fix: Backport misc utility hardening (#2280)

Author: dcodeIO

bench/data/static_pbjs.js

@@ -21,15 +21,19 @@ $root.Test = (function() {
     Test.prototype.inner = null;
     Test.prototype.float = 0;
 
-    Test.encode = function encode(message, writer) {
+    Test.encode = function encode(message, writer, q) {
         if (!writer)
             writer = $Writer.create();
+        if (q === undefined)
+            q = 0;
+        if (q > $util.recursionLimit)
+            throw Error("max depth exceeded");
         if (message.string != null && Object.hasOwnProperty.call(message, "string"))
             writer.uint32(10).string(message.string);
         if (message.uint32 != null && Object.hasOwnProperty.call(message, "uint32"))
             writer.uint32(16).uint32(message.uint32);
         if (message.inner != null && Object.hasOwnProperty.call(message, "inner"))
-            $root.Test.Inner.encode(message.inner, writer.uint32(26).fork()).ldelim();
+            $root.Test.Inner.encode(message.inner, writer.uint32(26).fork(), q + 1).ldelim();
         if (message.float != null && Object.hasOwnProperty.call(message, "float"))
             writer.uint32(37).float(message.float);
         return writer;
@@ -85,15 +89,19 @@ $root.Test = (function() {
         Inner.prototype.innerInner = null;
         Inner.prototype.outer = null;
 
-        Inner.encode = function encode(message, writer) {
+        Inner.encode = function encode(message, writer, q) {
             if (!writer)
                 writer = $Writer.create();
+            if (q === undefined)
+                q = 0;
+            if (q > $util.recursionLimit)
+                throw Error("max depth exceeded");
             if (message.int32 != null && Object.hasOwnProperty.call(message, "int32"))
                 writer.uint32(8).int32(message.int32);
             if (message.innerInner != null && Object.hasOwnProperty.call(message, "innerInner"))
-                $root.Test.Inner.InnerInner.encode(message.innerInner, writer.uint32(18).fork()).ldelim();
+                $root.Test.Inner.InnerInner.encode(message.innerInner, writer.uint32(18).fork(), q + 1).ldelim();
             if (message.outer != null && Object.hasOwnProperty.call(message, "outer"))
-                $root.Outer.encode(message.outer, writer.uint32(26).fork()).ldelim();
+                $root.Outer.encode(message.outer, writer.uint32(26).fork(), q + 1).ldelim();
             return writer;
         };
 
@@ -143,9 +151,13 @@ $root.Test = (function() {
             InnerInner.prototype["enum"] = 0;
             InnerInner.prototype.sint32 = 0;
 
-            InnerInner.encode = function encode(message, writer) {
+            InnerInner.encode = function encode(message, writer, q) {
                 if (!writer)
                     writer = $Writer.create();
+                if (q === undefined)
+                    q = 0;
+                if (q > $util.recursionLimit)
+                    throw Error("max depth exceeded");
                 if (message.long != null && Object.hasOwnProperty.call(message, "long"))
                     writer.uint32(8).int64(message.long);
                 if (message["enum"] != null && Object.hasOwnProperty.call(message, "enum"))
@@ -220,9 +232,13 @@ $root.Outer = (function() {
     Outer.prototype.bool = $util.emptyArray;
     Outer.prototype.double = 0;
 
-    Outer.encode = function encode(message, writer) {
+    Outer.encode = function encode(message, writer, q) {
         if (!writer)
             writer = $Writer.create();
+        if (q === undefined)
+            q = 0;
+        if (q > $util.recursionLimit)
+            throw Error("max depth exceeded");
         if (message.bool != null && message.bool.length) {
             writer.uint32(10).fork();
             for (var i = 0; i < message.bool.length; ++i)

ext/descriptor/index.js

@@ -223,9 +223,14 @@ var unnamedMessageIndex = 0;
  * @param {IDescriptorProto|Reader|Uint8Array} descriptor Descriptor
  * @param {string} [edition="proto2"] The syntax or edition to use
  * @param {boolean} [nested=false] Whether or not this is a nested object
+ * @param {number} [depth] Current nesting depth, defaults to `0`
  * @returns {Type} Type instance
  */
-Type.fromDescriptor = function fromDescriptor(descriptor, edition, nested) {
+Type.fromDescriptor = function fromDescriptor(descriptor, edition, nested, depth) {
+    if (depth === undefined)
+        depth = 0;
+    if (depth > $protobuf.util.nestingLimit)
+        throw Error("max depth exceeded");
     // Decode the descriptor message if specified as a buffer:
     if (typeof descriptor.length === "number")
         descriptor = exports.DescriptorProto.decode(descriptor);
@@ -252,7 +257,7 @@ Type.fromDescriptor = function fromDescriptor(descriptor, edition, nested) {
             type.add(Field.fromDescriptor(descriptor.extension[i], edition, true));
     /* Nested types */ if (descriptor.nestedType)
         for (i = 0; i < descriptor.nestedType.length; ++i) {
-            type.add(Type.fromDescriptor(descriptor.nestedType[i], edition, true));
+            type.add(Type.fromDescriptor(descriptor.nestedType[i], edition, true, depth + 1));
             if (descriptor.nestedType[i].options && descriptor.nestedType[i].options.mapEntry)
                 type.setOption("map_entry", true);
         }

index.d.ts

@@ -2033,6 +2033,13 @@ export namespace util {
         public length(): number;
     }
 
+    /**
+     * Tests if the specified key can affect object prototypes.
+     * @param key Key to test
+     * @returns `true` if the key is unsafe
+     */
+    function isUnsafeProperty(key: string): boolean;
+
     /** Whether running within node or not. */
     let isNode: boolean;
 
@@ -2126,11 +2133,13 @@ export namespace util {
     /**
      * Merges the properties of the source object into the destination object.
      * @param dst Destination object
-     * @param src Source object
-     * @param [ifNotSet=false] Merges only if the key is not already set
+     * @param src Source objects, optionally followed by an `ifNotSet` flag
      * @returns Destination object
      */
-    function merge(dst: { [k: string]: any }, src: { [k: string]: any }, ifNotSet?: boolean): { [k: string]: any };
+    function merge(dst: { [k: string]: any }, ...src: any[]): { [k: string]: any };
+
+    /** Schema declaration nesting limit. */
+    let nestingLimit: number;
 
     /** Recursion limit. */
     let recursionLimit: number;

lib/eventemitter/index.js

@@ -14,7 +14,7 @@ function EventEmitter() {
      * @type {Object.<string,*>}
      * @private
      */
-    this._listeners = {};
+    this._listeners = Object.create(null);
 }
 
 /**
@@ -48,12 +48,14 @@ EventEmitter.prototype.on = function on(evt, fn, ctx) {
  */
 EventEmitter.prototype.off = function off(evt, fn) {
     if (evt === undefined)
-        this._listeners = {};
+        this._listeners = Object.create(null);
     else {
         if (fn === undefined)
             this._listeners[evt] = [];
         else {
             var listeners = this._listeners[evt];
+            if (!listeners)
+                return this;
             for (var i = 0; i < listeners.length;)
                 if (listeners[i].fn === fn)
                     listeners.splice(i, 1);

lib/eventemitter/tests/index.js

@@ -8,6 +8,8 @@ tape.test("eventemitter", function(test) {
     var fn;
     var ctx = {};
 
+    test.equal(Object.getPrototypeOf(ee._listeners), null, "should not inherit listener lookup keys");
+
     test.doesNotThrow(function() {
         ee.emit("a", 1);
         ee.off();
@@ -22,18 +24,21 @@ tape.test("eventemitter", function(test) {
     ee.emit("a", 1);
 
     ee.off("a");
-    test.same(ee._listeners, { a: [] }, "should remove all listeners of the respective event when calling off(evt)");
+    test.same(Object.keys(ee._listeners), [ "a" ], "should keep the event key when calling off(evt)");
+    test.same(ee._listeners.a, [], "should remove all listeners of the respective event when calling off(evt)");
 
     ee.off();
-    test.same(ee._listeners, {}, "should remove all listeners when just calling off()");
+    test.equal(Object.getPrototypeOf(ee._listeners), null, "should keep the listener table isolated when just calling off()");
+    test.same(Object.keys(ee._listeners), [], "should remove all listeners when just calling off()");
 
     ee.on("a", fn = function(arg1) {
         test.equal(this, ctx, "should be called with this = ctx");
         test.equal(arg1, 1, "should be called with arg1 = 1");
     }, ctx).emit("a", 1);
 
     ee.off("a", fn);
-    test.same(ee._listeners, { a: [] }, "should remove the exact listener when calling off(evt, fn)");
+    test.same(Object.keys(ee._listeners), [ "a" ], "should keep the event key when calling off(evt, fn)");
+    test.same(ee._listeners.a, [], "should remove the exact listener when calling off(evt, fn)");
 
     ee.on("a", function() {
         test.equal(this, ee, "should be called with this = ee");
@@ -43,5 +48,36 @@ tape.test("eventemitter", function(test) {
         ee.off("a", fn);
     }, "should not throw if no such listener is found");
 
+    test.test(test.name + " - special event names", function(test) {
+        var ee = new EventEmitter();
+        var calls = 0;
+
+        test.doesNotThrow(function() {
+            ee.off("__proto__", function() {});
+        }, "should not throw when removing an absent special event listener");
+
+        ee.on("__proto__", function(arg) {
+            ++calls;
+            test.equal(arg, 1, "should pass arguments for __proto__ events");
+        });
+        ee.on("constructor", function(arg) {
+            ++calls;
+            test.equal(arg, 2, "should pass arguments for constructor events");
+        });
+        ee.emit("__proto__", 1);
+        ee.emit("constructor", 2);
+
+        test.equal(calls, 2, "should dispatch special event names");
+        test.equal(Object.getPrototypeOf(ee._listeners), null, "should keep the listener table isolated");
+        test.ok(Object.prototype.hasOwnProperty.call(ee._listeners, "__proto__"), "should store __proto__ as an own event key");
+        test.ok(Object.prototype.hasOwnProperty.call(ee._listeners, "constructor"), "should store constructor as an own event key");
+
+        ee.off("__proto__");
+        ee.off("constructor");
+        test.same(ee._listeners.__proto__, [], "should clear __proto__ listeners");
+        test.same(ee._listeners.constructor, [], "should clear constructor listeners");
+        test.end();
+    });
+
     test.end();
 });

src/converter.js

@@ -172,7 +172,7 @@ function genValuePartial_toObject(gen, field, fieldIndex, prop) {
         if (field.resolvedType instanceof Enum) gen
             ("d%s=o.enums===String?(types[%i].values[m%s]===undefined?m%s:types[%i].values[m%s]):m%s", prop, fieldIndex, prop, prop, fieldIndex, prop, prop);
         else gen
-            ("d%s=types[%i].toObject(m%s,o)", prop, fieldIndex, prop);
+            ("d%s=types[%i].toObject(m%s,o,q+1)", prop, fieldIndex, prop);
     } else {
         var isUnsigned = false;
         switch (field.type) {
@@ -216,9 +216,12 @@ converter.toObject = function toObject(mtype) {
     var fields = mtype.fieldsArray.slice().sort(util.compareFieldsById);
     if (!fields.length)
         return util.codegen()("return {}");
-    var gen = util.codegen(["m", "o"], mtype.name + "$toObject")
+    var gen = util.codegen(["m", "o", "q"], mtype.name + "$toObject")
     ("if(!o)")
         ("o={}")
+    ("if(q===undefined)q=0")
+    ("if(q>util.recursionLimit)")
+        ("throw Error(\"max depth exceeded\")")
     ("var d={}");
 
     var repeatedFields = [],

src/encoder.js

@@ -16,8 +16,8 @@ var Enum     = require("./enum"),
  */
 function genTypePartial(gen, field, fieldIndex, ref) {
     return field.delimited
-        ? gen("types[%i].encode(%s,w.uint32(%i)).uint32(%i)", fieldIndex, ref, (field.id << 3 | 3) >>> 0, (field.id << 3 | 4) >>> 0)
-        : gen("types[%i].encode(%s,w.uint32(%i).fork()).ldelim()", fieldIndex, ref, (field.id << 3 | 2) >>> 0);
+        ? gen("types[%i].encode(%s,w.uint32(%i),q+1).uint32(%i)", fieldIndex, ref, (field.id << 3 | 3) >>> 0, (field.id << 3 | 4) >>> 0)
+        : gen("types[%i].encode(%s,w.uint32(%i).fork(),q+1).ldelim()", fieldIndex, ref, (field.id << 3 | 2) >>> 0);
 }
 
 /**
@@ -27,9 +27,12 @@ function genTypePartial(gen, field, fieldIndex, ref) {
  */
 function encoder(mtype) {
     /* eslint-disable no-unexpected-multiline, block-scoped-var, no-redeclare */
-    var gen = util.codegen(["m", "w"], mtype.name + "$encode")
+    var gen = util.codegen(["m", "w", "q"], mtype.name + "$encode")
     ("if(!w)")
-        ("w=Writer.create()");
+        ("w=Writer.create()")
+    ("if(q===undefined)q=0")
+    ("if(q>util.recursionLimit)")
+        ("throw Error(\"max depth exceeded\")");
 
     var i, ref;
 
@@ -50,7 +53,7 @@ function encoder(mtype) {
         ("for(var ks=Object.keys(%s),i=0;i<ks.length;++i){", ref)
             ("w.uint32(%i).fork().uint32(%i).%s(ks[i])", (field.id << 3 | 2) >>> 0, 8 | types.mapKey[field.keyType], field.keyType);
             if (wireType === undefined) gen
-            ("types[%i].encode(%s[ks[i]],w.uint32(18).fork()).ldelim().ldelim()", index, ref); // can't be groups
+            ("types[%i].encode(%s[ks[i]],w.uint32(18).fork(),q+1).ldelim().ldelim()", index, ref); // can't be groups
             else gen
             (".uint32(%i).%s(%s[ks[i]]).ldelim()", 16 | wireType, type, ref);
             gen

src/enum.js

@@ -86,8 +86,8 @@ Enum.prototype._resolveFeatures = function _resolveFeatures(edition) {
     ReflectionObject.prototype._resolveFeatures.call(this, edition);
 
     Object.keys(this.values).forEach(key => {
-        var parentFeaturesCopy = Object.assign({}, this._features);
-        this._valuesFeatures[key] = Object.assign(parentFeaturesCopy, this.valuesOptions && this.valuesOptions[key] && this.valuesOptions[key].features);
+        var parentFeaturesCopy = util.merge({}, this._features);
+        this._valuesFeatures[key] = util.merge(parentFeaturesCopy, this.valuesOptions && this.valuesOptions[key] && this.valuesOptions[key].features || {});
     });
 
     return this;

src/namespace.js

@@ -337,6 +337,8 @@ Namespace.prototype.define = function define(path, json) {
         throw TypeError("illegal path");
     if (path && path.length && path[0] === "")
         throw Error("path must be relative");
+    if (path.length > util.recursionLimit)
+        throw Error("max depth exceeded");
 
     var ptr = this;
     while (path.length > 0) {

src/object.js

@@ -213,7 +213,7 @@ ReflectionObject.prototype._resolveFeatures = function _resolveFeatures(edition)
         throw new Error("Unknown edition for " + this.fullName);
     }
 
-    var protoFeatures = Object.assign(this.options ? Object.assign({},  this.options.features) : {},
+    var protoFeatures = util.merge({}, this.options && this.options.features,
         this._inferLegacyProtoFeatures(edition));
 
     if (this._edition) {
@@ -228,7 +228,7 @@ ReflectionObject.prototype._resolveFeatures = function _resolveFeatures(edition)
         } else {
             throw new Error("Unknown edition: " + edition);
         }
-        this._features = Object.assign(defaults, protoFeatures || {});
+        this._features = util.merge(defaults, protoFeatures);
         this._featuresResolved = true;
         return;
     }
@@ -237,13 +237,13 @@ ReflectionObject.prototype._resolveFeatures = function _resolveFeatures(edition)
     // special-case it
     /* istanbul ignore else */
     if (this.partOf instanceof OneOf) {
-        var lexicalParentFeaturesCopy = Object.assign({}, this.partOf._features);
-        this._features = Object.assign(lexicalParentFeaturesCopy, protoFeatures || {});
+        var lexicalParentFeaturesCopy = util.merge({}, this.partOf._features);
+        this._features = util.merge(lexicalParentFeaturesCopy, protoFeatures);
     } else if (this.declaringField) {
         // Skip feature resolution of sister fields.
     } else if (this.parent) {
-        var parentFeaturesCopy = Object.assign({}, this.parent._features);
-        this._features = Object.assign(parentFeaturesCopy, protoFeatures || {});
+        var parentFeaturesCopy = util.merge({}, this.parent._features);
+        this._features = util.merge(parentFeaturesCopy, protoFeatures);
     } else {
         throw new Error("Unable to find a parent for " + this.fullName);
     }