js-yaml - npm Package Compare versions

Comparing version 2.0.4 to 2.0.5

examples/sample_document.js

@@ -11,3 +11,3 @@ 'use strict';
 try {
-  var doc = require(__dirname + '/single.yml');
+  var doc = require(__dirname + '/sample_document.yaml');
   console.log(inspect(doc, false, 10, true));
@@ -14,0 +14,0 @@ } catch (e) {

HISTORY.md

@@ -0,1 +1,8 @@
+2.0.5 / 2013-04-26
+------------------
+
+* Close security issue in !!js/function constructor.
+  Big thanks to @nealpoole for security audit.
+
+
 2.0.4 / 2013-04-08
@@ -2,0 +9,0 @@ ------------------

lib/js-yaml/type/js/function.js

 'use strict';
 
 
+var esprima = require('esprima');
+
+
 var NIL  = require('../../common').NIL;
@@ -10,8 +13,26 @@ var Type = require('../../type');
   /*jslint evil:true*/
-  var func;
 
   try {
-    func = new Function('return ' + object);
-    return func();
-  } catch (error) {
+    var source = '(' + object + ')',
+        ast    = esprima.parse(source, { range: true }),
+        params = [],
+        body;
+
+    if ('Program'             !== ast.type         ||
+        1                     !== ast.body.length  ||
+        'ExpressionStatement' !== ast.body[0].type ||
+        'FunctionExpression'  !== ast.body[0].expression.type) {
+      return NIL;
+    }
+
+    ast.body[0].expression.params.forEach(function (param) {
+      params.push(param.name);
+    });
+
+    body = ast.body[0].expression.body.range;
+
+    // Esprima's ranges include the first '{' and the last '}' characters on
+    // function expressions. So cut them out.
+    return new Function(params, source.slice(body[0]+1, body[1]-1));
+  } catch (err) {
     return NIL;
@@ -18,0 +39,0 @@ }

package.json

 {
   "name"            : "js-yaml",
-  "version"         : "2.0.4",
+  "version"         : "2.0.5",
   "description"     : "YAML 1.2 parser and serializer",
@@ -35,5 +35,6 @@ "keywords"        : ["yaml", "parser", "serializer", "pyyaml"],
 
-  "dependencies"    : { "argparse": "~ 0.1.11" },
+  "dependencies"    : { "argparse": "~ 0.1.11",
+                        "esprima":  "~ 1.0.2" },
   "devDependencies" : { "mocha": "*" },
   "engines"         : { "node": ">= 0.6.0" }
 }

New alerts

Uses eval

Supply chain risk

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Fixed alerts

Uses eval

Supply chain risk

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

109628

increased by0.81%

Lines of code

2770

increased by0.54%

Worsened metrics

Dependency count

2

increased by100%

Dependency changes

• + Addedesprima@~ 1.0.2

• + Addedesprima@1.0.4(transitive)