fix: Updates fast-xml-parser to address "Prototype Pollution" vulnera…

…bility (#4477) * Updates fast-xml-parser * rename function
microsoft · May 30, 2023 · 1b967e3 · 1b967e3
1 parent da25217
commit 1b967e3
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/libraries/adaptive-expressions/package.json b/libraries/adaptive-expressions/package.json
@@ -36,7 +36,7 @@
     "lodash.isequal": "^4.5.0",
     "lru-cache": "^5.1.1",
     "uuid": "^8.3.2",
-    "fast-xml-parser": "^3.19.0",
+    "fast-xml-parser": "^4.1.2",
     "@xmldom/xmldom": "^0.8.6",
     "xpath": "^0.0.32"
   },

diff --git a/libraries/adaptive-expressions/src/builtinFunctions/xml.ts b/libraries/adaptive-expressions/src/builtinFunctions/xml.ts
@@ -6,11 +6,11 @@
  * Licensed under the MIT License.
  */
 
+import { XMLBuilder } from 'fast-xml-parser';
 import { EvaluateExpressionDelegate, ExpressionEvaluator } from '../expressionEvaluator';
 import { ExpressionType } from '../expressionType';
 import { FunctionUtils } from '../functionUtils';
 import { ReturnType } from '../returnType';
-import { j2xParser } from 'fast-xml-parser';
 /**
  * Return the newline string according to the environment.
  */
@@ -38,11 +38,11 @@ export class XML extends ExpressionEvaluator {
             } else if (typeof args[0] === 'object') {
                 obj = args[0];
             }
-            const parser = new j2xParser({
+            const parser = new XMLBuilder({
                 indentBy: '  ',
                 format: true,
             });
-            result = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n${parser.parse(obj)}`.trim();
+            result = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n${parser.build(obj)}`.trim();
         } catch {
             error = `${args[0]} is not a valid json`;
         }

diff --git a/yarn.lock b/yarn.lock
@@ -5771,10 +5771,12 @@ fast-safe-stringify@^2.0.7:
   resolved "https://registry.yarnpkg.com/fast-safe-stringify/-/fast-safe-stringify-2.0.7.tgz#124aa885899261f68aedb42a7c080de9da608743"
   integrity sha512-Utm6CdzT+6xsDk2m8S6uL8VHxNwI6Jub+e9NYTcAms28T84pTa25GJQV9j0CY0N1rM8hK4x6grpF2BQf+2qwVA==
 
-fast-xml-parser@^3.19.0:
-  version "3.19.0"
-  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-3.19.0.tgz#cb637ec3f3999f51406dd8ff0e6fc4d83e520d01"
-  integrity sha512-4pXwmBplsCPv8FOY1WRakF970TjNGnGnfbOnLqjlYvMiF1SR3yOHyxMR/YCXpPTOspNF5gwudqktIP4VsWkvBg==
+fast-xml-parser@^4.1.2:
+  version "4.2.2"
+  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.2.2.tgz#cb7310d1e9cf42d22c687b0fae41f3c926629368"
+  integrity sha512-DLzIPtQqmvmdq3VUKR7T6omPK/VCRNqgFlGtbESfyhcH2R4I8EzK1/K6E8PkRCK2EabWrUHK32NjYRbEFnnz0Q==
+  dependencies:
+    strnum "^1.0.5"
 
 fastq@^1.6.0:
   version "1.9.0"
@@ -8785,6 +8787,7 @@ minipass-fetch@^1.3.2:
   resolved "https://registry.yarnpkg.com/minipass-fetch/-/minipass-fetch-1.3.3.tgz#34c7cea038c817a8658461bf35174551dce17a0a"
   integrity sha512-akCrLDWfbdAWkMLBxJEeWTdNsjML+dt5YgOI4gJ53vuO0vrmYQkUPxa6j6V65s9CcePIr2SSWqjT2EcrNseryQ==
   dependencies:
+    encoding "^0.1.12"
     minipass "^3.1.0"
     minipass-sized "^1.0.3"
     minizlib "^2.0.0"
@@ -12094,6 +12097,11 @@ strip-outer@^1.0.1:
   dependencies:
     escape-string-regexp "^1.0.2"
 
+strnum@^1.0.5:
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/strnum/-/strnum-1.0.5.tgz#5c4e829fe15ad4ff0d20c3db5ac97b73c9b072db"
+  integrity sha512-J8bbNyKKXl5qYcR36TIO8W3mVGVHrmmxsd5PAItGkmyzwJvybiw2IVq5nqd0i4LSNSkB/sx9VHllbfFdr9k1JA==
+
 subarg@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/subarg/-/subarg-1.0.0.tgz#f62cf17581e996b48fc965699f54c06ae268b8d2"