From 6a5a004d1e1fd7b7250fdc6fb148e0d9015f8368 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Mon, 22 May 2023 10:06:05 +0200
Subject: [PATCH 1/4] docs(changelog): include changelog for release 3.4.3
---
CHANGELOG.md | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4058886..a558066 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 ## 2023
+- [3.4.3](#343-2023-05-22) (May 2023) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch)
 - [4.2.3](#423-2023-05-22) (May 2023)
 - [4.2.2](#422-2023-01-19) (Jan 2023)
@@ -42,12 +43,21 @@
 # Release notes
+## [3.4.3](https://github.com/socketio/socket.io-parser/compare/3.4.2...3.4.3) (2023-05-22)
+
+
+### Bug Fixes
+
+* check the format of the event name ([2dc3c92](https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced))
+
+
+
 ## [4.2.3](https://github.com/socketio/socket.io-parser/compare/4.2.2...4.2.3) (2023-05-22)
 ### Bug Fixes
-* check the format of the event name ([9be1167](https://github.com/socketio/socket.io-parser/commit/9be11670dfef7745cef9f17e28ebd2f4fc522e9e))
+* check the format of the event name ([3b78117](https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3))
From d9db4737a3c8ce5f1f49ecc8d928a74f3da591f7 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Wed, 31 May 2023 08:18:48 +0200
Subject: [PATCH 2/4] fix: ensure reserved events cannot be used as event names
---
lib/index.ts | 16 +++++++++++++++-
test/parser.js | 2 ++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/index.ts b/lib/index.ts
index 4319d2c..d858915 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -5,6 +5,18 @@ import debugModule from "debug"; // debug()
 const debug = debugModule("socket.io-parser"); // debug()
+/**
+ * These strings must not be used as event names, as they have a special meaning.
+ */
+const RESERVED_EVENTS = [
+ "connect", // used on the client side
+ "connect_error", // used on the client side
+ "disconnect", // used on both sides
+ "disconnecting", // used on the server side
+ "newListener", // used by the Node.js EventEmitter
+ "removeListener", // used by the Node.js EventEmitter
+];
+
 /**
 * Protocol version.
 *
@@ -277,7 +289,9 @@ export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> {
 case PacketType.BINARY_EVENT:
 return (
 Array.isArray(payload) &&
- (typeof payload[0] === "string" || typeof payload[0] === "number")
+ (typeof payload[0] === "number" ||
+ (typeof payload[0] === "string" &&
+ RESERVED_EVENTS.indexOf(payload[0]) === -1))
 );
 case PacketType.ACK:
 case PacketType.BINARY_ACK:
diff --git a/test/parser.js b/test/parser.js
index c78e675..915e746 100644
--- a/test/parser.js
+++ b/test/parser.js
@@ -121,6 +121,8 @@ describe("socket.io-parser", () => {
 isInvalidPayload('2[{"toString":"foo"}]');
 isInvalidPayload('2[true,"foo"]');
 isInvalidPayload('2[null,"bar"]');
+ isInvalidPayload('2["connect"]');
+ isInvalidPayload('2["disconnect","123"]');
 expect(() => new Decoder().add("999")).to.throwException(
 /^unknown packet type 9$/
From b0e6400c93b5c4aa25e6a629d6448b8627275213 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Wed, 31 May 2023 10:38:31 +0200
Subject: [PATCH 3/4] fix: properly detect plain objects
The typeof check was not sufficient, as it also matches arrays and nulls.
---
lib/index.ts | 9 +++++++--
test/parser.js | 1 +
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/index.ts b/lib/index.ts
index d858915..2cea37e 100644
--- a/lib/index.ts
+++ b/lib/index.ts
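Review bot: `RESERVED_EVENTS` is declared as a plain mutable `string[]` although it is meant to be a fixed protocol constant; declaring it `as const` (or as a `ReadonlySet<string>` if the compile target allows `Set`) states that intent in the type and lets the membership test in the second hunk of this file read `!RESERVED_EVENTS.includes(payload[0])` or `!RESERVED_EVENTS.has(payload[0])` instead of `RESERVED_EVENTS.indexOf(payload[0]) === -1`. The per-entry comments say which side each name belongs to, which suggests the same list lives in the socket.io server and client packages; if so, a one-line comment such as `// Keep in sync with the reserved-event lists of socket.io and socket.io-client.` would help keep the decoder's deny-list from drifting from theirs. The `isPayloadValid` method that the second hunk edits starts outside the hunk.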
@@ -131,6 +131,11 @@ export class Encoder {
 }
 }
+// see https://stackoverflow.com/questions/8511281/check-if-a-value-is-an-object-in-javascript
+function isObject(value: any): boolean {
+ return Object.prototype.toString.call(value) === "[object Object]";
+}
+
 interface DecoderReservedEvents {
 decoded: (packet: Packet) => void;
 }
@@ -280,11 +285,11 @@ export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> {
 private static isPayloadValid(type: PacketType, payload: any): boolean {
 switch (type) {
 case PacketType.CONNECT:
- return typeof payload === "object";
+ return isObject(payload);
 case PacketType.DISCONNECT:
 return payload === undefined;
 case PacketType.CONNECT_ERROR:
- return typeof payload === "string" || typeof payload === "object";
+ return typeof payload === "string" || isObject(payload);
 case PacketType.EVENT:
 case PacketType.BINARY_EVENT:
 return (
diff --git a/test/parser.js b/test/parser.js
index 915e746..46a6e1b 100644
--- a/test/parser.js
+++ b/test/parser.js
@@ -115,6 +115,7 @@ describe("socket.io-parser", () => {
 isInvalidPayload('442["some","data"');
 isInvalidPayload('0/admin,"invalid"');
+ isInvalidPayload("0[]");
 isInvalidPayload("1/admin,{}");
 isInvalidPayload('2/admin,"invalid');
 isInvalidPayload("2/admin,{}");
From 164ba2a11edc34c2f363401e9768f9a8541a8b89 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Wed, 31 May 2023 10:56:08 +0200
Subject: [PATCH 4/4] chore(release): 4.2.4
Diff: https://github.com/socketio/socket.io-parser/compare/4.2.3...4.2.4
---
CHANGELOG.md | 11 +++++++++++
package.json | 2 +-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a558066..59a8ab8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 ## 2023
+- [4.2.4](#424-2023-05-31) (May 2023)
 - [3.4.3](#343-2023-05-22) (May 2023) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch)
 - [4.2.3](#423-2023-05-22) (May 2023)
 - [4.2.2](#422-2023-01-19) (Jan 2023)
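Review bot: `isObject` takes `value: any` although its body only hands the value to `Object.prototype.toString.call`, so `function isObject(value: unknown): boolean {` is the honest signature and avoids an `any` leaking into the new `isPayloadValid` call sites in the second hunk. The helper also deserves a contract comment rather than just a link, because the commit message ("matches arrays and nulls") is the only place that says what the old check got wrong: `/** True only for a plain object ({} or Object.create(null)); rejects null, arrays and primitives. */`. It is worth recording in that comment that the `[object Object]` tag can be spoofed by a value carrying a custom `Symbol.toStringTag`, and that this is acceptable here only as long as the payload reaching `isPayloadValid` comes from `JSON.parse`, which cannot produce symbols — that assumption is not visible in the hunk and should be confirmed against the decoder. `isPayloadValid`, edited by the second hunk, continues past the hunk's last line.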
@@ -43,6 +44,16 @@
 # Release notes
+## [4.2.4](https://github.com/socketio/socket.io-parser/compare/4.2.3...4.2.4) (2023-05-31)
+
+
+### Bug Fixes
+
+* ensure reserved events cannot be used as event names ([d9db473](https://github.com/socketio/socket.io-parser/commit/d9db4737a3c8ce5f1f49ecc8d928a74f3da591f7))
+* properly detect plain objects ([b0e6400](https://github.com/socketio/socket.io-parser/commit/b0e6400c93b5c4aa25e6a629d6448b8627275213))
+
+
+
 ## [3.4.3](https://github.com/socketio/socket.io-parser/compare/3.4.2...3.4.3) (2023-05-22)
diff --git a/package.json b/package.json
index 0f375d5..478c8fe 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "socket.io-parser",
- "version": "4.2.3",
+ "version": "4.2.4",
 "description": "socket.io protocol parser",
 "repository": {
 "type": "git",