Merge pull request #37 from coderaiser/fix/vulnerability · micromatch/braces@a5851e5

11

'use strict';

2233

const stringify = require('./stringify');

4+

const {isCorrectBraces, validateInput} = require('./validate-input');

4556

/**

67

* Constants

78

*/

89910

const {

1011

MAX_LENGTH,

12+

MAX_SYMBOLS,

1113

CHAR_BACKSLASH, /* \ */

1214

CHAR_BACKTICK, /* ` */

1315

CHAR_COMMA, /* , */

@@ -34,6 +36,11 @@ const parse = (input, options = {}) => {

3436

}

35373638

let opts = options || {};

39+40+

validateInput(input, {

41+

maxSymbols: opts.maxSymbols || MAX_SYMBOLS,

42+

});

43+3744

let max = typeof opts.maxLength === 'number' ? Math.min(MAX_LENGTH, opts.maxLength) : MAX_LENGTH;

3845

if (input.length > max) {

3946

throw new SyntaxError(`Input length (${input.length}), exceeds max characters (${max})`);

@@ -304,30 +311,43 @@ const parse = (input, options = {}) => {

304311

push({ type: 'text', value });

305312

}

306313314+

flattenBlocks(stack)

315+

markImbalancedBraces(ast);

316+

push({ type: 'eos' });

317+318+

return ast;

319+

};

320+321+

module.exports = parse;

322+323+

function markImbalancedBraces({nodes}) {

307324

// Mark imbalanced braces and brackets as invalid

325+

for (const node of nodes) {

326+

if (!node.nodes && !node.invalid) {

327+

if (node.type === 'open') node.isOpen = true;

328+

if (node.type === 'close') node.isClose = true;

329+

if (!node.nodes) node.type = 'text';

330+331+

node.invalid = true;

332+

}

333+334+

delete node.parent;

335+

delete node.prev;

336+

}

337+

}

338+339+

function flattenBlocks(stack) {

340+

let block;

308341

do {

309342

block = stack.pop();

310343311-

if (block.type !== 'root') {

312-

block.nodes.forEach(node => {

313-

if (!node.nodes) {

314-

if (node.type === 'open') node.isOpen = true;

315-

if (node.type === 'close') node.isClose = true;

316-

if (!node.nodes) node.type = 'text';

317-

node.invalid = true;

318-

}

319-

});

344+

if (block.type === 'root')

345+

continue;

320346321-

// get the location of the block on parent.nodes (block's siblings)

322-

let parent = stack[stack.length - 1];

323-

let index = parent.nodes.indexOf(block);

324-

// replace the (invalid) block with it's nodes

325-

parent.nodes.splice(index, 1, ...block.nodes);

326-

}

347+

// get the location of the block on parent.nodes (block's siblings)

348+

let parent = stack.at(-1);

349+

let index = parent.nodes.indexOf(block);

350+

// replace the (invalid) block with its nodes

351+

parent.nodes.splice(index, 1, ...block.nodes);

327352

} while (stack.length > 0);

328-329-

push({ type: 'eos' });

330-

return ast;

331-

};

332-333-

module.exports = parse;

353+

}
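Review bot: `markImbalancedBraces(ast)` walks every direct child of the root, while the removed loop only marked children of blocks popped with `block.type !== 'root'`, so on balanced input root-level leaf nodes now appear to get `invalid = true` and `type = 'text'` as well. Calling `markImbalancedBraces(block);` inside `flattenBlocks` just before the `parent.nodes.splice(...)` line, and dropping the call on `ast`, would keep the old scope; a test asserting that balanced input yields no `invalid` nodes would pin it. In the first hunk, `opts.maxSymbols || MAX_SYMBOLS` is neither type-checked nor capped the way `maxLength` is on the next statement; if the limit is meant as a hard ceiling, `typeof opts.maxSymbols === 'number' ? Math.min(MAX_SYMBOLS, opts.maxSymbols) : MAX_SYMBOLS` would match it. `stack.at(-1)` also needs a runtime that has `Array.prototype.at`, which the removed `stack[stack.length - 1]` did not. The body of `parse` starts outside both hunks, so how the AST is built and later consumed is not visible here.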