github
/
codeql-action
зеркало из https://github.com/github/codeql-action.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Require xml2js `>=0.5.0` to address CVE-2023-0842

This commit is contained in:
Henry Mercer 2023-04-11 13:33:36 +01:00
Родитель 9c13316a15
Коммит c2b5d643fd
6 изменённых файлов: 45 добавлений и 18 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

6
node_modules/.package-lock.json сгенерированный поставляемый
Просмотреть файл

@ -6045,9 +6045,9 @@
} }
}, },
"node_modules/xml2js": { "node_modules/xml2js": {
"version": "0.4.23", "version": "0.5.0",
"resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz", "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",
"integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==", "integrity": "sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==",
"dependencies": { "dependencies": {
"sax": ">=0.6.0", "sax": ">=0.6.0",
"xmlbuilder": "~11.0.0" "xmlbuilder": "~11.0.0"

27
node_modules/xml2js/README.md сгенерированный поставляемый
Просмотреть файл

@ -113,7 +113,7 @@ var xml = '<foo></foo>';
// With parser // With parser
var parser = new xml2js.Parser(/* options */); var parser = new xml2js.Parser(/* options */);
parser.parseStringPromise(data).then(function (result) { parser.parseStringPromise(xml).then(function (result) {
console.dir(result); console.dir(result);
console.log('Done'); console.log('Done');
}) })
@ -122,7 +122,7 @@ parser.parseStringPromise(data).then(function (result) {
}); });
// Without parser // Without parser
xml2js.parseStringPromise(data /*, options */).then(function (result) { xml2js.parseStringPromise(xml /*, options */).then(function (result) {
console.dir(result); console.dir(result);
console.log('Done'); console.log('Done');
}) })
@ -180,6 +180,16 @@ var obj = {name: "Super", Surname: "Man", age: 23};
var builder = new xml2js.Builder(); var builder = new xml2js.Builder();
var xml = builder.buildObject(obj); var xml = builder.buildObject(obj);
``` ```
will result in:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<root>
<name>Super</name>
<Surname>Man</Surname>
<age>23</age>
</root>
```
At the moment, a one to one bi-directional conversion is guaranteed only for At the moment, a one to one bi-directional conversion is guaranteed only for
default configuration, except for `attrkey`, `charkey` and `explicitArray` options default configuration, except for `attrkey`, `charkey` and `explicitArray` options
@ -195,6 +205,11 @@ var obj = {root: {$: {id: "my id"}, _: "my inner text"}};
var builder = new xml2js.Builder(); var builder = new xml2js.Builder();
var xml = builder.buildObject(obj); var xml = builder.buildObject(obj);
``` ```
will result in:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<root id="my id">my inner text</root>
```
### Adding xmlns attributes ### Adding xmlns attributes
@ -309,14 +324,18 @@ value})``. Possible options are:
Version 0.1 default was `@`. Version 0.1 default was `@`.
* `charkey` (default: `_`): Prefix that is used to access the character * `charkey` (default: `_`): Prefix that is used to access the character
content. Version 0.1 default was `#`. content. Version 0.1 default was `#`.
* `explicitCharkey` (default: `false`) * `explicitCharkey` (default: `false`) Determines whether or not to use
a `charkey` prefix for elements with no attributes.
* `trim` (default: `false`): Trim the whitespace at the beginning and end of * `trim` (default: `false`): Trim the whitespace at the beginning and end of
text nodes. text nodes.
* `normalizeTags` (default: `false`): Normalize all tag names to lowercase. * `normalizeTags` (default: `false`): Normalize all tag names to lowercase.
* `normalize` (default: `false`): Trim whitespaces inside text nodes. * `normalize` (default: `false`): Trim whitespaces inside text nodes.
* `explicitRoot` (default: `true`): Set this if you want to get the root * `explicitRoot` (default: `true`): Set this if you want to get the root
node in the resulting object. node in the resulting object.
* `emptyTag` (default: `''`): what will the value of empty nodes be. * `emptyTag` (default: `''`): what will the value of empty nodes be. In case
you want to use an empty object as a default value, it is better to provide a factory
function `() => ({})` instead. Without this function a plain object would
become a shared reference across all occurrences with unwanted behavior.
* `explicitArray` (default: `true`): Always put child nodes in an array if * `explicitArray` (default: `true`): Always put child nodes in an array if
true; otherwise an array is created only if there is more than one. true; otherwise an array is created only if there is more than one.
* `ignoreAttrs` (default: `false`): Ignore all XML attributes and only create * `ignoreAttrs` (default: `false`): Ignore all XML attributes and only create

16
node_modules/xml2js/lib/parser.js сгенерированный поставляемый
Просмотреть файл

@ -141,14 +141,14 @@
this.saxParser.onopentag = (function(_this) { this.saxParser.onopentag = (function(_this) {
return function(node) { return function(node) {
var key, newValue, obj, processedKey, ref; var key, newValue, obj, processedKey, ref;
obj = {}; obj = Object.create(null);
obj[charkey] = ""; obj[charkey] = "";
if (!_this.options.ignoreAttrs) { if (!_this.options.ignoreAttrs) {
ref = node.attributes; ref = node.attributes;
for (key in ref) { for (key in ref) {
if (!hasProp.call(ref, key)) continue; if (!hasProp.call(ref, key)) continue;
if (!(attrkey in obj) && !_this.options.mergeAttrs) { if (!(attrkey in obj) && !_this.options.mergeAttrs) {
obj[attrkey] = {}; obj[attrkey] = Object.create(null);
} }
newValue = _this.options.attrValueProcessors ? processItem(_this.options.attrValueProcessors, node.attributes[key], key) : node.attributes[key]; newValue = _this.options.attrValueProcessors ? processItem(_this.options.attrValueProcessors, node.attributes[key], key) : node.attributes[key];
processedKey = _this.options.attrNameProcessors ? processItem(_this.options.attrNameProcessors, key) : key; processedKey = _this.options.attrNameProcessors ? processItem(_this.options.attrNameProcessors, key) : key;
@ -198,7 +198,11 @@
} }
} }
if (isEmpty(obj)) { if (isEmpty(obj)) {
obj = _this.options.emptyTag !== '' ? _this.options.emptyTag : emptyStr; if (typeof _this.options.emptyTag === 'function') {
obj = _this.options.emptyTag();
} else {
obj = _this.options.emptyTag !== '' ? _this.options.emptyTag : emptyStr;
}
} }
if (_this.options.validator != null) { if (_this.options.validator != null) {
xpath = "/" + ((function() { xpath = "/" + ((function() {
@ -222,7 +226,7 @@
} }
if (_this.options.explicitChildren && !_this.options.mergeAttrs && typeof obj === 'object') { if (_this.options.explicitChildren && !_this.options.mergeAttrs && typeof obj === 'object') {
if (!_this.options.preserveChildrenOrder) { if (!_this.options.preserveChildrenOrder) {
node = {}; node = Object.create(null);
if (_this.options.attrkey in obj) { if (_this.options.attrkey in obj) {
node[_this.options.attrkey] = obj[_this.options.attrkey]; node[_this.options.attrkey] = obj[_this.options.attrkey];
delete obj[_this.options.attrkey]; delete obj[_this.options.attrkey];
@ -237,7 +241,7 @@
obj = node; obj = node;
} else if (s) { } else if (s) {
s[_this.options.childkey] = s[_this.options.childkey] || []; s[_this.options.childkey] = s[_this.options.childkey] || [];
objClone = {}; objClone = Object.create(null);
for (key in obj) { for (key in obj) {
if (!hasProp.call(obj, key)) continue; if (!hasProp.call(obj, key)) continue;
objClone[key] = obj[key]; objClone[key] = obj[key];
@ -254,7 +258,7 @@
} else { } else {
if (_this.options.explicitRoot) { if (_this.options.explicitRoot) {
old = obj; old = obj;
obj = {}; obj = Object.create(null);
obj[nodeName] = old; obj[nodeName] = old;
} }
_this.resultObject = obj; _this.resultObject = obj;

5
node_modules/xml2js/package.json сгенерированный поставляемый
Просмотреть файл

@ -6,7 +6,7 @@
"json" "json"
], ],
"homepage": "https://github.com/Leonidas-from-XIV/node-xml2js", "homepage": "https://github.com/Leonidas-from-XIV/node-xml2js",
"version": "0.4.23", "version": "0.5.0",
"author": "Marek Kubica <marek@xivilization.net> (https://xivilization.net)", "author": "Marek Kubica <marek@xivilization.net> (https://xivilization.net)",
"contributors": [ "contributors": [
"maqr <maqr.lollerskates@gmail.com> (https://github.com/maqr)", "maqr <maqr.lollerskates@gmail.com> (https://github.com/maqr)",
@ -53,7 +53,8 @@
"David Wood <david.p.wood@gmail.com> (http://codesleuth.co.uk/)", "David Wood <david.p.wood@gmail.com> (http://codesleuth.co.uk/)",
"Nicolas Maquet (https://github.com/nmaquet)", "Nicolas Maquet (https://github.com/nmaquet)",
"Lovell Fuller (http://lovell.info/)", "Lovell Fuller (http://lovell.info/)",
"d3adc0d3 (https://github.com/d3adc0d3)" "d3adc0d3 (https://github.com/d3adc0d3)",
"James Crosby (https://github.com/autopulated)"
], ],
"main": "./lib/xml2js", "main": "./lib/xml2js",
"files": [ "files": [

6
package-lock.json сгенерированный
Просмотреть файл

@ -6101,9 +6101,9 @@
} }
}, },
"node_modules/xml2js": { "node_modules/xml2js": {
"version": "0.4.23", "version": "0.5.0",
"resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.4.23.tgz", "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.5.0.tgz",
"integrity": "sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==", "integrity": "sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==",
"dependencies": { "dependencies": {
"sax": ">=0.6.0", "sax": ">=0.6.0",
"xmlbuilder": "~11.0.0" "xmlbuilder": "~11.0.0"

3
package.json
Просмотреть файл

@ -73,5 +73,8 @@
"removeNPMAbsolutePaths": "3.0.0", "removeNPMAbsolutePaths": "3.0.0",
"sinon": "^15.0.1", "sinon": "^15.0.1",
"typescript": "^5.0.2" "typescript": "^5.0.2"
},
"overrides": {
"xml2js": ">=0.5.0"
} }
} }