Commitb559f05

committed

fix: check the format of the index of each attachment

A specially crafted packet could be incorrectly decoded.Example:```jsconst decoder = new Decoder();decoder.on("decoded", (packet) => { console.log(packet.data); // prints [ 'hello', [Function: splice] ]})decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');decoder.add(Buffer.from("world"));```As usual, please remember not to trust user input.Backported fromb5d0cb7

1 parentaf1b23c commitb559f05Copy full SHA for b559f05

File tree

4 files changed

+66

-3

lines changed

lib
- binary.ts
- index.ts
test
- buffer.js
- parser.js

4 files changed

+66

-3

lines changed

`‎lib/binary.ts`

Lines changed: 10 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -60,8 +60,16 @@ export function reconstructPacket(packet, buffers) {`
`60`	`60`	`function_reconstructPacket(data,buffers){`
`61`	`61`	`if(!data)returndata;`
`62`	`62`
`63`		`-if(data&&data._placeholder){`
`64`		`-returnbuffers[data.num];// appropriate buffer (should be natural order anyway)`
	`63`	`+if(data&&data._placeholder===true){`
	`64`	`+constisIndexValid=`
	`65`	`+typeofdata.num==="number"&&`
	`66`	`+data.num>=0&&`
	`67`	`+data.num<buffers.length;`
	`68`	`+if(isIndexValid){`
	`69`	`+returnbuffers[data.num];// appropriate buffer (should be natural order anyway)`
	`70`	`+}else{`
	`71`	`+thrownewError("illegal attachments");`
	`72`	`+}`
`65`	`73`	`}elseif(Array.isArray(data)){`
`66`	`74`	`for(leti=0;i<data.length;i++){`
`67`	`75`	`data[i]=_reconstructPacket(data[i],buffers);`

`‎lib/index.ts`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,9 @@ export class Decoder extends Emitter {`
`129`	`129`	`publicadd(obj:any){`
`130`	`130`	`letpacket;`
`131`	`131`	`if(typeofobj==="string"){`
	`132`	`+if(this.reconstructor){`
	`133`	`+thrownewError("got plaintext data when reconstructing a packet");`
	`134`	`+}`
`132`	`135`	`packet=this.decodeString(obj);`
`133`	`136`	`if(`
`134`	`137`	`packet.type===PacketType.BINARY_EVENT\|\|`

`‎test/buffer.js`

Lines changed: 49 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`		`-const{ PacketType}=require("..");`
	`1`	`+const{ PacketType, Decoder}=require("../");`
`2`	`2`	`consthelpers=require("./helpers.js");`
	`3`	`+constexpect=require("expect.js");`
`3`	`4`
`4`	`5`	`describe("parser",()=>{`
`5`	`6`	`it("encodes a Buffer",(done)=>{`
`@@ -14,6 +15,18 @@ describe("parser", () => {`
`14`	`15`	`);`
`15`	`16`	`});`
`16`	`17`
	`18`	`+it("encodes a nested Buffer",(done)=>{`
	`19`	`+helpers.test_bin(`
	`20`	`+{`
	`21`	`+type:PacketType.EVENT,`
	`22`	`+data:["a",{b:["c",Buffer.from("abc","utf8")]}],`
	`23`	`+id:23,`
	`24`	`+nsp:"/cool",`
	`25`	`+},`
	`26`	`+done`
	`27`	`+);`
	`28`	`+});`
	`29`	`+`
`17`	`30`	`it("encodes a binary ack with Buffer",(done)=>{`
`18`	`31`	`helpers.test_bin(`
`19`	`32`	`{`
`@@ -25,4 +38,39 @@ describe("parser", () => {`
`25`	`38`	`done`
`26`	`39`	`);`
`27`	`40`	`});`
	`41`	`+`
	`42`	`+it("throws an error when adding an attachment with an invalid 'num' attribute (string)",()=>{`
	`43`	`+constdecoder=newDecoder();`
	`44`	`+`
	`45`	`+expect(()=>{`
	`46`	`+decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');`
	`47`	`+decoder.add(Buffer.from("world"));`
	`48`	`+}).to.throwException(/^illegalattachments$/);`
	`49`	`+});`
	`50`	`+`
	`51`	`+it("throws an error when adding an attachment with an invalid 'num' attribute (out-of-bound)",()=>{`
	`52`	`+constdecoder=newDecoder();`
	`53`	`+`
	`54`	`+expect(()=>{`
	`55`	`+decoder.add('51-["hello",{"_placeholder":true,"num":1}]');`
	`56`	`+decoder.add(Buffer.from("world"));`
	`57`	`+}).to.throwException(/^illegalattachments$/);`
	`58`	`+});`
	`59`	`+`
	`60`	`+it("throws an error when adding an attachment without header",()=>{`
	`61`	`+constdecoder=newDecoder();`
	`62`	`+`
	`63`	`+expect(()=>{`
	`64`	`+decoder.add(Buffer.from("world"));`
	`65`	`+}).to.throwException(/^gotbinarydatawhennotreconstructingapacket$/);`
	`66`	`+});`
	`67`	`+`
	`68`	`+it("throws an error when decoding a binary event without attachments",()=>{`
	`69`	`+constdecoder=newDecoder();`
	`70`	`+`
	`71`	`+expect(()=>{`
	`72`	`+decoder.add('51-["hello",{"_placeholder":true,"num":0}]');`
	`73`	`+decoder.add('2["hello"]');`
	`74`	`+}).to.throwException(/^gotplaintextdatawhenreconstructingapacket$/);`
	`75`	`+});`
`28`	`76`	`});`

`‎test/parser.js`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -146,5 +146,9 @@ describe("parser", () => {`
`146`	`146`	`expect(()=>newDecoder().add("999")).to.throwException(`
`147`	`147`	`/^unknownpackettype9$/`
`148`	`148`	`);`
	`149`	`+`
	`150`	`+expect(()=>newDecoder().add(999)).to.throwException(`
	`151`	`+/^Unknowntype:999$/`
	`152`	`+);`
`149`	`153`	`});`
`150`	`154`	`});`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb559f05

File tree

4 files changed

4 files changed

`‎lib/binary.ts`

`‎lib/index.ts`

`‎test/buffer.js`

`‎test/parser.js`

0 commit comments