test
test
{
+ const attr = {
+ "style": {
+ "color": "red",
+ "font-size": "14px"
+ }
+ } as Attributes;
+
+ const resultString = attributeToString(attr);
+
+ expect(resultString).toEqual(' style="color:red; font-size:14px; "');
+ done();
+ });
+ it('Should convert arrays into comma-separated values', done => {
+ const attr = {
+ "data-values": [10, 20, 30]
+ } as Attributes;
+
+ const resultString = attributeToString(attr);
+
+ expect(resultString).toEqual(' data-values="10, 20, 30"');
+ done();
+ });
+ it('Should handle special characters in values properly', done => {
+ const attr = {
+ "title": 'This & That > Those < Them "Quoted"',
+ "description": "Hello "
+ } as Attributes;
+
+ const resultString = attributeToString(attr);
+
+ expect(resultString).toEqual(' title="This & That > Those < Them "Quoted"" description="Hello <script>alert(xss)</script>"');
+ done();
+ });
+
+ it('Should handle mixed types of values properly', done => {
+ const attr = {
+ "rows": 5,
+ "isEnabled": true,
+ "ids": [101, 102],
+ "style": { "margin": "10px", "padding": "5px" }
+ } as Attributes;
+
+ const resultString = attributeToString(attr);
+
+ expect(resultString).toEqual(' rows="5" isEnabled="true" ids="101, 102" style="margin:10px; padding:5px; "');
+ done();
+ });
+ it('Should sanitize both keys and values to prevent HTML injection', done => {
+ const attr = {
+ "": "test",
+ "safeKey": ""
+ } as Attributes;
+
+ const resultString = attributeToString(attr);
+ expect(resultString).toEqual(' safeKey="<script>alert(xss)</script>"');
+ done();
+ });
})
\ No newline at end of file
diff --git a/src/Models/metadata-model.ts b/src/Models/metadata-model.ts
index 8d8a354..dd95c3b 100644
--- a/src/Models/metadata-model.ts
+++ b/src/Models/metadata-model.ts
@@ -1,5 +1,7 @@
import StyleType from '../embedded-types/style-type';
import TextNode from '../nodes/text-node';
+import { replaceHtmlEntities, forbiddenAttrChars } from '../helper/enumerate-entries';
+
export interface Metadata {
text: string;
attributes: Attributes;
@@ -58,30 +60,30 @@ export function attributeToString(attributes: Attributes): string {
let result = '';
for (const key in attributes) {
if (Object.prototype.hasOwnProperty.call(attributes, key)) {
- let element = attributes[key];
- if (element instanceof Array) {
- let elementString = '';
- let isFirst = true;
- element.forEach((value) => {
- if (isFirst) {
- elementString += `${value}`;
- isFirst = false;
- } else {
- elementString += `, ${value}`;
- }
- });
- element = elementString;
- } else if (typeof element === 'object') {
+ // Sanitize the key to prevent HTML injection
+ const sanitizedKey = replaceHtmlEntities(key);
+
+ // Skip keys that contain forbidden characters (even after sanitization)
+ if (forbiddenAttrChars.some(char => sanitizedKey.includes(char))) {
+ continue;
+ }
+ let value = attributes[key];
+ if (Array.isArray(value)) {
+ value = value.join(', ');
+ } else if (typeof value === 'object') {
let elementString = '';
- for (const elementKey in element) {
- if (Object.prototype.hasOwnProperty.call(element, elementKey)) {
- const value = element[elementKey];
- elementString += `${elementKey}:${value}; `;
+ for (const subKey in value) {
+ if (Object.prototype.hasOwnProperty.call(value, subKey)) {
+ const subValue = value[subKey];
+ if (subValue != null && subValue !== '') {
+ elementString += `${replaceHtmlEntities(subKey)}:${replaceHtmlEntities(String(subValue))}; `;
+ }
}
}
- element = elementString;
+ value = elementString;
}
- result += ` ${key}="${element}"`;
+ // Sanitize the value to prevent HTML injection
+ result += ` ${sanitizedKey}="${replaceHtmlEntities(String(value))}"`;
}
}
return result;
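Review bot: The forbidden-character check in the added loop tests `sanitizedKey` rather than the raw `key`. If `replaceHtmlEntities` rewrites `<`, `>` and `"` into entities (its body lives in src/helper/enumerate-entries.ts and is only partly legible on this page), those three entries of `forbiddenAttrChars` can never match, so a key containing them is emitted as an entity-laden attribute name instead of being skipped. Whitespace in a key is not rejected either, so a single key can still render as more than one attribute. Run the check on the raw key and reject whitespace as well: `if (/\s/.test(key) || forbiddenAttrChars.some(char => key.includes(char))) { continue; }`; an allow-list pattern for attribute names would be stricter still. The function's signature and closing brace are outside this hunk.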
diff --git a/src/helper/enumerate-entries.ts b/src/helper/enumerate-entries.ts
index c23e5b6..d76df3b 100644
--- a/src/helper/enumerate-entries.ts
+++ b/src/helper/enumerate-entries.ts
@@ -42,7 +42,7 @@ export function enumerateContents(
}
export function textNodeToHTML(node: TextNode, renderOption: RenderOption): string {
- let text = escapeHtml(node.text);
+ let text = replaceHtmlEntities(node.text);
if (node.classname || node.id) {
text = (renderOption[MarkType.CLASSNAME_OR_ID] as RenderMark)(text, node.classname, node.id);
}
@@ -159,9 +159,12 @@ function nodeToHTML(
}
}
-function escapeHtml(text: string): string {
+export function replaceHtmlEntities(text: string): string {
return text
.replace(/&/g, '&')
.replace(//g, '>')
-}
\ No newline at end of file
+ .replace(/"/g, '"')
+}
+
+export const forbiddenAttrChars = ['"', "'", '>','<', '/', '='];
\ No newline at end of file
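Review bot: `replaceHtmlEntities` is now exported and reused for attribute names and values, but as far as this hunk shows its replacements do not cover the single quote, and nothing documents which output contexts the helper is safe for. That is enough for the double-quoted attributes `attributeToString` builds, but not for a caller that later wraps a value in single quotes. Either add `.replace(/'/g, '&#39;')` to the chain or put a doc comment on the function stating it is meant only for element text and double-quoted attribute values. `forbiddenAttrChars` would also be safer declared `as const` or typed `readonly string[]`, so importers cannot mutate the shared list.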
From a87a6cf4a57d44183ab3412a95571442fc1ca4ce Mon Sep 17 00:00:00 2001
From: "harshitha.d"
Date: Wed, 19 Feb 2025 12:30:06 +0530
Subject: [PATCH 3/5] chore(version): update version to 1.3.19 and add
changelog entry for html injection fix
---
CHANGELOG.md | 5 +-
package-lock.json | 697 +++++++++++++++++++++++++++++--------
package.json | 6 +-
semgrep-native-report.json | 1 +
4 files changed, 556 insertions(+), 153 deletions(-)
create mode 100644 semgrep-native-report.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0449694..d90c527 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,9 @@
# Changelog
-## [1.3.18](https://github.com/contentstack/contentstack-utils-javascript/tree/v1.3.17) (2025-02-17)
+## [1.3.19](https://github.com/contentstack/contentstack-utils-javascript/tree/v1.3.19) (2025-02-24)
+ - Fix: Added fix for html injection in keys and values of attributes
+
+## [1.3.18](https://github.com/contentstack/contentstack-utils-javascript/tree/v1.3.18) (2025-02-17)
- Fix: Added fix for html injection
## [1.3.17](https://github.com/contentstack/contentstack-utils-javascript/tree/v1.3.17) (2025-02-11)
diff --git a/package-lock.json b/package-lock.json
index af29222..b345ab4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,19 +1,19 @@
{
"name": "@contentstack/utils",
- "version": "1.3.18",
+ "version": "1.3.19",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "@contentstack/utils",
- "version": "1.3.18",
+ "version": "1.3.19",
"license": "MIT",
"devDependencies": {
"@babel/preset-env": "^7.26.0",
"@commitlint/cli": "^17.8.1",
"@commitlint/config-conventional": "^17.8.1",
"@types/jest": "^26.0.24",
- "babel-core": "^6.26.3",
+ "babel-core": "^4.7.16",
"babel-jest": "^29.7.0",
"babel-loader": "8.4.1",
"babel-preset-es2015": "^6.24.1",
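Review bot: This lockfile hunk records `babel-core` moving from `^6.26.3` down to `^4.7.16`, and the next hunk moves `jest-coverage-badges` from `^1.1.2` down to `^1.0.0`; the commit subject (version bump and changelog entry) mentions neither. The later hunks show the consequence: the older babel-core pulls in packages the registry marks deprecated or unsupported, such as `acorn-babel`, `regenerator-babel`, `core-js` 0.6.1 and `glob` 5.0.15. These are dev dependencies, but they still execute in CI and on developer machines, so a downgrade to unmaintained code deserves its own commit with a stated reason. If the downgrade was not intended, restore `"babel-core": "^6.26.3"` and `"jest-coverage-badges": "^1.1.2"` in package.json and regenerate the lockfile.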
@@ -21,7 +21,7 @@
"eslint": "^8.57.1",
"husky": "^8.0.3",
"jest": "^29.7.0",
- "jest-coverage-badges": "^1.1.2",
+ "jest-coverage-badges": "^1.0.0",
"jest-environment-jsdom": "^29.7.0",
"jest-html-reporters": "^2.1.7",
"jest-junit": "^15.0.0",
@@ -3163,6 +3163,13 @@
"node": ">=0.4.0"
}
},
+ "node_modules/acorn-babel": {
+ "version": "0.11.1-38",
+ "resolved": "https://registry.npmjs.org/acorn-babel/-/acorn-babel-0.11.1-38.tgz",
+ "integrity": "sha512-lsXiveYSiYLMo9flCOZRtfW/txWHGLvrqvpQ/aVIHmwxSFXagy94crhyAmSJ1qttKmSuPU9SmmIFJqdbr3nS0Q==",
+ "deprecated": "Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.",
+ "dev": true
+ },
"node_modules/acorn-globals": {
"version": "7.0.1",
"resolved": "https://registry.npmjs.org/acorn-globals/-/acorn-globals-7.0.1.tgz",
@@ -3253,6 +3260,16 @@
"ajv": "^8.8.2"
}
},
+ "node_modules/amdefine": {
+ "version": "1.0.1",
+ "resolved": "https://registry.npmjs.org/amdefine/-/amdefine-1.0.1.tgz",
+ "integrity": "sha512-S2Hw0TtNkMJhIabBwIojKL9YHO5T0n5eNqWJ7Lrlel/zDbftQpxpapi8tZs3X1HWa+u+QeydGmzzNU0m09+Rcg==",
+ "dev": true,
+ "license": "BSD-3-Clause OR MIT",
+ "engines": {
+ "node": ">=0.4.2"
+ }
+ },
"node_modules/ansi-escapes": {
"version": "4.3.2",
"resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-4.3.2.tgz",
@@ -3335,6 +3352,16 @@
"node": ">=0.10.0"
}
},
+ "node_modules/ast-types": {
+ "version": "0.7.8",
+ "resolved": "https://registry.npmjs.org/ast-types/-/ast-types-0.7.8.tgz",
+ "integrity": "sha512-RIOpVnVlltB6PcBJ5BMLx+H+6JJ/zjDGU0t7f0L6c2M1dqcK92VQopLBlPQ9R80AVXelfqYgjcPLtHtDbNFg0Q==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">= 0.6"
+ }
+ },
"node_modules/async": {
"version": "3.2.6",
"resolved": "https://registry.npmjs.org/async/-/async-3.2.6.tgz",
@@ -3450,37 +3477,91 @@
}
},
"node_modules/babel-core": {
- "version": "6.26.3",
- "resolved": "https://registry.npmjs.org/babel-core/-/babel-core-6.26.3.tgz",
- "integrity": "sha512-6jyFLuDmeidKmUEb3NM+/yawG0M2bDZ9Z1qbZP59cyHLz8kYGKYwpJP0UwUKKUiTRNvxfLesJnTedqczP7cTDA==",
+ "version": "4.7.16",
+ "resolved": "https://registry.npmjs.org/babel-core/-/babel-core-4.7.16.tgz",
+ "integrity": "sha512-5hqGMIR3OyeSBCVHfgAG/4orbv83tDncIvQke7ZBYrJkVhydEraUNTgvj8r0cIDSJqIRJPFqp6DqGkyCi8Pwzg==",
+ "dev": true,
+ "dependencies": {
+ "acorn-babel": "0.11.1-38",
+ "ast-types": "~0.7.0",
+ "chalk": "^1.0.0",
+ "commander": "^2.6.0",
+ "convert-source-map": "^0.5.0",
+ "core-js": "^0.6.1",
+ "debug": "^2.1.1",
+ "detect-indent": "^3.0.0",
+ "estraverse": "^1.9.1",
+ "esutils": "^1.1.6",
+ "fs-readdir-recursive": "^0.1.0",
+ "globals": "^6.2.0",
+ "is-integer": "^1.0.4",
+ "js-tokens": "1.0.0",
+ "leven": "^1.0.1",
+ "line-numbers": "0.2.0",
+ "lodash": "^3.2.0",
+ "output-file-sync": "^1.1.0",
+ "path-is-absolute": "^1.0.0",
+ "private": "^0.1.6",
+ "regenerator-babel": "0.8.13-2",
+ "regexpu": "^1.1.2",
+ "repeating": "^1.1.2",
+ "shebang-regex": "^1.0.0",
+ "slash": "^1.0.0",
+ "source-map": "^0.4.0",
+ "source-map-support": "^0.2.9",
+ "to-fast-properties": "^1.0.0",
+ "trim-right": "^1.0.0"
+ }
+ },
+ "node_modules/babel-core/node_modules/ansi-regex": {
+ "version": "2.1.1",
+ "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
+ "integrity": "sha512-TIGnTpdo+E3+pCyAluZvtED5p5wCqLdezCyhPZzKPcxvFplEt4i+W7OONCKgeZFT3+y5NZZfOOS/Bdcanm1MYA==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/babel-core/node_modules/ansi-styles": {
+ "version": "2.2.1",
+ "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz",
+ "integrity": "sha512-kmCevFghRiWM7HB5zTPULl4r9bVFSWjz62MhqizDGUrq2NWuNMQyuv4tHHoKJHs69M/MF64lEcHdYIocrdWQYA==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/babel-core/node_modules/chalk": {
+ "version": "1.1.3",
+ "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.3.tgz",
+ "integrity": "sha512-U3lRVLMSlsCfjqYPbLyVv11M9CPW4I728d6TCKMAOJueEeB9/8o+eSsMnxPJD+Q+K909sdESg7C+tIkoH6on1A==",
"dev": true,
"license": "MIT",
"dependencies": {
- "babel-code-frame": "^6.26.0",
- "babel-generator": "^6.26.0",
- "babel-helpers": "^6.24.1",
- "babel-messages": "^6.23.0",
- "babel-register": "^6.26.0",
- "babel-runtime": "^6.26.0",
- "babel-template": "^6.26.0",
- "babel-traverse": "^6.26.0",
- "babel-types": "^6.26.0",
- "babylon": "^6.18.0",
- "convert-source-map": "^1.5.1",
- "debug": "^2.6.9",
- "json5": "^0.5.1",
- "lodash": "^4.17.4",
- "minimatch": "^3.0.4",
- "path-is-absolute": "^1.0.1",
- "private": "^0.1.8",
- "slash": "^1.0.0",
- "source-map": "^0.5.7"
+ "ansi-styles": "^2.2.1",
+ "escape-string-regexp": "^1.0.2",
+ "has-ansi": "^2.0.0",
+ "strip-ansi": "^3.0.0",
+ "supports-color": "^2.0.0"
+ },
+ "engines": {
+ "node": ">=0.10.0"
}
},
"node_modules/babel-core/node_modules/convert-source-map": {
- "version": "1.9.0",
- "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.9.0.tgz",
- "integrity": "sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A==",
+ "version": "0.5.1",
+ "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-0.5.1.tgz",
+ "integrity": "sha512-Iy5Wc88cL36uxzlUog0yy4LHumGb5NAyGxgXn2ec9YAcN5qka4wcOK7I5PRLBOarS8nmZd9WfvnLItF70QLtfQ==",
+ "dev": true,
+ "license": "MIT"
+ },
+ "node_modules/babel-core/node_modules/core-js": {
+ "version": "0.6.1",
+ "resolved": "https://registry.npmjs.org/core-js/-/core-js-0.6.1.tgz",
+ "integrity": "sha512-ANdRS9QdyvvVCqMD7gvDhgI5T+/t5FELQB1ZLN94oCDXTJLwt4Q1o6Nbc1wnVrhl6QPyJ5mv0k8hMCdAFLNbLg==",
+ "deprecated": "core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.",
"dev": true,
"license": "MIT"
},
@@ -3493,47 +3574,76 @@
"ms": "2.0.0"
}
},
- "node_modules/babel-core/node_modules/json5": {
- "version": "0.5.1",
- "resolved": "https://registry.npmjs.org/json5/-/json5-0.5.1.tgz",
- "integrity": "sha512-4xrs1aW+6N5DalkqSVA8fxh458CXvR99WU8WLKmq4v8eWAL86Xo3BVqyd3SkA9wEVjCMqyvvRRkshAdOnBp5rw==",
+ "node_modules/babel-core/node_modules/escape-string-regexp": {
+ "version": "1.0.5",
+ "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz",
+ "integrity": "sha512-vbRorB5FUQWvla16U8R/qgaFIya2qGzwDrNmCZuYKrbdSUMG6I1ZCGQRefkRVhuOkIGVne7BQ35DSfo1qvJqFg==",
"dev": true,
"license": "MIT",
- "bin": {
- "json5": "lib/cli.js"
+ "engines": {
+ "node": ">=0.8.0"
}
},
+ "node_modules/babel-core/node_modules/esutils": {
+ "version": "1.1.6",
+ "resolved": "https://registry.npmjs.org/esutils/-/esutils-1.1.6.tgz",
+ "integrity": "sha512-RG1ZkUT7iFJG9LSHr7KDuuMSlujfeTtMNIcInURxKAxhMtwQhI3NrQhz26gZQYlsYZQKzsnwtpKrFKj9K9Qu1A==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/babel-core/node_modules/globals": {
+ "version": "6.4.1",
+ "resolved": "https://registry.npmjs.org/globals/-/globals-6.4.1.tgz",
+ "integrity": "sha512-Lh7H0bYRNBMc2CapY+TYsCzcSM4HWHGFoQORuEcePk3y3IhpaZmFSJDirhNYSwq8QeHvaCqV/tHI2bdUhYryuw==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/babel-core/node_modules/js-tokens": {
+ "version": "1.0.0",
+ "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-1.0.0.tgz",
+ "integrity": "sha512-5CoKISU6nrMoXKNWUumMLSdO4N6GctX7Vfjlja801H14CxTeozlq0OC1tTJLCi6Nqjd3qXj7UAUzkgwH0+aezA==",
+ "dev": true,
+ "license": "MIT"
+ },
+ "node_modules/babel-core/node_modules/lodash": {
+ "version": "3.10.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz",
+ "integrity": "sha512-9mDDwqVIma6OZX79ZlDACZl8sBm0TEnkf99zV3iMA4GzkIT/9hiqP5mY0HoT1iNLCrKc/R1HByV+yJfRWVJryQ==",
+ "dev": true,
+ "license": "MIT"
+ },
"node_modules/babel-core/node_modules/ms": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
"integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
"dev": true
},
- "node_modules/babel-generator": {
- "version": "6.26.1",
- "resolved": "https://registry.npmjs.org/babel-generator/-/babel-generator-6.26.1.tgz",
- "integrity": "sha512-HyfwY6ApZj7BYTcJURpM5tznulaBvyio7/0d4zFOeMPUmfxkCjHocCuoLa2SAGzBI8AREcH3eP3758F672DppA==",
+ "node_modules/babel-core/node_modules/strip-ansi": {
+ "version": "3.0.1",
+ "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz",
+ "integrity": "sha512-VhumSSbBqDTP8p2ZLKj40UjBCV4+v8bUSEpUb4KjRgWk9pbqGF4REFj6KEagidb2f/M6AzC0EmFyDNGaw9OCzg==",
"dev": true,
"license": "MIT",
"dependencies": {
- "babel-messages": "^6.23.0",
- "babel-runtime": "^6.26.0",
- "babel-types": "^6.26.0",
- "detect-indent": "^4.0.0",
- "jsesc": "^1.3.0",
- "lodash": "^4.17.4",
- "source-map": "^0.5.7",
- "trim-right": "^1.0.1"
+ "ansi-regex": "^2.0.0"
+ },
+ "engines": {
+ "node": ">=0.10.0"
}
},
- "node_modules/babel-generator/node_modules/jsesc": {
- "version": "1.3.0",
- "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-1.3.0.tgz",
- "integrity": "sha512-Mke0DA0QjUWuJlhsE0ZPPhYiJkRap642SmI/4ztCFaUs6V2AiH1sfecc+57NgaryfAA2VR3v6O+CSjC1jZJKOA==",
+ "node_modules/babel-core/node_modules/supports-color": {
+ "version": "2.0.0",
+ "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz",
+ "integrity": "sha512-KKNVtd6pCYgPIKU4cp2733HWYCpplQhddZLBUryaAHou723x+FRzQ5Df824Fj+IyyuiQTRoub4SnIFfIcrp70g==",
"dev": true,
"license": "MIT",
- "bin": {
- "jsesc": "bin/jsesc"
+ "engines": {
+ "node": ">=0.8.0"
}
},
"node_modules/babel-helper-call-delegate": {
@@ -3628,17 +3738,6 @@
"babel-types": "^6.24.1"
}
},
- "node_modules/babel-helpers": {
- "version": "6.24.1",
- "resolved": "https://registry.npmjs.org/babel-helpers/-/babel-helpers-6.24.1.tgz",
- "integrity": "sha512-n7pFrqQm44TCYvrCDb0MqabAF+JUBq+ijBvNMUxpkLjJaAu32faIexewMumrH5KLLJ1HDyT0PTEqRyAe/GwwuQ==",
- "dev": true,
- "license": "MIT",
- "dependencies": {
- "babel-runtime": "^6.22.0",
- "babel-template": "^6.24.1"
- }
- },
"node_modules/babel-jest": {
"version": "29.7.0",
"resolved": "https://registry.npmjs.org/babel-jest/-/babel-jest-29.7.0.tgz",
@@ -4126,22 +4225,6 @@
"@babel/core": "^7.0.0"
}
},
- "node_modules/babel-register": {
- "version": "6.26.0",
- "resolved": "https://registry.npmjs.org/babel-register/-/babel-register-6.26.0.tgz",
- "integrity": "sha512-veliHlHX06wjaeY8xNITbveXSiI+ASFnOqvne/LaIJIqOWi2Ogmj91KOugEz/hoh/fwMhXNBJPCv8Xaz5CyM4A==",
- "dev": true,
- "license": "MIT",
- "dependencies": {
- "babel-core": "^6.26.0",
- "babel-runtime": "^6.26.0",
- "core-js": "^2.5.0",
- "home-or-tmp": "^2.0.0",
- "lodash": "^4.17.4",
- "mkdirp": "^0.5.1",
- "source-map-support": "^0.4.15"
- }
- },
"node_modules/babel-runtime": {
"version": "6.26.0",
"resolved": "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.26.0.tgz",
@@ -4693,6 +4776,48 @@
"integrity": "sha512-W9pAhw0ja1Edb5GVdIF1mjZw/ASI0AlShXM83UUGe2DVr5TdAPEA1OA8m/g8zWp9x6On7gqufY+FatDbC3MDQg==",
"dev": true
},
+ "node_modules/commoner": {
+ "version": "0.10.8",
+ "resolved": "https://registry.npmjs.org/commoner/-/commoner-0.10.8.tgz",
+ "integrity": "sha512-3/qHkNMM6o/KGXHITA14y78PcfmXh4+AOCJpSoF73h4VY1JpdGv3CHMS5+JW6SwLhfJt4RhNmLAa7+RRX/62EQ==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "commander": "^2.5.0",
+ "detective": "^4.3.1",
+ "glob": "^5.0.15",
+ "graceful-fs": "^4.1.2",
+ "iconv-lite": "^0.4.5",
+ "mkdirp": "^0.5.0",
+ "private": "^0.1.6",
+ "q": "^1.1.2",
+ "recast": "^0.11.17"
+ },
+ "bin": {
+ "commonize": "bin/commonize"
+ },
+ "engines": {
+ "node": ">= 0.8"
+ }
+ },
+ "node_modules/commoner/node_modules/glob": {
+ "version": "5.0.15",
+ "resolved": "https://registry.npmjs.org/glob/-/glob-5.0.15.tgz",
+ "integrity": "sha512-c9IPMazfRITpmAAKi22dK1VKxGDX9ehhqfABDriL/lzO92xcUKEJPQHrVA/2YHSNFB4iFlykVmWvwo48nr3OxA==",
+ "deprecated": "Glob versions prior to v9 are no longer supported",
+ "dev": true,
+ "license": "ISC",
+ "dependencies": {
+ "inflight": "^1.0.4",
+ "inherits": "2",
+ "minimatch": "2 || 3",
+ "once": "^1.3.0",
+ "path-is-absolute": "^1.0.0"
+ },
+ "engines": {
+ "node": "*"
+ }
+ },
"node_modules/compare-func": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/compare-func/-/compare-func-2.0.0.tgz",
@@ -5125,6 +5250,16 @@
"node": ">=8"
}
},
+ "node_modules/defined": {
+ "version": "1.0.1",
+ "resolved": "https://registry.npmjs.org/defined/-/defined-1.0.1.tgz",
+ "integrity": "sha512-hsBd2qSVCRE+5PmNdHt1uzyrFu5d3RwmFDKzyNZMFq/EwDNJF7Ee5+D5oEKF0hU6LhtoUF1macFvOe4AskQC1Q==",
+ "dev": true,
+ "license": "MIT",
+ "funding": {
+ "url": "https://github.com/sponsors/ljharb"
+ }
+ },
"node_modules/delayed-stream": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
@@ -5144,13 +5279,18 @@
}
},
"node_modules/detect-indent": {
- "version": "4.0.0",
- "resolved": "https://registry.npmjs.org/detect-indent/-/detect-indent-4.0.0.tgz",
- "integrity": "sha512-BDKtmHlOzwI7iRuEkhzsnPoi5ypEhWAJB5RvHWe1kMr06js3uK5B3734i3ui5Yd+wOJV1cpE4JnivPD283GU/A==",
+ "version": "3.0.1",
+ "resolved": "https://registry.npmjs.org/detect-indent/-/detect-indent-3.0.1.tgz",
+ "integrity": "sha512-xo3WP66SNbr1Eim85s/qyH0ZL8PQUwp86HWm0S1l8WnJ/zjT6T3w1nwNA0yOZeuvOemupEYvpvF6BIdYRuERJQ==",
"dev": true,
"license": "MIT",
"dependencies": {
- "repeating": "^2.0.0"
+ "get-stdin": "^4.0.1",
+ "minimist": "^1.1.0",
+ "repeating": "^1.1.0"
+ },
+ "bin": {
+ "detect-indent": "cli.js"
},
"engines": {
"node": ">=0.10.0"
@@ -5165,6 +5305,30 @@
"node": ">=8"
}
},
+ "node_modules/detective": {
+ "version": "4.7.1",
+ "resolved": "https://registry.npmjs.org/detective/-/detective-4.7.1.tgz",
+ "integrity": "sha512-H6PmeeUcZloWtdt4DAkFyzFL94arpHr3NOwwmVILFiy+9Qd4JTxxXrzfyGk/lmct2qVGBwTSwSXagqu2BxmWig==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "acorn": "^5.2.1",
+ "defined": "^1.0.0"
+ }
+ },
+ "node_modules/detective/node_modules/acorn": {
+ "version": "5.7.4",
+ "resolved": "https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz",
+ "integrity": "sha512-1D++VG7BhrtvQpNbBzovKNc1FLGGEE/oGe7b9xJm/RFHMBeUaUGpluV9RLjZa47YFdPcDAenEYuq9pQPcMdLJg==",
+ "dev": true,
+ "license": "MIT",
+ "bin": {
+ "acorn": "bin/acorn"
+ },
+ "engines": {
+ "node": ">=0.4.0"
+ }
+ },
"node_modules/diff": {
"version": "4.0.2",
"resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
@@ -5561,6 +5725,19 @@
"node": ">=4"
}
},
+ "node_modules/esprima-fb": {
+ "version": "15001.1001.0-dev-harmony-fb",
+ "resolved": "https://registry.npmjs.org/esprima-fb/-/esprima-fb-15001.1001.0-dev-harmony-fb.tgz",
+ "integrity": "sha512-m7OsYzocA8OQ3+9CxmhIv7NPHtyDR2ixaLCO7kLZ+YH+xQ/BpaZmll9EXmc+kBxzWA8BRBXbNEuEQqQ6vfsgDw==",
+ "dev": true,
+ "bin": {
+ "esparse": "bin/esparse.js",
+ "esvalidate": "bin/esvalidate.js"
+ },
+ "engines": {
+ "node": ">=0.4.0"
+ }
+ },
"node_modules/esquery": {
"version": "1.6.0",
"resolved": "https://registry.npmjs.org/esquery/-/esquery-1.6.0.tgz",
@@ -5603,6 +5780,15 @@
"node": ">=4.0"
}
},
+ "node_modules/estraverse": {
+ "version": "1.9.3",
+ "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-1.9.3.tgz",
+ "integrity": "sha512-25w1fMXQrGdoquWnScXZGckOv+Wes+JDnuN/+7ex3SauFRS72r2lFDec0EKPt2YD1wUJ/IrfEex+9yp4hfSOJA==",
+ "dev": true,
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
"node_modules/estree-walker": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-1.0.1.tgz",
@@ -5944,6 +6130,13 @@
"node": ">=14.14"
}
},
+ "node_modules/fs-readdir-recursive": {
+ "version": "0.1.2",
+ "resolved": "https://registry.npmjs.org/fs-readdir-recursive/-/fs-readdir-recursive-0.1.2.tgz",
+ "integrity": "sha512-//yfxmYAazrsyb/rgeYDNFXFTuPYTGYirp5QHFSH8h/LaNUoP5bQAa2ikstdK1PR/bFd1CIlQLpUq6/u6UVfSw==",
+ "dev": true,
+ "license": "MIT"
+ },
"node_modules/fs.realpath": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
@@ -6000,6 +6193,16 @@
"node": ">=8.0.0"
}
},
+ "node_modules/get-stdin": {
+ "version": "4.0.1",
+ "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-4.0.1.tgz",
+ "integrity": "sha512-F5aQMywwJ2n85s4hJPTT9RPxGmubonuB10MNYo17/xph174n2MIR33HRguhzVag10O/npM7SPk73LMZNP+FaWw==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
"node_modules/get-stream": {
"version": "6.0.1",
"resolved": "https://registry.npmjs.org/get-stream/-/get-stream-6.0.1.tgz",
@@ -6197,20 +6400,6 @@
"node": ">= 0.4"
}
},
- "node_modules/home-or-tmp": {
- "version": "2.0.0",
- "resolved": "https://registry.npmjs.org/home-or-tmp/-/home-or-tmp-2.0.0.tgz",
- "integrity": "sha512-ycURW7oUxE2sNiPVw1HVEFsW+ecOpJ5zaj7eC0RlwhibhRBod20muUN8qu/gzx956YrLolVvs1MTXwKgC2rVEg==",
- "dev": true,
- "license": "MIT",
- "dependencies": {
- "os-homedir": "^1.0.0",
- "os-tmpdir": "^1.0.1"
- },
- "engines": {
- "node": ">=0.10.0"
- }
- },
"node_modules/homedir-polyfill": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/homedir-polyfill/-/homedir-polyfill-1.0.3.tgz",
@@ -6571,6 +6760,16 @@
"node": ">=0.10.0"
}
},
+ "node_modules/is-integer": {
+ "version": "1.0.7",
+ "resolved": "https://registry.npmjs.org/is-integer/-/is-integer-1.0.7.tgz",
+ "integrity": "sha512-RPQc/s9yBHSvpi+hs9dYiJ2cuFeU6x3TyyIp8O2H6SKEltIvJOzRj9ToyvcStDvPR/pS4rxgr1oBFajQjZ2Szg==",
+ "dev": true,
+ "license": "WTFPL OR ISC",
+ "dependencies": {
+ "is-finite": "^1.0.0"
+ }
+ },
"node_modules/is-interactive": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/is-interactive/-/is-interactive-1.0.0.tgz",
@@ -7063,13 +7262,11 @@
}
},
"node_modules/jest-coverage-badges": {
- "version": "1.1.2",
- "resolved": "https://registry.npmjs.org/jest-coverage-badges/-/jest-coverage-badges-1.1.2.tgz",
- "integrity": "sha512-44A7i2xR6os8+fWk8ZRM6W4fKiD2jwKOLU9eB3iTIIWACd9RbdvmiCNpQZTOsUBhKvz7aQ/ASFhu5JOEhWUOlg==",
+ "version": "1.0.0",
+ "resolved": "https://registry.npmjs.org/jest-coverage-badges/-/jest-coverage-badges-1.0.0.tgz",
+ "integrity": "sha512-2PzLRTBMYxaRtDy3gAfVhzZcP5MGb90vzS/6v23tR67J7ejh2D6rGlGvl3IF0LJxqKKJlWSxkTNTzgXMsDb9ug==",
"dev": true,
- "dependencies": {
- "mkdirp": "0.5.1"
- },
+ "license": "MIT",
"bin": {
"jest-coverage-badges": "cli.js"
},
@@ -8166,6 +8363,27 @@
"node": ">=6"
}
},
+ "node_modules/left-pad": {
+ "version": "0.0.3",
+ "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-0.0.3.tgz",
+ "integrity": "sha512-Qli5dSpAXQOSw1y/M+uBKT37rj6iZAQMz6Uy5/ZYGIhBLS/ODRHqL4XIDvSAtYpjfia0XKNztlPFa806TWw5Gw==",
+ "deprecated": "use String.prototype.padStart()",
+ "dev": true,
+ "license": "WTFPL"
+ },
+ "node_modules/leven": {
+ "version": "1.0.2",
+ "resolved": "https://registry.npmjs.org/leven/-/leven-1.0.2.tgz",
+ "integrity": "sha512-U3eIzC2mMAOMOuoJ25sA3eyraoBwndpQyYgBq5dyqrMTpvMg9l9X/ucFHxv622YcCg179WWqleoF7rSzfYrV+Q==",
+ "dev": true,
+ "license": "MIT",
+ "bin": {
+ "leven": "cli.js"
+ },
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
"node_modules/levn": {
"version": "0.4.1",
"resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz",
@@ -8179,6 +8397,17 @@
"node": ">= 0.8.0"
}
},
+ "node_modules/line-numbers": {
+ "version": "0.2.0",
+ "resolved": "https://registry.npmjs.org/line-numbers/-/line-numbers-0.2.0.tgz",
+ "integrity": "sha512-wC1rUVNh6LmK/imDbCvrfB4qLLUiMuLWvihs+twrERITLhc6aBMIb2+0TqL03sZLuKuO5aRoYTw5wcNCe0d7mw==",
+ "deprecated": "Copy its ~20 LOC directly into your code instead.",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "left-pad": "0.0.3"
+ }
+ },
"node_modules/lines-and-columns": {
"version": "1.2.4",
"resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz",
@@ -8534,24 +8763,18 @@
}
},
"node_modules/mkdirp": {
- "version": "0.5.1",
- "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
- "integrity": "sha512-SknJC52obPfGQPnjIkXbmA6+5H15E+fR+E4iR2oQ3zzCLbd7/ONua69R/Gw7AgkTLsRG+r5fzksYwWe1AgTyWA==",
- "deprecated": "Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)",
+ "version": "0.5.6",
+ "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz",
+ "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==",
"dev": true,
+ "license": "MIT",
"dependencies": {
- "minimist": "0.0.8"
+ "minimist": "^1.2.6"
},
"bin": {
"mkdirp": "bin/cmd.js"
}
},
- "node_modules/mkdirp/node_modules/minimist": {
- "version": "0.0.8",
- "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
- "integrity": "sha512-miQKw5Hv4NS1Psg2517mV4e4dYNaO3++hjAvLOAzKqZ61rH8NS1SK+vbfBWZ5PY/Me/bEWhUwqMghEW5Fb9T7Q==",
- "dev": true
- },
"node_modules/ms": {
"version": "2.1.3",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -8643,6 +8866,16 @@
"integrity": "sha512-F1I/bimDpj3ncaNDhfyMWuFqmQDBwDB0Fogc2qpL3BWvkQteFD/8BzWuIRl83rq0DXfm8SGt/HFhLXZyljTXcQ==",
"dev": true
},
+ "node_modules/object-assign": {
+ "version": "4.1.1",
+ "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+ "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
"node_modules/once": {
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
@@ -8724,16 +8957,6 @@
"url": "https://github.com/sponsors/sindresorhus"
}
},
- "node_modules/os-homedir": {
- "version": "1.0.2",
- "resolved": "https://registry.npmjs.org/os-homedir/-/os-homedir-1.0.2.tgz",
- "integrity": "sha512-B5JU3cabzk8c67mRRd3ECmROafjYMXbuzlwtqdM8IbS8ktlTix8aFGb2bAGKrSRIlnfKwovGUUr72JUPyOb6kQ==",
- "dev": true,
- "license": "MIT",
- "engines": {
- "node": ">=0.10.0"
- }
- },
"node_modules/os-tmpdir": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz",
@@ -8743,6 +8966,18 @@
"node": ">=0.10.0"
}
},
+ "node_modules/output-file-sync": {
+ "version": "1.1.2",
+ "resolved": "https://registry.npmjs.org/output-file-sync/-/output-file-sync-1.1.2.tgz",
+ "integrity": "sha512-uQLlclru4xpCi+tfs80l3QF24KL81X57ELNMy7W/dox+JTtxUf1bLyQ8968fFCmSqqbokjW0kn+WBIlO+rSkNg==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "graceful-fs": "^4.1.4",
+ "mkdirp": "^0.5.1",
+ "object-assign": "^4.1.0"
+ }
+ },
"node_modules/p-limit": {
"version": "3.1.0",
"resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz",
@@ -9089,6 +9324,18 @@
}
]
},
+ "node_modules/q": {
+ "version": "1.5.1",
+ "resolved": "https://registry.npmjs.org/q/-/q-1.5.1.tgz",
+ "integrity": "sha512-kV/CThkXo6xyFEZUugw/+pIOywXcDbFYgSct5cT3gqlbkBE1SJdwy6UQoZvodiWF/ckQLZyDE/Bu1M6gVu5lVw==",
+ "deprecated": "You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.\n\n(For a CapTP with native promises, see @endo/eventual-send and @endo/captp)",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=0.6.0",
+ "teleport": ">=0.2.0"
+ }
+ },
"node_modules/querystringify": {
"version": "2.2.0",
"resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz",
@@ -9283,6 +9530,56 @@
"node": ">= 6"
}
},
+ "node_modules/recast": {
+ "version": "0.11.23",
+ "resolved": "https://registry.npmjs.org/recast/-/recast-0.11.23.tgz",
+ "integrity": "sha512-+nixG+3NugceyR8O1bLU45qs84JgI3+8EauyRZafLgC9XbdAOIVgwV1Pe2da0YzGo62KzWoZwUpVEQf6qNAXWA==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "ast-types": "0.9.6",
+ "esprima": "~3.1.0",
+ "private": "~0.1.5",
+ "source-map": "~0.5.0"
+ },
+ "engines": {
+ "node": ">= 0.8"
+ }
+ },
+ "node_modules/recast/node_modules/ast-types": {
+ "version": "0.9.6",
+ "resolved": "https://registry.npmjs.org/ast-types/-/ast-types-0.9.6.tgz",
+ "integrity": "sha512-qEdtR2UH78yyHX/AUNfXmJTlM48XoFZKBdwi1nzkI1mJL21cmbu0cvjxjpkXJ5NENMq42H+hNs8VLJcqXLerBQ==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">= 0.8"
+ }
+ },
+ "node_modules/recast/node_modules/esprima": {
+ "version": "3.1.3",
+ "resolved": "https://registry.npmjs.org/esprima/-/esprima-3.1.3.tgz",
+ "integrity": "sha512-AWwVMNxwhN8+NIPQzAQZCm7RkLC4RbM3B1OobMuyp3i+w73X57KCKaVIxaRZb+DYCojq7rspo+fmuQfAboyhFg==",
+ "dev": true,
+ "license": "BSD-2-Clause",
+ "bin": {
+ "esparse": "bin/esparse.js",
+ "esvalidate": "bin/esvalidate.js"
+ },
+ "engines": {
+ "node": ">=4"
+ }
+ },
+ "node_modules/recast/node_modules/source-map": {
+ "version": "0.5.7",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
+ "integrity": "sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==",
+ "dev": true,
+ "license": "BSD-3-Clause",
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
"node_modules/redent": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/redent/-/redent-3.0.0.tgz",
@@ -9314,6 +9611,26 @@
"node": ">=4"
}
},
+ "node_modules/regenerator-babel": {
+ "version": "0.8.13-2",
+ "resolved": "https://registry.npmjs.org/regenerator-babel/-/regenerator-babel-0.8.13-2.tgz",
+ "integrity": "sha512-p9bDgu0IMJgzXVzOl141aoME05C/z4h6miYY+8Sen7VJd5QMVfhOgik3AEL9rRB8xoXhU099tjnASwjOmEoyoQ==",
+ "deprecated": "Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.",
+ "dev": true,
+ "license": "BSD",
+ "dependencies": {
+ "ast-types": "~0.7.0",
+ "commoner": "~0.10.0",
+ "private": "~0.1.5",
+ "through": "~2.3.6"
+ },
+ "bin": {
+ "regenerator-babel": "bin/regenerator"
+ },
+ "engines": {
+ "node": ">= 0.6"
+ }
+ },
"node_modules/regenerator-runtime": {
"version": "0.11.1",
"resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.11.1.tgz",
@@ -9329,6 +9646,23 @@
"@babel/runtime": "^7.8.4"
}
},
+ "node_modules/regexpu": {
+ "version": "1.3.0",
+ "resolved": "https://registry.npmjs.org/regexpu/-/regexpu-1.3.0.tgz",
+ "integrity": "sha512-OqpQCTCcVM6k9IbzxLjNN6TRj3NV7qF4L8zUqsNoeAmmIZp8wH1tdZnn0vNXE2tGNU4ho0xTZWk3FmahOtyMRA==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "esprima": "^2.6.0",
+ "recast": "^0.10.10",
+ "regenerate": "^1.2.1",
+ "regjsgen": "^0.2.0",
+ "regjsparser": "^0.1.4"
+ },
+ "bin": {
+ "regexpu": "bin/regexpu"
+ }
+ },
"node_modules/regexpu-core": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/regexpu-core/-/regexpu-core-6.2.0.tgz",
@@ -9376,6 +9710,56 @@
"regjsparser": "bin/parser"
}
},
+ "node_modules/regexpu/node_modules/ast-types": {
+ "version": "0.8.15",
+ "resolved": "https://registry.npmjs.org/ast-types/-/ast-types-0.8.15.tgz",
+ "integrity": "sha512-8WsusRFHT6D2CpPTCLLLeIp4dN4pMEgmVX/jaSBsbMFObktStNdGOE1ZW4x8V/RABr1VtqruQgpabZyvzrrrww==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">= 0.8"
+ }
+ },
+ "node_modules/regexpu/node_modules/esprima": {
+ "version": "2.7.3",
+ "resolved": "https://registry.npmjs.org/esprima/-/esprima-2.7.3.tgz",
+ "integrity": "sha512-OarPfz0lFCiW4/AV2Oy1Rp9qu0iusTKqykwTspGCZtPxmF81JR4MmIebvF1F9+UOKth2ZubLQ4XGGaU+hSn99A==",
+ "dev": true,
+ "license": "BSD-2-Clause",
+ "bin": {
+ "esparse": "bin/esparse.js",
+ "esvalidate": "bin/esvalidate.js"
+ },
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
+ "node_modules/regexpu/node_modules/recast": {
+ "version": "0.10.43",
+ "resolved": "https://registry.npmjs.org/recast/-/recast-0.10.43.tgz",
+ "integrity": "sha512-GC1g4P336t8WOpzVGFOo83m14xQfHbVqe+eDus+4oubobkWb/kONwMWSG6+K3BUtBOoUdUU+GT9kmNCSOBv9+g==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "ast-types": "0.8.15",
+ "esprima-fb": "~15001.1001.0-dev-harmony-fb",
+ "private": "~0.1.5",
+ "source-map": "~0.5.0"
+ },
+ "engines": {
+ "node": ">= 0.8"
+ }
+ },
+ "node_modules/regexpu/node_modules/source-map": {
+ "version": "0.5.7",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
+ "integrity": "sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==",
+ "dev": true,
+ "license": "BSD-3-Clause",
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
"node_modules/regjsgen": {
"version": "0.2.0",
"resolved": "https://registry.npmjs.org/regjsgen/-/regjsgen-0.2.0.tgz",
@@ -9404,14 +9788,17 @@
}
},
"node_modules/repeating": {
- "version": "2.0.1",
- "resolved": "https://registry.npmjs.org/repeating/-/repeating-2.0.1.tgz",
- "integrity": "sha512-ZqtSMuVybkISo2OWvqvm7iHSWngvdaW3IpsT9/uP8v4gMi591LY6h35wdOfvQdWCKFWZWm2Y1Opp4kV7vQKT6A==",
+ "version": "1.1.3",
+ "resolved": "https://registry.npmjs.org/repeating/-/repeating-1.1.3.tgz",
+ "integrity": "sha512-Nh30JLeMHdoI+AsQ5eblhZ7YlTsM9wiJQe/AHIunlK3KWzvXhXb36IJ7K1IOeRjIOtzMjdUHjwXUFxKJoPTSOg==",
"dev": true,
"license": "MIT",
"dependencies": {
"is-finite": "^1.0.0"
},
+ "bin": {
+ "repeating": "cli.js"
+ },
"engines": {
"node": ">=0.10.0"
}
@@ -9869,6 +10256,16 @@
"node": ">=8"
}
},
+ "node_modules/shebang-regex": {
+ "version": "1.0.0",
+ "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-1.0.0.tgz",
+ "integrity": "sha512-wpoSFAxys6b2a2wHZ1XpDSgD7N9iVjg29Ph9uV/uaP9Ex/KXlkTZTeddxDPSYQpgvzKLGJke2UU0AzoGCjNIvQ==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=0.10.0"
+ }
+ },
"node_modules/signal-exit": {
"version": "3.0.7",
"resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz",
@@ -9891,13 +10288,16 @@
}
},
"node_modules/source-map": {
- "version": "0.5.7",
- "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
- "integrity": "sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==",
+ "version": "0.4.4",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.4.4.tgz",
+ "integrity": "sha512-Y8nIfcb1s/7DcobUz1yOO1GSp7gyL+D9zLHDehT7iRESqGSxjJ448Sg7rvfgsRJCnKLdSl11uGf0s9X80cH0/A==",
"dev": true,
"license": "BSD-3-Clause",
+ "dependencies": {
+ "amdefine": ">=0.0.4"
+ },
"engines": {
- "node": ">=0.10.0"
+ "node": ">=0.8.0"
}
},
"node_modules/source-map-resolve": {
@@ -9912,13 +10312,24 @@
}
},
"node_modules/source-map-support": {
- "version": "0.4.18",
- "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.4.18.tgz",
- "integrity": "sha512-try0/JqxPLF9nOjvSta7tVondkP5dwgyLDjVoyMDlmjugT2lRZ1OfsrYTkCd2hkDnJTKRbO/Rl3orm8vlsUzbA==",
+ "version": "0.2.10",
+ "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.2.10.tgz",
+ "integrity": "sha512-gGKOSat73z0V8wBKo9AGxZZyekczBireh1hHktbt+kb9acsCB5OfVCF2DCWlztcQ3r5oNN7f2BL0B2xOcoJ/DQ==",
"dev": true,
- "license": "MIT",
"dependencies": {
- "source-map": "^0.5.6"
+ "source-map": "0.1.32"
+ }
+ },
+ "node_modules/source-map-support/node_modules/source-map": {
+ "version": "0.1.32",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.1.32.tgz",
+ "integrity": "sha512-htQyLrrRLkQ87Zfrir4/yN+vAUd6DNjVayEjTSHXu29AYQJw57I4/xEL/M6p6E/woPNJwvZt6rVlzc7gFEJccQ==",
+ "dev": true,
+ "dependencies": {
+ "amdefine": ">=0.0.4"
+ },
+ "engines": {
+ "node": ">=0.8.0"
}
},
"node_modules/spdx-correct": {
@@ -10612,18 +11023,6 @@
"node": ">=4"
}
},
- "node_modules/tslint/node_modules/mkdirp": {
- "version": "0.5.6",
- "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz",
- "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==",
- "dev": true,
- "dependencies": {
- "minimist": "^1.2.6"
- },
- "bin": {
- "mkdirp": "bin/cmd.js"
- }
- },
"node_modules/tslint/node_modules/semver": {
"version": "5.7.2",
"resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
diff --git a/package.json b/package.json
index 7dfc8b4..fec07d4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "@contentstack/utils",
- "version": "1.3.18",
+ "version": "1.3.19",
"description": "Contentstack utilities for Javascript",
"main": "dist/index.es.js",
"types": "dist/types/index.d.ts",
@@ -38,7 +38,7 @@
"@commitlint/cli": "^17.8.1",
"@commitlint/config-conventional": "^17.8.1",
"@types/jest": "^26.0.24",
- "babel-core": "^6.26.3",
+ "babel-core": "^4.7.16",
"babel-jest": "^29.7.0",
"babel-loader": "8.4.1",
"babel-preset-es2015": "^6.24.1",
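Review bot: The `babel-core` range in this hunk drops from `^6.26.3` to `^4.7.16` while `babel-preset-es2015` two lines below stays at `^6.24.1`, which leaves the dev toolchain on mismatched majors. The lockfile sections of the same patch add old transitive packages, some carrying a `deprecated` notice (for example `regenerator-babel`, "Package no longer supported"). The next hunk lowers `jest-coverage-badges` from `^1.1.2` to `^1.0.0` in the same way. Nothing visible here explains either downgrade, so it may be a side effect of an automated dependency fix; if it is not intended, restore `"babel-core": "^6.26.3"` and `"jest-coverage-badges": "^1.1.2"` and regenerate the lockfile.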
@@ -46,7 +46,7 @@
"eslint": "^8.57.1",
"husky": "^8.0.3",
"jest": "^29.7.0",
- "jest-coverage-badges": "^1.1.2",
+ "jest-coverage-badges": "^1.0.0",
"jest-environment-jsdom": "^29.7.0",
"jest-html-reporters": "^2.1.7",
"jest-junit": "^15.0.0",
diff --git a/semgrep-native-report.json b/semgrep-native-report.json
new file mode 100644
index 0000000..07363cd
--- /dev/null
+++ b/semgrep-native-report.json
@@ -0,0 +1 @@
+{"version":"1.107.0","results":[],"errors":[],"paths":{"scanned":[".commitlintrc.json",".github/workflows/check-branch.yml",".github/workflows/ci.yml",".github/workflows/code.cov.yml",".github/workflows/codeql-analysis.yml",".github/workflows/jira.yml",".github/workflows/npm-publish.yml",".github/workflows/sast-scan.yml",".github/workflows/sca-scan.yml",".gitignore",".husky/commit-msg",".husky/pre-commit",".npmignore",".prettierrc",".talismanrc","CHANGELOG.md","CODEOWNERS","LICENSE","README.md","SECURITY.md","__test__/attributes-to-string.test.ts","__test__/default-node-options.test.ts","__test__/default-options.test.ts","__test__/embedded-types.test.ts","__test__/entry-editable.test.ts","__test__/find-embedded-objects.test.ts","__test__/find-render-content.test.ts","__test__/gql/gql-json-to-html.test.ts","__test__/html-to-json.test.ts","__test__/json-to-html.test.ts","__test__/mock/asset-mock.ts","__test__/mock/embedded-object-mock.ts","__test__/mock/entry-editable-mock.ts","__test__/mock/entry-mock.ts","__test__/mock/entry-multiple-rich-text-content.ts","__test__/mock/gql-asset-url-update-mock.ts","__test__/mock/gql-json-element-mock.ts","__test__/mock/json-element-mock-result.ts","__test__/mock/json-element-mock.ts","__test__/mock/render-options.ts","__test__/node/mark-types.test.ts","__test__/node/node-initialise.test.ts","__test__/node/node-types.test.ts","__test__/reference-to-html.test.ts","__test__/regex-match.test.ts","__test__/render-embedded-to-html.test.ts","__test__/string-extension.test.ts","__test__/text-node-to-html.test.ts","__test__/updateAssetURLForGQL.test.ts","babel.config.js","jest.config.ts","package-lock.json","package.json","rollup.config.js","src/Models/embedded-object.ts","src/Models/json-rte-model.ts","src/Models/metadata-model.ts","src/Models/test.ts","src/embedded-types/style-type.ts","src/entry-editable.ts","src/extensions/index.ts","src/gql.ts","src/helper/enumerate-entries.ts","src/helper/find-embeded-object.ts","src/helper/find-ren
der-content.ts","src/helper/html-to-json.ts","src/helper/regex-match.ts","src/helper/sanitize.ts","src/index.ts","src/json-to-html.ts","src/nodes/document.ts","src/nodes/mark-type.ts","src/nodes/node-type.ts","src/nodes/node.ts","src/nodes/text-node.ts","src/options/default-node-options.ts","src/options/default-options.ts","src/options/index.ts","src/render-embedded-objects.ts","src/updateAssetURLForGQL.ts","tsconfig.json","tslint.json"]},"skipped_rules":[]}
\ No newline at end of file
From 1deab62089efd1c42aba989659d413a7d7923138 Mon Sep 17 00:00:00 2001
From: "harshitha.d"
Date: Wed, 19 Feb 2025 13:18:24 +0530
Subject: [PATCH 4/5] fix(attributes): ignore attributes key with forbidden
characters
---
__test__/attributes-to-string.test.ts | 14 +++++++++++++-
src/Models/metadata-model.ts | 11 +++--------
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/__test__/attributes-to-string.test.ts b/__test__/attributes-to-string.test.ts
index ca64f53..8229e2f 100644
--- a/__test__/attributes-to-string.test.ts
+++ b/__test__/attributes-to-string.test.ts
@@ -63,7 +63,7 @@ describe('Attributes to String', () => {
const resultString = attributeToString(attr);
- expect(resultString).toEqual(' style=\"text-align:left; \" rows=\"4\" cols=\"2\" colWidths=\"250, 250\" <ls=\""></p><h1>test</h1><p class="\"')
+ expect(resultString).toEqual(' style=\"text-align:left; \" rows=\"4\" cols=\"2\" colWidths=\"250, 250\"')
done();
});
it('Should handle object attribute values correctly', done => {
@@ -125,4 +125,16 @@ describe('Attributes to String', () => {
expect(resultString).toEqual(' safeKey="<script>alert(xss)</script>"');
done();
});
+ it('Should ignore attributes with forbidden characters in keys', done => {
+ const attr = {
+ "validKey": "safeValue",
+ 'in"valid': "should be ignored",
+ "another>invalid": "should also be ignored"
+ } as Attributes;
+
+ const resultString = attributeToString(attr);
+
+ expect(resultString).toEqual(' validKey="safeValue"');
+ done();
+ });
})
\ No newline at end of file
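Review bot: The added case pins only two forbidden characters, `"` and `>`, so the suite would still pass if any other entry were later dropped from `forbiddenAttrChars`. That list lives in `../helper/enumerate-entries` and is not visible here; add one key per remaining entry, and confirm that a key containing whitespace or `=` is rejected, for example `'bad key': "x"` and `'bad=key': "x"` alongside the existing entries. As a style point, the `done` callback is unnecessary because the test body is synchronous.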
diff --git a/src/Models/metadata-model.ts b/src/Models/metadata-model.ts
index dd95c3b..5c9655a 100644
--- a/src/Models/metadata-model.ts
+++ b/src/Models/metadata-model.ts
@@ -60,11 +60,7 @@ export function attributeToString(attributes: Attributes): string {
let result = '';
for (const key in attributes) {
if (Object.prototype.hasOwnProperty.call(attributes, key)) {
- // Sanitize the key to prevent HTML injection
- const sanitizedKey = replaceHtmlEntities(key);
-
- // Skip keys that contain forbidden characters (even after sanitization)
- if (forbiddenAttrChars.some(char => sanitizedKey.includes(char))) {
+ if (forbiddenAttrChars.some(char => key.includes(char))) {
continue;
}
let value = attributes[key];
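Review bot: Checking the raw `key` is correct, but the next hunk now writes that key into the output unescaped, so `forbiddenAttrChars` becomes the only control on attribute names. The list is imported from `../helper/enumerate-entries` and its contents are not visible in this patch; confirm it rejects whitespace, `=`, `/`, `'`, `<` and the empty string, since any of these lets one key render as something other than a single attribute name. A denylist is easy to leave incomplete, so an allowlist is safer, though it may be stricter than existing callers expect: `if (!/^[A-Za-z_:][\w:.-]*$/.test(key)) continue;`. The body of `attributeToString` continues outside this hunk.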
@@ -76,14 +72,13 @@ export function attributeToString(attributes: Attributes): string {
if (Object.prototype.hasOwnProperty.call(value, subKey)) {
const subValue = value[subKey];
if (subValue != null && subValue !== '') {
- elementString += `${replaceHtmlEntities(subKey)}:${replaceHtmlEntities(String(subValue))}; `;
+ elementString += `${subKey}:${subValue}; `;
}
}
}
value = elementString;
}
- // Sanitize the value to prevent HTML injection
- result += ` ${sanitizedKey}="${replaceHtmlEntities(String(value))}"`;
+ result += ` ${key}="${replaceHtmlEntities(String(value))}"`;
}
}
return result;
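Review bot: In the style-object branch, `subKey` and `subValue` are joined with `:` and `;` at `elementString += ...` without checking for those separators, so a single entry containing `;` produces additional CSS declarations. The HTML escaping at the final `result +=` line still covers the assembled string once, so dropping the inner `replaceHtmlEntities` calls avoids double encoding, but entity escaping does not neutralise CSS syntax. If style objects can come from untrusted content (not determinable from this hunk), skip such entries, for example by widening the guard to `if (subValue != null && subValue !== '' && !/[;{}]/.test(String(subValue)))` with a matching check on `subKey`. At minimum add a comment such as `// value is HTML-escaped below; CSS separators in style entries are not filtered` so the remaining gap is documented.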
From 9661d22190bc6446719ff7c6aaedbc8d1f420b84 Mon Sep 17 00:00:00 2001
From: "harshitha.d"
Date: Wed, 19 Feb 2025 13:20:56 +0530
Subject: [PATCH 5/5] chore(report): remove semgrep native report file
---
semgrep-native-report.json | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 semgrep-native-report.json
diff --git a/semgrep-native-report.json b/semgrep-native-report.json
deleted file mode 100644
index 07363cd..0000000
--- a/semgrep-native-report.json
+++ /dev/null
@@ -1 +0,0 @@
-{"version":"1.107.0","results":[],"errors":[],"paths":{"scanned":[".commitlintrc.json",".github/workflows/check-branch.yml",".github/workflows/ci.yml",".github/workflows/code.cov.yml",".github/workflows/codeql-analysis.yml",".github/workflows/jira.yml",".github/workflows/npm-publish.yml",".github/workflows/sast-scan.yml",".github/workflows/sca-scan.yml",".gitignore",".husky/commit-msg",".husky/pre-commit",".npmignore",".prettierrc",".talismanrc","CHANGELOG.md","CODEOWNERS","LICENSE","README.md","SECURITY.md","__test__/attributes-to-string.test.ts","__test__/default-node-options.test.ts","__test__/default-options.test.ts","__test__/embedded-types.test.ts","__test__/entry-editable.test.ts","__test__/find-embedded-objects.test.ts","__test__/find-render-content.test.ts","__test__/gql/gql-json-to-html.test.ts","__test__/html-to-json.test.ts","__test__/json-to-html.test.ts","__test__/mock/asset-mock.ts","__test__/mock/embedded-object-mock.ts","__test__/mock/entry-editable-mock.ts","__test__/mock/entry-mock.ts","__test__/mock/entry-multiple-rich-text-content.ts","__test__/mock/gql-asset-url-update-mock.ts","__test__/mock/gql-json-element-mock.ts","__test__/mock/json-element-mock-result.ts","__test__/mock/json-element-mock.ts","__test__/mock/render-options.ts","__test__/node/mark-types.test.ts","__test__/node/node-initialise.test.ts","__test__/node/node-types.test.ts","__test__/reference-to-html.test.ts","__test__/regex-match.test.ts","__test__/render-embedded-to-html.test.ts","__test__/string-extension.test.ts","__test__/text-node-to-html.test.ts","__test__/updateAssetURLForGQL.test.ts","babel.config.js","jest.config.ts","package-lock.json","package.json","rollup.config.js","src/Models/embedded-object.ts","src/Models/json-rte-model.ts","src/Models/metadata-model.ts","src/Models/test.ts","src/embedded-types/style-type.ts","src/entry-editable.ts","src/extensions/index.ts","src/gql.ts","src/helper/enumerate-entries.ts","src/helper/find-embeded-object.ts","src/helper/find-ren
der-content.ts","src/helper/html-to-json.ts","src/helper/regex-match.ts","src/helper/sanitize.ts","src/index.ts","src/json-to-html.ts","src/nodes/document.ts","src/nodes/mark-type.ts","src/nodes/node-type.ts","src/nodes/node.ts","src/nodes/text-node.ts","src/options/default-node-options.ts","src/options/default-options.ts","src/options/index.ts","src/render-embedded-objects.ts","src/updateAssetURLForGQL.ts","tsconfig.json","tslint.json"]},"skipped_rules":[]}
\ No newline at end of file