	`nsp:'/back'`
`23`	`31`	`})`
`24`	`32`	`});`
	`33`	`+`
	`34`	`+it("throws an error when adding an attachment with an invalid 'num' attribute (string)",function(){`
	`35`	`+vardecoder=newDecoder();`
	`36`	`+`
	`37`	`+expect(function(){`
	`38`	`+decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');`
	`39`	`+decoder.add(Buffer.from("world"));`
	`40`	`+}).to.throwException(/^illegalattachments$/);`
	`41`	`+});`
	`42`	`+`
	`43`	`+it("throws an error when adding an attachment with an invalid 'num' attribute (out-of-bound)",function(){`
	`44`	`+vardecoder=newDecoder();`
	`45`	`+`
	`46`	`+expect(function(){`
	`47`	`+decoder.add('51-["hello",{"_placeholder":true,"num":1}]');`
	`48`	`+decoder.add(Buffer.from("world"));`
	`49`	`+}).to.throwException(/^illegalattachments$/);`
	`50`	`+});`
	`51`	`+`
	`52`	`+it("throws an error when adding an attachment without header",function(){`
	`53`	`+vardecoder=newDecoder();`
	`54`	`+`
	`55`	`+expect(function(){`
	`56`	`+decoder.add(Buffer.from("world"));`
	`57`	`+}).to.throwException(/^gotbinarydatawhennotreconstructingapacket$/);`
	`58`	`+});`
	`59`	`+`
	`60`	`+it("throws an error when decoding a binary event without attachments",function(){`
	`61`	`+vardecoder=newDecoder();`
	`62`	`+`
	`63`	`+expect(function(){`
	`64`	`+decoder.add('51-["hello",{"_placeholder":true,"num":0}]');`
	`65`	`+decoder.add('2["hello"]');`
	`66`	`+}).to.throwException(/^gotplaintextdatawhenreconstructingapacket$/);`
	`67`	`+});`
`25`	`68`	`});`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit04d23ce

File tree

3 files changed

3 files changed

`‎binary.js‎`

`‎index.js‎`

`‎test/buffer.js‎`

0 commit comments