

fix(security): Remove PureFunctionSerializer
Remove PureFunctionSerializer, which was the source of a security issue: it would allow a client to inject code into the server.

https://huntr.dev/bounties/63f1ff91-48f3-4886-a179-103f1ddd8ff8/
mhevery committed Mar 3, 2023
1 parent 1cd2bd6 commit 4d9ba6e
Showing 1 changed file with 14 additions and 29 deletions.
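--- a/packages/qwik/src/core/container/serializers.ts
+++ b/packages/qwik/src/core/container/serializers.ts
@@ -226,20 +226,6 @@ const ComponentSerializer: Serializer<Component<any>> = {
 },
 };
 
-const PureFunctionSerializer: Serializer<Function> = {
-prefix: '\u0011',
-test: (obj) => typeof obj === 'function' && obj.__qwik_serializable__ !== undefined,
-serialize: (obj) => {
-return obj.toString();
-},
-prepare: (data) => {
-const fn = new Function('return ' + data)();
-fn.__qwik_serializable__ = true;
-return fn;
-},
-fill: undefined,
-};
-
 const SignalSerializer: Serializer<SignalImpl<any>> = {
 prefix: '\u0012',
 test: (v) => v instanceof SignalImpl,
@@ -335,21 +321,20 @@ const FormDataSerializer: Serializer<FormData> = {
 };
 
 const serializers: Serializer<any>[] = [
-QRLSerializer,
-SignalSerializer,
-SignalWrapperSerializer,
-WatchSerializer,
-ResourceSerializer,
-URLSerializer,
-DateSerializer,
-RegexSerializer,
-ErrorSerializer,
-DocumentSerializer,
-ComponentSerializer,
-PureFunctionSerializer,
-NoFiniteNumberSerializer,
-URLSearchParamsSerializer,
-FormDataSerializer,
+QRLSerializer, ////////////// \u0002
+SignalSerializer, /////////// \u0012
+SignalWrapperSerializer, //// \u0013
+WatchSerializer, //////////// \u0003
+ResourceSerializer, ///////// \u0004
+URLSerializer, ////////////// \u0005
+DateSerializer, ///////////// \u0006
+RegexSerializer, //////////// \u0007
+ErrorSerializer, //////////// \u000E
+DocumentSerializer, ///////// \u000F
+ComponentSerializer, //////// \u0010
+NoFiniteNumberSerializer, /// \u0014
+URLSearchParamsSerializer, // \u0015
+FormDataSerializer, ///////// \u0016
 ];
 
 const collectorSerializers = /*#__PURE__*/ serializers.filter((a) => a.collect);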
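Review bot: The rebuilt `serializers` list in the second hunk leaves the `\u0011` prefix unassigned with nothing recording why, so a later serializer could reuse the code point and a state blob from an older build (or a crafted one) still carrying `\u0011` would be handled by whatever the dispatch does with an unknown prefix — that dispatch is outside this diff, so please confirm it rejects unknown prefixes rather than falling through. I would add above the list: `// \u0011 is retired: it was PureFunctionSerializer, which rebuilt functions from client data with new Function() (code injection). Do not reuse this prefix.` It is also worth grepping the package for `__qwik_serializable__`, since nothing in this file reads that marker any more and any remaining setter is dead code that suggests functions are still expected to round-trip. As a point of style, the run-length `////` comments encoding the prefix byte are fragile to edit; a fixed-width alignment, or a test asserting prefixes are unique, would carry the same information more robustly.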

