From c2b5d643fdc41c9b28b4930ec55e93dbedf6636d Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Tue, 11 Apr 2023 13:33:36 +0100
Subject: [PATCH] Require xml2js `>=0.5.0` to address CVE-2023-0842

---
 node_modules/.package-lock.json | 6 +++---
 node_modules/xml2js/README.md | 27 +++++++++++++++++++++++----
 node_modules/xml2js/lib/parser.js | 16 ++++++++++------
 node_modules/xml2js/package.json | 5 +++--
 package-lock.json | 6 +++---
 package.json | 3 +++
 6 files changed, 45 insertions(+), 18 deletions(-)

diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
index d09949cdd0..2ebb190a3d 100644
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -6045,9 +6045,9 @@
 }
 },
 "node_modules/xml2js": {
- "version": "0.4.23",
- "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz",
- "integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==",
+ "version": "0.5.0",
+ "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",
+ "integrity": "sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==",
 "dependencies": {
 "sax": ">=0.6.0",
 "xmlbuilder": "~11.0.0"
diff --git a/node_modules/xml2js/README.md b/node_modules/xml2js/README.md
index 7534c89332..67f2104a51 100644
--- a/node_modules/xml2js/README.md
+++ b/node_modules/xml2js/README.md
@@ -113,7 +113,7 @@ var xml = '';
 
 // With parser
 var parser = new xml2js.Parser(/* options */);
-parser.parseStringPromise(data).then(function (result) {
+parser.parseStringPromise(xml).then(function (result) {
 console.dir(result);
 console.log('Done');
 })
@@ -122,7 +122,7 @@ parser.parseStringPromise(data).then(function (result) {
 });
 
 // Without parser
-xml2js.parseStringPromise(data /*, options */).then(function (result) {
+xml2js.parseStringPromise(xml /*, options */).then(function (result) {
 console.dir(result);
 console.log('Done');
 })
@@ -180,6 +180,16 @@ var obj = {name: "Super", Surname: "Man", age: 23};
 var builder = new xml2js.Builder();
 var xml = builder.buildObject(obj);
 ```
+will result in:
+
+```xml
+
+
+ Super
+ Man
+ 23
+
+```
 
 At the moment, a one to one bi-directional conversion is guaranteed only for
 default configuration, except for `attrkey`, `charkey` and `explicitArray` options
@@ -195,6 +205,11 @@ var obj = {root: {$: {id: "my id"}, _: "my inner text"}};
 var builder = new xml2js.Builder();
 var xml = builder.buildObject(obj);
 ```
+will result in:
+```xml
+
+my inner text
+```
 
 ### Adding xmlns attributes
 
@@ -309,14 +324,18 @@ value})``. Possible options are:
 Version 0.1 default was `@`.
 * `charkey` (default: `_`): Prefix that is used to access the character content. Version 0.1 default was `#`.
- * `explicitCharkey` (default: `false`)
+ * `explicitCharkey` (default: `false`) Determines whether or not to use
+ a `charkey` prefix for elements with no attributes.
 * `trim` (default: `false`): Trim the whitespace at the beginning and end of
 text nodes.
 * `normalizeTags` (default: `false`): Normalize all tag names to lowercase.
 * `normalize` (default: `false`): Trim whitespaces inside text nodes.
 * `explicitRoot` (default: `true`): Set this if you want to get the root
 node in the resulting object.
- * `emptyTag` (default: `''`): what will the value of empty nodes be.
+ * `emptyTag` (default: `''`): what will the value of empty nodes be. In case
+ you want to use an empty object as a default value, it is better to provide a factory
+ function `() => ({})` instead. Without this function a plain object would
+ become a shared reference across all occurrences with unwanted behavior.
 * `explicitArray` (default: `true`): Always put child nodes in an array if
 true; otherwise an array is created only if there is more than one.
 * `ignoreAttrs` (default: `false`): Ignore all XML attributes and only create
diff --git a/node_modules/xml2js/lib/parser.js b/node_modules/xml2js/lib/parser.js
index 59f4d545f9..192382d3c4 100644
--- a/node_modules/xml2js/lib/parser.js
+++ b/node_modules/xml2js/lib/parser.js
@@ -141,14 +141,14 @@
 this.saxParser.onopentag = (function(_this) {
 return function(node) {
 var key, newValue, obj, processedKey, ref;
- obj = {};
+ obj = Object.create(null);
 obj[charkey] = "";
 if (!_this.options.ignoreAttrs) {
 ref = node.attributes;
 for (key in ref) {
 if (!hasProp.call(ref, key)) continue;
 if (!(attrkey in obj) && !_this.options.mergeAttrs) {
- obj[attrkey] = {};
+ obj[attrkey] = Object.create(null);
 }
 newValue = _this.options.attrValueProcessors ? processItem(_this.options.attrValueProcessors, node.attributes[key], key) : node.attributes[key];
 processedKey = _this.options.attrNameProcessors ? processItem(_this.options.attrNameProcessors, key) : key;
@@ -198,7 +198,11 @@
 }
 }
 if (isEmpty(obj)) {
- obj = _this.options.emptyTag !== '' ? _this.options.emptyTag : emptyStr;
+ if (typeof _this.options.emptyTag === 'function') {
+ obj = _this.options.emptyTag();
+ } else {
+ obj = _this.options.emptyTag !== '' ? _this.options.emptyTag : emptyStr;
+ }
 }
 if (_this.options.validator != null) {
 xpath = "/" + ((function() {
@@ -222,7 +226,7 @@
 }
 if (_this.options.explicitChildren && !_this.options.mergeAttrs && typeof obj === 'object') {
 if (!_this.options.preserveChildrenOrder) {
- node = {};
+ node = Object.create(null);
 if (_this.options.attrkey in obj) {
 node[_this.options.attrkey] = obj[_this.options.attrkey];
 delete obj[_this.options.attrkey];
@@ -237,7 +241,7 @@
 obj = node;
 } else if (s) {
 s[_this.options.childkey] = s[_this.options.childkey] || [];
- objClone = {};
+ objClone = Object.create(null);
 for (key in obj) {
 if (!hasProp.call(obj, key)) continue;
 objClone[key] = obj[key];
@@ -254,7 +258,7 @@
 } else {
 if (_this.options.explicitRoot) {
 old = obj;
- obj = {};
+ obj = Object.create(null);
 obj[nodeName] = old;
 }
 _this.resultObject = obj;
diff --git a/node_modules/xml2js/package.json b/node_modules/xml2js/package.json
index 0769b61152..bc8eb6639f 100644
--- a/node_modules/xml2js/package.json
+++ b/node_modules/xml2js/package.json
@@ -6,7 +6,7 @@
 "json"
 ],
 "homepage": "https://github.com/Leonidas-from-XIV/node-xml2js",
- "version": "0.4.23",
+ "version": "0.5.0",
 "author": "Marek Kubica (https://xivilization.net)",
 "contributors": [
 "maqr (https://github.com/maqr)",
@@ -53,7 +53,8 @@
 "David Wood (http://codesleuth.co.uk/)",
 "Nicolas Maquet (https://github.com/nmaquet)",
 "Lovell Fuller (http://lovell.info/)",
- "d3adc0d3 (https://github.com/d3adc0d3)"
+ "d3adc0d3 (https://github.com/d3adc0d3)",
+ "James Crosby (https://github.com/autopulated)"
 ],
 "main": "./lib/xml2js",
 "files": [
diff --git a/package-lock.json b/package-lock.json
index 9eba936375..9debadb85a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6101,9 +6101,9 @@
 }
 },
 "node_modules/xml2js": {
- "version": "0.4.23",
- "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz",
- "integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==",
+ "version": "0.5.0",
+ "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",
+ "integrity": "sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==",
 "dependencies": {
 "sax": ">=0.6.0",
 "xmlbuilder": "~11.0.0"
diff --git a/package.json b/package.json
index b8e5ceb81c..f35b30da42 100644
--- a/package.json
+++ b/package.json
@@ -73,5 +73,8 @@
 "removeNPMAbsolutePaths": "3.0.0",
 "sinon": "^15.0.1",
 "typescript": "^5.0.2"
+ },
+ "overrides": {
+ "xml2js": ">=0.5.0"
 }
 }
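Review bot: The `"xml2js": ">=0.5.0"` override in package.json pulls in a behaviour change the commit message does not mention: in the vendored parser.js hunk every parsed node, attribute map and root wrapper is now created with `Object.create(null)` instead of `{}`, so parse results no longer inherit `Object.prototype` and any code in this repo that calls `result.hasOwnProperty(k)` or similar on xml2js output will throw at runtime. It is worth checking the consumers of xml2js results before merging and moving them to `Object.hasOwn(obj, k)` or `k in obj`. The `overrides` field is only honoured by npm 8.3 or newer; on an older npm it is silently ignored and the lockfile entries updated here are the only thing actually holding 0.5.0, so the npm version used in CI is worth confirming. Since package.json cannot carry a comment, recording the CVE-2023-0842 rationale next to the other dependency notes would keep the override from being dropped later as stale.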