From 0841bd562351c3d45a5288e2adf9707cc8a3131d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Jan 2023 07:23:55 +0100 Subject: [PATCH 1/8] chore: bump ua-parser-js from 1.0.32 to 1.0.33 (#121) Bumps [ua-parser-js](https://github.com/faisalman/ua-parser-js) from 1.0.32 to 1.0.33. - [Release notes](https://github.com/faisalman/ua-parser-js/releases) - [Changelog](https://github.com/faisalman/ua-parser-js/blob/master/changelog.md) - [Commits](https://github.com/faisalman/ua-parser-js/compare/1.0.32...1.0.33) --- updated-dependencies: - dependency-name: ua-parser-js dependency-type: indirect ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/package-lock.json b/package-lock.json index 85630e9..b6dd966 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "socket.io-parser", - "version": "4.2.1", + "version": "4.2.2", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "socket.io-parser", - "version": "4.2.1", + "version": "4.2.2", "license": "MIT", "dependencies": { "@socket.io/component-emitter": "~3.1.0", @@ -7251,9 +7251,9 @@ } }, "node_modules/ua-parser-js": { - "version": "1.0.32", - "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.32.tgz", - "integrity": "sha512-dXVsz3M4j+5tTiovFVyVqssXBu5HM47//YSOeZ9fQkdDKkfzv2v3PP1jmH6FUyPW+yCSn7aBVK1fGGKNhowdDA==", + "version": "1.0.33", + "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.33.tgz", + "integrity": "sha512-RqshF7TPTE0XLYAqmjlu5cLLuGdKrNu9O1KLA/qp39QtbZwuzwv1dT46DZSopoUMsYgXpB3Cv8a03FI8b74oFQ==", "dev": true, "funding": [ { 
@@ -13832,9 +13832,9 @@ "dev": true }, "ua-parser-js": { - "version": "1.0.32", - "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.32.tgz", - "integrity": "sha512-dXVsz3M4j+5tTiovFVyVqssXBu5HM47//YSOeZ9fQkdDKkfzv2v3PP1jmH6FUyPW+yCSn7aBVK1fGGKNhowdDA==", + "version": "1.0.33", + "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.33.tgz", + "integrity": "sha512-RqshF7TPTE0XLYAqmjlu5cLLuGdKrNu9O1KLA/qp39QtbZwuzwv1dT46DZSopoUMsYgXpB3Cv8a03FI8b74oFQ==", "dev": true }, "unbzip2-stream": { From 3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3 Mon Sep 17 00:00:00 2001 From: Damien Arrachequesne Date: Mon, 22 May 2023 07:37:31 +0200 Subject: [PATCH 2/8] fix: check the format of the event name A packet like '2[{"toString":"foo"}]' was decoded as: { type: EVENT, data: [ { "toString": "foo" } ] } Which would then throw an error when passed to the EventEmitter class: > TypeError: Cannot convert object to primitive value > at Socket.emit (node:events:507:25) > at .../node_modules/socket.io/lib/socket.js:531:14 History of the isPayloadValid() method: - added in [78f9fc2](https://github.com/socketio/socket.io-parser/commit/78f9fc2999b15804b02f2c22a2b4007734a26af9) (v4.0.1, socket.io@3.0.0) - updated in [1c220dd](https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9) (v4.0.4, socket.io@3.1.0) --- lib/index.ts | 5 ++++- test/parser.js | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/index.ts b/lib/index.ts index 6b77094..4319d2c 100644 --- a/lib/index.ts +++ b/lib/index.ts 
@@ -275,7 +275,10 @@ export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> { return typeof payload === "string" || typeof payload === "object"; case PacketType.EVENT: case PacketType.BINARY_EVENT: - return Array.isArray(payload) && payload.length > 0; + return ( + Array.isArray(payload) && + (typeof payload[0] === "string" || typeof payload[0] === "number") + ); case PacketType.ACK: case PacketType.BINARY_ACK: return Array.isArray(payload); diff --git a/test/parser.js b/test/parser.js index 1b99166..c78e675 100644 --- a/test/parser.js +++ b/test/parser.js @@ -118,6 +118,9 @@ describe("socket.io-parser", () => { isInvalidPayload("1/admin,{}"); isInvalidPayload('2/admin,"invalid'); isInvalidPayload("2/admin,{}"); + isInvalidPayload('2[{"toString":"foo"}]'); + isInvalidPayload('2[true,"foo"]'); + isInvalidPayload('2[null,"bar"]'); expect(() => new Decoder().add("999")).to.throwException( /^unknown packet type 9$/ From dcc70d9678ac896de08294d6e8d668be6a68680a Mon Sep 17 00:00:00 2001 From: Damien Arrachequesne Date: Mon, 22 May 2023 08:19:57 +0200 Subject: [PATCH 3/8] refactor: export typescript declarations for the commonjs build Related: https://github.com/socketio/socket.io/issues/4621#issuecomment-1551853243 --- tsconfig.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tsconfig.json b/tsconfig.json index f033355..b9e4980 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -3,7 +3,7 @@ "outDir": "build/cjs/", "target": "es2018", // Node.js 10 (https://github.com/microsoft/TypeScript/wiki/Node-Target-Mapping) "module": "commonjs", - "declaration": false + "declaration": true }, "include": [ "./lib/**/*" From b6c824f82421aa44dfd5ef395f5132866543de59 Mon Sep 17 00:00:00 2001 
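Review bot: The new condition in the `lib/index.ts` hunk carries no comment saying why a non-primitive first element is rejected, so the next reader will see an arbitrary "string or number" rule; the reason given in the commit message (the event name is later handed to `EventEmitter.emit()`, which throws "Cannot convert object to primitive value" on an object whose `toString` is not callable) belongs in the code. Suggested line above `return (`: `// payload[0] is the event name and is later passed to EventEmitter.emit(), which coerces it to a primitive; only accept primitives so a crafted object cannot make that coercion throw`. The comment should also record that the dropped `payload.length > 0` guard is still covered, since an empty array yields `payload[0] === undefined`, which fails both `typeof` tests, so nobody re-adds the length check. `isPayloadValid` starts and ends outside this hunk.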
From: Damien Arrachequesne Date: Mon, 22 May 2023 08:23:45 +0200 Subject: [PATCH 4/8] chore(release): 4.2.3 Diff: https://github.com/socketio/socket.io-parser/compare/4.2.2...4.2.3 --- CHANGELOG.md | 10 ++++++++++ package.json | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cfb5b91..4058886 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## 2023 +- [4.2.3](#423-2023-05-22) (May 2023) - [4.2.2](#422-2023-01-19) (Jan 2023) ## 2022 @@ -41,6 +42,15 @@ # Release notes +## [4.2.3](https://github.com/socketio/socket.io-parser/compare/4.2.2...4.2.3) (2023-05-22) + + +### Bug Fixes + +* check the format of the event name ([9be1167](https://github.com/socketio/socket.io-parser/commit/9be11670dfef7745cef9f17e28ebd2f4fc522e9e)) + + + ## [4.2.2](https://github.com/socketio/socket.io-parser/compare/4.2.1...4.2.2) (2023-01-19) diff --git a/package.json b/package.json index d672f88..0f375d5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "socket.io-parser", - "version": "4.2.2", + "version": "4.2.3", "description": "socket.io protocol parser", "repository": { "type": "git", From 6a5a004d1e1fd7b7250fdc6fb148e0d9015f8368 Mon Sep 17 00:00:00 2001 From: Damien Arrachequesne Date: Mon, 22 May 2023 10:06:05 +0200 Subject: [PATCH 5/8] docs(changelog): include changelog for release 3.4.3 --- CHANGELOG.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4058886..a558066 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## 2023 +- [3.4.3](#343-2023-05-22) (May 2023) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch) - [4.2.3](#423-2023-05-22) (May 2023) - [4.2.2](#422-2023-01-19) (Jan 2023) 
@@ -42,12 +43,21 @@ # Release notes +## [3.4.3](https://github.com/socketio/socket.io-parser/compare/3.4.2...3.4.3) (2023-05-22) + + +### Bug Fixes + +* check the format of the event name ([2dc3c92](https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced)) + + + ## [4.2.3](https://github.com/socketio/socket.io-parser/compare/4.2.2...4.2.3) (2023-05-22) ### Bug Fixes -* check the format of the event name ([9be1167](https://github.com/socketio/socket.io-parser/commit/9be11670dfef7745cef9f17e28ebd2f4fc522e9e)) +* check the format of the event name ([3b78117](https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3)) From d9db4737a3c8ce5f1f49ecc8d928a74f3da591f7 Mon Sep 17 00:00:00 2001 From: Damien Arrachequesne Date: Wed, 31 May 2023 08:18:48 +0200 Subject: [PATCH 6/8] fix: ensure reserved events cannot be used as event names --- lib/index.ts | 16 +++++++++++++++- test/parser.js | 2 ++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/lib/index.ts b/lib/index.ts index 4319d2c..d858915 100644 --- a/lib/index.ts +++ b/lib/index.ts @@ -5,6 +5,18 @@ import debugModule from "debug"; // debug() const debug = debugModule("socket.io-parser"); // debug() +/** + * These strings must not be used as event names, as they have a special meaning. + */ +const RESERVED_EVENTS = [ + "connect", // used on the client side + "connect_error", // used on the client side + "disconnect", // used on both sides + "disconnecting", // used on the server side + "newListener", // used by the Node.js EventEmitter + "removeListener", // used by the Node.js EventEmitter +]; + /** * Protocol version. * 
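Review bot: `RESERVED_EVENTS` in the `lib/index.ts` hunk is a mutable array that the following hunk (`@@ -277,7 +289,9 @@`) searches with `indexOf(...) === -1`; since this list is now a validation boundary, a `Set` reads more clearly and cannot be appended to by accident. Suggested change: `const RESERVED_EVENTS: ReadonlySet<string> = new Set([` … `]);` and, in `isPayloadValid`, `!RESERVED_EVENTS.has(payload[0])`. `Set` is available at the `es2018` target shown in the tsconfig hunk of patch 3. The doc comment could also state that the check is exact and case-sensitive, so a reviewer knows that is the intended contract rather than an oversight.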
@@ -277,7 +289,9 @@ export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> { case PacketType.BINARY_EVENT: return ( Array.isArray(payload) && - (typeof payload[0] === "string" || typeof payload[0] === "number") + (typeof payload[0] === "number" || + (typeof payload[0] === "string" && + RESERVED_EVENTS.indexOf(payload[0]) === -1)) ); case PacketType.ACK: case PacketType.BINARY_ACK: diff --git a/test/parser.js b/test/parser.js index c78e675..915e746 100644 --- a/test/parser.js +++ b/test/parser.js @@ -121,6 +121,8 @@ describe("socket.io-parser", () => { isInvalidPayload('2[{"toString":"foo"}]'); isInvalidPayload('2[true,"foo"]'); isInvalidPayload('2[null,"bar"]'); + isInvalidPayload('2["connect"]'); + isInvalidPayload('2["disconnect","123"]'); expect(() => new Decoder().add("999")).to.throwException( /^unknown packet type 9$/ From b0e6400c93b5c4aa25e6a629d6448b8627275213 Mon Sep 17 00:00:00 2001 From: Damien Arrachequesne Date: Wed, 31 May 2023 10:38:31 +0200 Subject: [PATCH 7/8] fix: properly detect plain objects The typeof check was not sufficient, as it also matches arrays and nulls. --- lib/index.ts | 9 +++++++-- test/parser.js | 1 + 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/lib/index.ts b/lib/index.ts index d858915..2cea37e 100644 --- a/lib/index.ts +++ b/lib/index.ts @@ -131,6 +131,11 @@ export class Encoder { } } +// see https://stackoverflow.com/questions/8511281/check-if-a-value-is-an-object-in-javascript +function isObject(value: any): boolean { + return Object.prototype.toString.call(value) === "[object Object]"; +} + interface DecoderReservedEvents { decoded: (packet: Packet) => void; } 
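Review bot: The new `isObject` helper in the `lib/index.ts` hunk of patch 7 is documented only by a Stack Overflow link; the code should say what it excludes and why the previous `typeof` test was replaced. Suggested comment in place of the link: `// true only for plain objects: null and arrays also satisfy typeof === "object", but their tags are [object Null] / [object Array]`. Note that `Object.prototype.toString` honours `Symbol.toStringTag`, so this is a reliable plain-object test for values produced by `JSON.parse` (which cannot carry symbol keys) but not a general guarantee for arbitrary runtime values; if the decoder's payloads always come from `JSON.parse` (not visible in this hunk), a second comment line stating that assumption would keep the helper from being reused elsewhere with different expectations.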
@@ -280,11 +285,11 @@ export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> { private static isPayloadValid(type: PacketType, payload: any): boolean { switch (type) { case PacketType.CONNECT: - return typeof payload === "object"; + return isObject(payload); case PacketType.DISCONNECT: return payload === undefined; case PacketType.CONNECT_ERROR: - return typeof payload === "string" || typeof payload === "object"; + return typeof payload === "string" || isObject(payload); case PacketType.EVENT: case PacketType.BINARY_EVENT: return ( diff --git a/test/parser.js b/test/parser.js index 915e746..46a6e1b 100644 --- a/test/parser.js +++ b/test/parser.js @@ -115,6 +115,7 @@ describe("socket.io-parser", () => { isInvalidPayload('442["some","data"'); isInvalidPayload('0/admin,"invalid"'); + isInvalidPayload("0[]"); isInvalidPayload("1/admin,{}"); isInvalidPayload('2/admin,"invalid'); isInvalidPayload("2/admin,{}"); From 164ba2a11edc34c2f363401e9768f9a8541a8b89 Mon Sep 17 00:00:00 2001 From: Damien Arrachequesne Date: Wed, 31 May 2023 10:56:08 +0200 Subject: [PATCH 8/8] chore(release): 4.2.4 Diff: https://github.com/socketio/socket.io-parser/compare/4.2.3...4.2.4 --- CHANGELOG.md | 11 +++++++++++ package.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a558066..59a8ab8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## 2023 +- [4.2.4](#424-2023-05-31) (May 2023) - [3.4.3](#343-2023-05-22) (May 2023) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch) - [4.2.3](#423-2023-05-22) (May 2023) - [4.2.2](#422-2023-01-19) (Jan 2023) 
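Review bot: `isPayloadValid` in the `lib/index.ts` hunk still has no doc comment although its signature is visible here and it is now the single place where every packet type's payload shape is enforced. Suggested JSDoc above `private static isPayloadValid`: `/** Returns false for a payload whose shape does not match the packet type (e.g. CONNECT and CONNECT_ERROR now require a plain object, not null or an array), so the decoder can reject it before it reaches any listener. */`. The `test/parser.js` hunk adds `"0[]"` for the array case; if the decoder parses the remainder of the string with `JSON.parse` (not shown in this hunk), adding `isInvalidPayload("0null");` would pin the null case that `isObject` was also introduced to reject. The method body continues past the end of the hunk.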
@@ -43,6 +44,16 @@ # Release notes +## [4.2.4](https://github.com/socketio/socket.io-parser/compare/4.2.3...4.2.4) (2023-05-31) + + +### Bug Fixes + +* ensure reserved events cannot be used as event names ([d9db473](https://github.com/socketio/socket.io-parser/commit/d9db4737a3c8ce5f1f49ecc8d928a74f3da591f7)) +* properly detect plain objects ([b0e6400](https://github.com/socketio/socket.io-parser/commit/b0e6400c93b5c4aa25e6a629d6448b8627275213)) + + + ## [3.4.3](https://github.com/socketio/socket.io-parser/compare/3.4.2...3.4.3) (2023-05-22) diff --git a/package.json b/package.json index 0f375d5..478c8fe 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "socket.io-parser", - "version": "4.2.3", + "version": "4.2.4", "description": "socket.io protocol parser", "repository": { "type": "git",