Require xml2js `>=0.5.0` to address CVE-2023-0842

2023-04-11 13:33:36 +01:00 · 2023-04-11 13:33:36 +01:00 · c2b5d643fd
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@ -6045,9 +6045,9 @@
      }
    },
    "node_modules/xml2js": {
-      "version": "0.4.23",
-      "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz",
-      "integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==",
+      "version": "0.5.0",
+      "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",
+      "integrity": "sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==",
      "dependencies": {
        "sax": ">=0.6.0",
        "xmlbuilder": "~11.0.0"
--- a/node_modules/xml2js/README.md
+++ b/node_modules/xml2js/README.md
@ -113,7 +113,7 @@ var xml = '<foo></foo>';

 // With parser
 var parser = new xml2js.Parser(/* options */);
-parser.parseStringPromise(data).then(function (result) {
+parser.parseStringPromise(xml).then(function (result) {
  console.dir(result);
  console.log('Done');
 })
@ -122,7 +122,7 @@ parser.parseStringPromise(data).then(function (result) {
 });

 // Without parser
-xml2js.parseStringPromise(data /*, options */).then(function (result) {
+xml2js.parseStringPromise(xml /*, options */).then(function (result) {
  console.dir(result);
  console.log('Done');
 })
@ -180,6 +180,16 @@ var obj = {name: "Super", Surname: "Man", age: 23};
 var builder = new xml2js.Builder();
 var xml = builder.buildObject(obj);
 ```
+will result in:
+
+```xml
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<root>
+  <name>Super</name>
+  <Surname>Man</Surname>
+  <age>23</age>
+</root>
+```

 At the moment, a one to one bi-directional conversion is guaranteed only for
 default configuration, except for `attrkey`, `charkey` and `explicitArray` options
@ -195,6 +205,11 @@ var obj = {root: {$: {id: "my id"}, _: "my inner text"}};
 var builder = new xml2js.Builder();
 var xml = builder.buildObject(obj);
 ```
+will result in:
+```xml
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<root id="my id">my inner text</root>
+```

 ### Adding xmlns attributes

@ -309,14 +324,18 @@ value})``. Possible options are:
    Version 0.1 default was `@`.
  * `charkey` (default: `_`): Prefix that is used to access the character
    content. Version 0.1 default was `#`.
-  * `explicitCharkey` (default: `false`)
+  * `explicitCharkey` (default: `false`) Determines whether or not to use 
+    a `charkey` prefix for elements with no attributes.
  * `trim` (default: `false`): Trim the whitespace at the beginning and end of
    text nodes.
  * `normalizeTags` (default: `false`): Normalize all tag names to lowercase.
  * `normalize` (default: `false`): Trim whitespaces inside text nodes.
  * `explicitRoot` (default: `true`): Set this if you want to get the root
    node in the resulting object.
-  * `emptyTag` (default: `''`): what will the value of empty nodes be.
+  * `emptyTag` (default: `''`): what will the value of empty nodes be. In case
+  you want to use an empty object as a default value, it is better to provide a factory
+   function `() => ({})` instead. Without this function a plain object would
+  become a shared reference across all occurrences with unwanted behavior.
  * `explicitArray` (default: `true`): Always put child nodes in an array if
    true; otherwise an array is created only if there is more than one.
  * `ignoreAttrs` (default: `false`): Ignore all XML attributes and only create
--- a/node_modules/xml2js/lib/parser.js
+++ b/node_modules/xml2js/lib/parser.js
@ -141,14 +141,14 @@
      this.saxParser.onopentag = (function(_this) {
        return function(node) {
          var key, newValue, obj, processedKey, ref;
-          obj = {};
+          obj = Object.create(null);
          obj[charkey] = "";
          if (!_this.options.ignoreAttrs) {
            ref = node.attributes;
            for (key in ref) {
              if (!hasProp.call(ref, key)) continue;
              if (!(attrkey in obj) && !_this.options.mergeAttrs) {
-                obj[attrkey] = {};
+                obj[attrkey] = Object.create(null);
              }
              newValue = _this.options.attrValueProcessors ? processItem(_this.options.attrValueProcessors, node.attributes[key], key) : node.attributes[key];
              processedKey = _this.options.attrNameProcessors ? processItem(_this.options.attrNameProcessors, key) : key;
@ -198,7 +198,11 @@
            }
          }
          if (isEmpty(obj)) {
-            obj = _this.options.emptyTag !== '' ? _this.options.emptyTag : emptyStr;
+            if (typeof _this.options.emptyTag === 'function') {
+              obj = _this.options.emptyTag();
+            } else {
+              obj = _this.options.emptyTag !== '' ? _this.options.emptyTag : emptyStr;
+            }
          }
          if (_this.options.validator != null) {
            xpath = "/" + ((function() {
@ -222,7 +226,7 @@
          }
          if (_this.options.explicitChildren && !_this.options.mergeAttrs && typeof obj === 'object') {
            if (!_this.options.preserveChildrenOrder) {
-              node = {};
+              node = Object.create(null);
              if (_this.options.attrkey in obj) {
                node[_this.options.attrkey] = obj[_this.options.attrkey];
                delete obj[_this.options.attrkey];
@ -237,7 +241,7 @@
              obj = node;
            } else if (s) {
              s[_this.options.childkey] = s[_this.options.childkey] || [];
-              objClone = {};
+              objClone = Object.create(null);
              for (key in obj) {
                if (!hasProp.call(obj, key)) continue;
                objClone[key] = obj[key];
@ -254,7 +258,7 @@
          } else {
            if (_this.options.explicitRoot) {
              old = obj;
-              obj = {};
+              obj = Object.create(null);
              obj[nodeName] = old;
            }
            _this.resultObject = obj;
--- a/node_modules/xml2js/package.json
+++ b/node_modules/xml2js/package.json
@ -6,7 +6,7 @@
    "json"
  ],
  "homepage": "https://github.com/Leonidas-from-XIV/node-xml2js",
-  "version": "0.4.23",
+  "version": "0.5.0",
  "author": "Marek Kubica <marek@xivilization.net> (https://xivilization.net)",
  "contributors": [
    "maqr <maqr.lollerskates@gmail.com> (https://github.com/maqr)",
@ -53,7 +53,8 @@
    "David Wood <david.p.wood@gmail.com> (http://codesleuth.co.uk/)",
    "Nicolas Maquet (https://github.com/nmaquet)",
    "Lovell Fuller (http://lovell.info/)",
-    "d3adc0d3 (https://github.com/d3adc0d3)"
+    "d3adc0d3 (https://github.com/d3adc0d3)",
+    "James Crosby (https://github.com/autopulated)"
  ],
  "main": "./lib/xml2js",
  "files": [
--- a/package-lock.json
+++ b/package-lock.json
@ -6101,9 +6101,9 @@
      }
    },
    "node_modules/xml2js": {
-      "version": "0.4.23",
-      "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz",
-      "integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==",
+      "version": "0.5.0",
+      "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",
+      "integrity": "sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==",
      "dependencies": {
        "sax": ">=0.6.0",
        "xmlbuilder": "~11.0.0"
--- a/package.json
+++ b/package.json
@ -73,5 +73,8 @@
    "removeNPMAbsolutePaths": "3.0.0",
    "sinon": "^15.0.1",
    "typescript": "^5.0.2"
+  },
+  "overrides": {
+    "xml2js": ">=0.5.0"
  }
 }