From 1b967e3405be087681718391857719d2d7f1bcd5 Mon Sep 17 00:00:00 2001
From: Giacomo Rebonato
Date: Tue, 30 May 2023 18:53:02 +0200
Subject: [PATCH] fix: Updates fast-xml-parser to address "Prototype Pollution" vulnerability (#4477)

* Updates fast-xml-parser
* rename function
---
 libraries/adaptive-expressions/package.json | 2 +-
 .../src/builtinFunctions/xml.ts | 6 +++---
 yarn.lock | 16 ++++++++++++----
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/libraries/adaptive-expressions/package.json b/libraries/adaptive-expressions/package.json
index 9ebd66b292..47073a26c0 100644
--- a/libraries/adaptive-expressions/package.json
+++ b/libraries/adaptive-expressions/package.json
@@ -36,7 +36,7 @@
 "lodash.isequal": "^4.5.0",
 "lru-cache": "^5.1.1",
 "uuid": "^8.3.2",
-"fast-xml-parser": "^3.19.0",
+"fast-xml-parser": "^4.1.2",
 "@xmldom/xmldom": "^0.8.6",
 "xpath": "^0.0.32"
 },
diff --git a/libraries/adaptive-expressions/src/builtinFunctions/xml.ts b/libraries/adaptive-expressions/src/builtinFunctions/xml.ts
index 0834b685ed..6a0d8d443a 100644
--- a/libraries/adaptive-expressions/src/builtinFunctions/xml.ts
+++ b/libraries/adaptive-expressions/src/builtinFunctions/xml.ts
@@ -6,11 +6,11 @@
 * Licensed under the MIT License.
 */
 
+import { XMLBuilder } from 'fast-xml-parser';
 import { EvaluateExpressionDelegate, ExpressionEvaluator } from '../expressionEvaluator';
 import { ExpressionType } from '../expressionType';
 import { FunctionUtils } from '../functionUtils';
 import { ReturnType } from '../returnType';
-import { j2xParser } from 'fast-xml-parser';
 /**
 * Return the newline string according to the environment.
 */
@@ -38,11 +38,11 @@ export class XML extends ExpressionEvaluator {
 } else if (typeof args[0] === 'object') {
 obj = args[0];
 }
-const parser = new j2xParser({
+const parser = new XMLBuilder({
 indentBy: ' ',
 format: true,
 });
-result = `\n${parser.parse(obj)}`.trim();
+result = `\n${parser.build(obj)}`.trim();
 } catch {
 error = `${args[0]} is not a valid json`;
 }
diff --git a/yarn.lock b/yarn.lock
index 834b840423..81fe9c7b78 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5771,10 +5771,12 @@ fast-safe-stringify@^2.0.7:
 resolved "https://registry.yarnpkg.com/fast-safe-stringify/-/fast-safe-stringify-2.0.7.tgz#124aa885899261f68aedb42a7c080de9da608743"
 integrity sha512-Utm6CdzT+6xsDk2m8S6uL8VHxNwI6Jub+e9NYTcAms28T84pTa25GJQV9j0CY0N1rM8hK4x6grpF2BQf+2qwVA==
 
-fast-xml-parser@^3.19.0:
- version "3.19.0"
- resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-3.19.0.tgz#cb637ec3f3999f51406dd8ff0e6fc4d83e520d01"
- integrity sha512-4pXwmBplsCPv8FOY1WRakF970TjNGnGnfbOnLqjlYvMiF1SR3yOHyxMR/YCXpPTOspNF5gwudqktIP4VsWkvBg==
+fast-xml-parser@^4.1.2:
+ version "4.2.2"
+ resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.2.2.tgz#cb7310d1e9cf42d22c687b0fae41f3c926629368"
+ integrity sha512-DLzIPtQqmvmdq3VUKR7T6omPK/VCRNqgFlGtbESfyhcH2R4I8EzK1/K6E8PkRCK2EabWrUHK32NjYRbEFnnz0Q==
+ dependencies:
+ strnum "^1.0.5"
 
 fastq@^1.6.0:
 version "1.9.0"
@@ -8785,6 +8787,7 @@ minipass-fetch@^1.3.2:
 resolved "https://registry.yarnpkg.com/minipass-fetch/-/minipass-fetch-1.3.3.tgz#34c7cea038c817a8658461bf35174551dce17a0a"
 integrity sha512-akCrLDWfbdAWkMLBxJEeWTdNsjML+dt5YgOI4gJ53vuO0vrmYQkUPxa6j6V65s9CcePIr2SSWqjT2EcrNseryQ==
 dependencies:
+ encoding "^0.1.12"
 minipass "^3.1.0"
 minipass-sized "^1.0.3"
 minizlib "^2.0.0"
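Review bot: The `new XMLBuilder({...})` in this hunk carries over only `indentBy` and `format` from the old `j2xParser` call, so every other builder option now takes the v4 default; v3 and v4 are different APIs whose option names and, as far as I recall, text-value entity encoding differ, so the output should be pinned by a test that builds an object whose values contain `<` and `&` rather than assumed unchanged. The bare `catch` on the context line after `parser.build(obj)` still reports `${args[0]} is not a valid json` for any failure, including one raised by `build` on an object that was parsed fine; a comment such as `// NOTE: build() failures are also reported as "not a valid json"` would make that intentional, or the message could be widened. Since this call site only builds XML from an already-parsed object, the advisory named in the title appears to be closed by the dependency bump alone, which is worth a sentence in the description so nobody looks for a code-level fix here. The enclosing `try` and evaluator method begin outside the hunk.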
@@ -12094,6 +12097,11 @@ strip-outer@^1.0.1:
 dependencies:
 escape-string-regexp "^1.0.2"
 
+strnum@^1.0.5:
+ version "1.0.5"
+ resolved "https://registry.yarnpkg.com/strnum/-/strnum-1.0.5.tgz#5c4e829fe15ad4ff0d20c3db5ac97b73c9b072db"
+ integrity sha512-J8bbNyKKXl5qYcR36TIO8W3mVGVHrmmxsd5PAItGkmyzwJvybiw2IVq5nqd0i4LSNSkB/sx9VHllbfFdr9k1JA==
+
 subarg@^1.0.0:
 version "1.0.0"
 resolved "https://registry.yarnpkg.com/subarg/-/subarg-1.0.0.tgz#f62cf17581e996b48fc965699f54c06ae268b8d2"