
Commit 16a68ab

okuryuredonkulus
authored and committed
Merge pull request from GHSA-h9rv-jmmf-4pgx
1 parent 3bab6de commit 16a68ab


4 files changed

+71
-178
lines changed


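--- a/index.js
+++ b/index.js
@@ -188,7 +188,7 @@ module.exports = function serialize(obj, options) {
 }
 
 if (type === 'R') {
-return regexps[valueIndex].toString();
+return "new RegExp(\"" + regexps[valueIndex].source + "\", \"" + regexps[valueIndex].flags + "\")";
 }
 
 if (type === 'M') {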
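Review bot: The added line 191 splices `regexps[valueIndex].source` raw into a double-quoted JS string literal, but `.source` only escapes `/` and line terminators, not `\` or `"`, so the emitted literal is not a faithful encoding of the pattern: the updated deserialize test in test/unit/serialize.js now expects `re.source` to equal `'..*'` for `/\..*/`, which documents the backslash being dropped on round-trip, and a `"` inside a pattern would terminate the literal early. The pattern should be emitted as a properly escaped string literal instead, e.g. `return "new RegExp(" + serialize(regexps[valueIndex].source, options) + ", \"" + regexps[valueIndex].flags + "\")";` (or at minimum `JSON.stringify(regexps[valueIndex].source)`), which presumably also routes the pattern through the same unsafe-character escaping the rest of the output gets — confirm against the string branch of serialize. The enclosing `serialize` function starts and ends outside this hunk.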

package-lock.json

Lines changed: 53 additions & 165 deletions

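--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "serialize-javascript",
-"version": "2.1.0",
+"version": "2.1.1",
 "description": "Serialize JavaScript to a superset of JSON that includes regular expressions and functions.",
 "main": "index.js",
 "scripts": {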

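--- a/test/unit/serialize.js
+++ b/test/unit/serialize.js
@@ -251,7 +251,7 @@ describe('serialize( obj )', function () {
 describe('regexps', function () {
 it('should serialize constructed regexps', function () {
 var re = new RegExp('asdf');
-expect(serialize(re)).to.be.a('string').equal('/asdf/');
+expect(serialize(re)).to.be.a('string').equal('new RegExp("asdf", "")');
 });
 
 it('should deserialize constructed regexps', function () {
@@ -262,7 +262,7 @@ describe('serialize( obj )', function () {
 
 it('should serialize literal regexps', function () {
 var re = /asdf/;
-expect(serialize(re)).to.be.a('string').equal('/asdf/');
+expect(serialize(re)).to.be.a('string').equal('new RegExp("asdf", "")');
 });
 
 it('should deserialize literal regexps', function () {
@@ -273,7 +273,7 @@ describe('serialize( obj )', function () {
 
 it('should serialize regexps with flags', function () {
 var re = /^asdf$/gi;
-expect(serialize(re)).to.equal('/^asdf$/gi');
+expect(serialize(re)).to.equal('new RegExp("^asdf$", "gi")');
 });
 
 it('should deserialize regexps with flags', function () {
@@ -285,17 +285,22 @@ describe('serialize( obj )', function () {
 });
 
 it('should serialize regexps with escaped chars', function () {
-expect(serialize(/\..*/)).to.equal('/\\..*/');
-expect(serialize(new RegExp('\\..*'))).to.equal('/\\..*/');
+expect(serialize(/\..*/)).to.equal('new RegExp("\\..*", "")');
+expect(serialize(new RegExp('\\..*'))).to.equal('new RegExp("\\..*", "")');
 });
 
 it('should deserialize regexps with escaped chars', function () {
 var re = eval(serialize(/\..*/));
 expect(re).to.be.a('RegExp');
-expect(re.source).to.equal('\\..*');
+expect(re.source).to.equal('..*');
 re = eval(serialize(new RegExp('\\..*')));
 expect(re).to.be.a('RegExp');
-expect(re.source).to.equal('\\..*');
+expect(re.source).to.equal('..*');
+});
+
+it('should serialize dangerous regexps', function () {
+var re = /[</script><script>alert('xss')//]/
+expect(serialize(re)).to.be.a('string').equal('new RegExp("[<\\/script><script>alert(\'xss\')\\/\\/]", "")');
 });
 });
 
@@ -332,8 +337,8 @@ describe('serialize( obj )', function () {
 ['a', 123],
 [regexKey, 456]
 ]);
-expect(serialize(m)).to.be.a('string').equal('new Map([["a",123],[/.*/,456]])');
-expect(serialize({t: [m]})).to.be.a('string').equal('{"t":[new Map([["a",123],[/.*/,456]])]}');
+expect(serialize(m)).to.be.a('string').equal('new Map([["a",123],[new RegExp(".*", ""),456]])');
+expect(serialize({t: [m]})).to.be.a('string').equal('{"t":[new Map([["a",123],[new RegExp(".*", ""),456]])]}');
 });
 
 it('should deserialize a map', function () {
@@ -354,8 +359,8 @@ describe('serialize( obj )', function () {
 123,
 regex
 ]);
-expect(serialize(m)).to.be.a('string').equal('new Set(["a",123,/.*/])');
-expect(serialize({t: [m]})).to.be.a('string').equal('{"t":[new Set(["a",123,/.*/])]}');
+expect(serialize(m)).to.be.a('string').equal('new Set(["a",123,new RegExp(".*", "")])');
+expect(serialize({t: [m]})).to.be.a('string').equal('{"t":[new Set(["a",123,new RegExp(".*", "")])]}');
 });
 
 it('should deserialize a set', function () {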
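Review bot: The new 'should serialize dangerous regexps' case (new lines 301-303) only pins the shape of the emitted string and never checks that evaluating it yields a RegExp equivalent to the input, which is the property the regexp branch is supposed to guarantee; a round-trip assertion such as `expect(eval(serialize(re)).source).to.equal(re.source);` and `expect(eval(serialize(re)).flags).to.equal(re.flags);` would make the test independent of the exact output format and would also have flagged the changed expectation `expect(re.source).to.equal('..*')` two tests above, where `/\..*/` no longer survives serialize/eval with its backslash. The `var re = /[</script><script>alert('xss')//]/` line is also missing its terminating semicolon, unlike the surrounding tests. The enclosing `describe('regexps', …)` block begins before the first hunk, and the Map/Set hunks belong to describe blocks that start outside this diff.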
