From e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61 Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Fri, 5 Apr 2019 16:19:13 +0300
Subject: [PATCH 01/24] Fix possible code execution in (already unsafe) load()
... when object with executable toString() property is used as a map key
---
lib/js-yaml/loader.js | 19 +++++++++++++++++--
test/issues/0480-date.yml | 1 +
test/issues/0480-fn-array.yml | 4 ++++
test/issues/0480-fn.yml | 1 +
test/issues/0480-fn2.yml | 1 +
test/issues/0480.js | 34 ++++++++++++++++++++++++++++++++++
6 files changed, 58 insertions(+), 2 deletions(-)
create mode 100644 test/issues/0480-date.yml
create mode 100644 test/issues/0480-fn-array.yml
create mode 100644 test/issues/0480-fn.yml
create mode 100644 test/issues/0480-fn2.yml
create mode 100644 test/issues/0480.js
diff --git a/lib/js-yaml/loader.js b/lib/js-yaml/loader.js
index 433ee211..2815c955 100644
--- a/lib/js-yaml/loader.js
+++ b/lib/js-yaml/loader.js
@@ -30,6 +30,8 @@ var PATTERN_TAG_HANDLE = /^(?:!|!!|![a-z\-]+!)$/i;
var PATTERN_TAG_URI = /^(?:!|[^,\[\]\{\}])(?:%[0-9a-f]{2}|[0-9a-z\-#;\/\?:@&=\+\$,_\.!~\*'\(\)\[\]])*$/i;
+function _class(obj) { return Object.prototype.toString.call(obj); }
+
function is_EOL(c) {
return (c === 0x0A/* LF */) || (c === 0x0D/* CR */);
}
@@ -287,16 +289,29 @@ function storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valu
// The output is a plain object here, so keys can only be strings.
// We need to convert keyNode to a string, but doing so can hang the process
- // (deeply nested arrays that explode exponentially using aliases) or execute
- // code via toString.
+ // (deeply nested arrays that explode exponentially using aliases).
if (Array.isArray(keyNode)) {
+ keyNode = Array.prototype.slice.call(keyNode);
+
for (index = 0, quantity = keyNode.length; index < quantity; index += 1) {
if (Array.isArray(keyNode[index])) {
throwError(state, 'nested arrays are not supported inside keys');
}
+
+ if (typeof keyNode === 'object' && _class(keyNode[index]) === '[object Object]') {
+ keyNode[index] = '[object Object]';
+ }
}
}
+ // Avoid code execution in load() via toString property
+ // (still use its own toString for arrays, timestamps,
+ // and whatever user schema extensions happen to have @@toStringTag)
+ if (typeof keyNode === 'object' && _class(keyNode) === '[object Object]') {
+ keyNode = '[object Object]';
+ }
+
+
keyNode = String(keyNode);
if (_result === null) {
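Review bot: In the array loop the new guard tests `typeof keyNode === 'object'`, which is the array itself and so is always true at that point; the element is only examined by `_class(keyNode[index])`. The outcome is still correct because the `_class` comparison alone identifies plain objects, but the condition reads as if it validated the element, so I would write `if (_class(keyNode[index]) === '[object Object]') {` or test `typeof keyNode[index]` instead. A short comment on `Array.prototype.slice.call(keyNode)` would also help, saying that the key is copied so the replacement does not mutate a sequence that may be referenced elsewhere (presumably through an alias; confirm). storeMappingPair begins and continues outside this hunk.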
diff --git a/test/issues/0480-date.yml b/test/issues/0480-date.yml
new file mode 100644
index 00000000..3fcac6e0
--- /dev/null
+++ b/test/issues/0480-date.yml
@@ -0,0 +1 @@
+{ ! '2019-04-05T12:00:43.467Z': 123 }
diff --git a/test/issues/0480-fn-array.yml b/test/issues/0480-fn-array.yml
new file mode 100644
index 00000000..2e151bf5
--- /dev/null
+++ b/test/issues/0480-fn-array.yml
@@ -0,0 +1,4 @@
+? [
+ 123,
+ { toString: ! 'function (){throw new Error("code execution")}' }
+] : key
diff --git a/test/issues/0480-fn.yml b/test/issues/0480-fn.yml
new file mode 100644
index 00000000..68412be5
--- /dev/null
+++ b/test/issues/0480-fn.yml
@@ -0,0 +1 @@
+{ toString: ! 'function (){throw new Error("code execution")}' } : key
diff --git a/test/issues/0480-fn2.yml b/test/issues/0480-fn2.yml
new file mode 100644
index 00000000..6efd250d
--- /dev/null
+++ b/test/issues/0480-fn2.yml
@@ -0,0 +1 @@
+{ __proto__: { toString: ! 'function(){throw new Error("code execution")}' } } : key
diff --git a/test/issues/0480.js b/test/issues/0480.js
new file mode 100644
index 00000000..bd9f4180
--- /dev/null
+++ b/test/issues/0480.js
@@ -0,0 +1,34 @@
+'use strict';
+
+
+var assert = require('assert');
+var yaml = require('../../');
+var readFileSync = require('fs').readFileSync;
+
+
+test('Should not execute code when object with toString property is used as a key', function () {
+ var data = yaml.load(readFileSync(require('path').join(__dirname, '/0480-fn.yml'), 'utf8'));
+
+ assert.deepEqual(data, { '[object Object]': 'key' });
+});
+
+test('Should not execute code when object with __proto__ property is used as a key', function () {
+ var data = yaml.load(readFileSync(require('path').join(__dirname, '/0480-fn2.yml'), 'utf8'));
+
+ assert.deepEqual(data, { '[object Object]': 'key' });
+});
+
+test('Should not execute code when object inside array is used as a key', function () {
+ var data = yaml.load(readFileSync(require('path').join(__dirname, '/0480-fn-array.yml'), 'utf8'));
+
+ assert.deepEqual(data, { '123,[object Object]': 'key' });
+});
+
+// this test does not guarantee in any way proper handling of date objects,
+// it just keeps old behavior whenever possible
+test('Should leave non-plain objects as is', function () {
+ var data = yaml.load(readFileSync(require('path').join(__dirname, '/0480-date.yml'), 'utf8'));
+
+ assert.deepEqual(Object.keys(data).length, 1);
+ assert(/2019/.test(Object.keys(data)[0]));
+});
From da8ecf24b63d2307015e75ee8bd1da1977071e35 Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Fri, 5 Apr 2019 19:13:28 +0300
Subject: [PATCH 02/24] Browser files rebuild
---
dist/js-yaml.js | 21 ++++++++++++++++++---
dist/js-yaml.min.js | 2 +-
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/dist/js-yaml.js b/dist/js-yaml.js
index b9e80da6..fad044a4 100644
--- a/dist/js-yaml.js
+++ b/dist/js-yaml.js
@@ -1,4 +1,4 @@
-/* js-yaml 3.13.0 https://github.com/nodeca/js-yaml */(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.jsyaml = f()}})(function(){var define,module,exports;return (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof require&&require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u="function"==typeof require&&require,i=0;i=i.flowLevel;switch(H(r,n,i.indent,t,function(e){return function(e,t){var n,i;for(n=0,i=e.implicitTypes.length;n"+V(r,i.indent)+Z(L(function(t,n){var e,i,r=/(\n+)([^\n]*)/g,o=function(){var e=t.indexOf("\n");return e=-1!==e?e:t.length,r.lastIndex=e,z(t.slice(0,e),n)}(),a="\n"===t[0]||" "===t[0];for(;i=r.exec(t);){var s=i[1],c=i[2];e=" "===c[0],o+=s+(a||e||""===c?"":"\n")+z(c,n),a=e}return o}(r,t),e));case $:return'"'+function(e){for(var t,n,i,r="",o=0;ot&&o tag resolver accepts not "'+c+'" style');i=s.represent[c](t,c)}e.dump=i}return!0}return!1}function Q(e,t,n,i,r,o){e.tag=null,e.dump=n,J(e,n,!1)||J(e,n,!0);var a=p.call(e.dump);i&&(i=e.flowLevel<0||e.flowLevel>t);var s,c,u="[object Object]"===a||"[object Array]"===a;if(u&&(c=-1!==(s=e.duplicates.indexOf(n))),(null!==e.tag&&"?"!==e.tag||c||2!==e.indent&&0 "+e.dump)}return!0}function X(e,t){var n,i,r=[],o=[];for(function e(t,n,i){var r,o,a;if(null!==t&&"object"==typeof t)if(-1!==(o=n.indexOf(t)))-1===i.indexOf(o)&&i.push(o);else if(n.push(t),Array.isArray(t))for(o=0,a=t.length;o>10),56320+(e-65536&1023))}for(var M=new Array(256),T=new Array(256),d=0;d<256;d++)M[d]=f(d)?1:0,T[d]=f(d);function 
h(e,t){this.input=e,this.filename=t.filename||null,this.schema=t.schema||a,this.onWarning=t.onWarning||null,this.legacy=t.legacy||!1,this.json=t.json||!1,this.listener=t.listener||null,this.implicitTypes=this.schema.compiledImplicit,this.typeMap=this.schema.compiledTypeMap,this.length=e.length,this.position=0,this.line=0,this.lineStart=0,this.lineIndent=0,this.documents=[]}function m(e,t){return new i(t,new r(e.filename,e.input,e.position,e.line,e.position-e.lineStart))}function L(e,t){throw m(e,t)}function D(e,t){e.onWarning&&e.onWarning.call(null,m(e,t))}var U={YAML:function(e,t,n){var i,r,o;null!==e.version&&L(e,"duplication of %YAML directive"),1!==n.length&&L(e,"YAML directive accepts exactly one argument"),null===(i=/^([0-9]+)\.([0-9]+)$/.exec(n[0]))&&L(e,"ill-formed argument of the YAML directive"),r=parseInt(i[1],10),o=parseInt(i[2],10),1!==r&&L(e,"unacceptable YAML version of the document"),e.version=n[0],e.checkLineBreaks=o<2,1!==o&&2!==o&&D(e,"unsupported YAML version of the document")},TAG:function(e,t,n){var i,r;2!==n.length&&L(e,"TAG directive accepts exactly two arguments"),i=n[0],r=n[1],l.test(i)||L(e,"ill-formed tag handle (first argument) of the TAG directive"),y.call(e.tagMap,i)&&L(e,'there is a previously declared suffix for "'+i+'" tag handle'),p.test(r)||L(e,"ill-formed tag prefix (second argument) of the TAG directive"),e.tagMap[i]=r}};function q(e,t,n,i){var r,o,a,s;if(tt)&&0!==i)L(e,"bad indentation of a sequence entry");else if(e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt)&&(V(e,t,b,!0,r)&&(m?d=e.result:h=e.result),m||(R(e,l,p,f,d,h,o,a),f=d=h=null),P(e,!0,-1),s=e.input.charCodeAt(e.position)),e.lineIndent>t&&0!==s)L(e,"bad indentation of a mapping entry");else 
if(e.lineIndentu&&(u=e.lineIndent),j(o))l++;else{if(e.lineIndent=t){a=!0,l=e.input.charCodeAt(e.position);continue}e.position=o,e.line=s,e.lineStart=c,e.lineIndent=u;break}}a&&(q(e,r,o,!1),K(e,e.line-s),r=o=e.position,a=!1),I(l)||(o=e.position+1),l=e.input.charCodeAt(++e.position)}return q(e,r,o,!1),!!e.result||(e.kind=p,e.result=f,!1)}(e,p,x===n)&&(m=!0,null===e.tag&&(e.tag="?")):(m=!0,null===e.tag&&null===e.anchor||L(e,"alias node should not have any properties")),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):0===d&&(m=s&&$(e,f))),null!==e.tag&&"!"!==e.tag)if("?"===e.tag){for(c=0,u=e.implicitTypes.length;c tag; it should be "'+l.kind+'", not "'+e.kind+'"'),l.resolve(e.result)?(e.result=l.construct(e.result),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):L(e,"cannot resolve a node with !<"+e.tag+"> explicit tag")):L(e,"unknown tag !<"+e.tag+">");return null!==e.listener&&e.listener("close",e),null!==e.tag||null!==e.anchor||m}function Z(e){var t,n,i,r,o=e.position,a=!1;for(e.version=null,e.checkLineBreaks=e.legacy,e.tagMap={},e.anchorMap={};0!==(r=e.input.charCodeAt(e.position))&&(P(e,!0,-1),r=e.input.charCodeAt(e.position),!(0t/2-1){n=" ... ",i+=5;break}for(r="",o=this.position;ot/2-1){r=" ... 
",o-=5;break}return a=this.buffer.slice(i,o),s.repeat(" ",e)+n+a+r+"\n"+s.repeat(" ",e+this.position-i+n.length)+"^"},i.prototype.toString=function(e){var t,n="";return this.name&&(n+='in "'+this.name+'" '),n+="at line "+(this.line+1)+", column "+(this.column+1),e||(t=this.getSnippet())&&(n+=":\n"+t),n},t.exports=i},{"./common":2}],7:[function(e,t,n){"use strict";var i=e("./common"),r=e("./exception"),o=e("./type");function a(e,t,i){var r=[];return e.include.forEach(function(e){i=a(e,t,i)}),e[t].forEach(function(n){i.forEach(function(e,t){e.tag===n.tag&&e.kind===n.kind&&r.push(t)}),i.push(n)}),i.filter(function(e,t){return-1===r.indexOf(t)})}function s(e){this.include=e.include||[],this.implicit=e.implicit||[],this.explicit=e.explicit||[],this.implicit.forEach(function(e){if(e.loadKind&&"scalar"!==e.loadKind)throw new r("There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.")}),this.compiledImplicit=a(this,"implicit",[]),this.compiledExplicit=a(this,"explicit",[]),this.compiledTypeMap=function(){var e,t,n={scalar:{},sequence:{},mapping:{},fallback:{}};function i(e){n[e.kind][e.tag]=n.fallback[e.tag]=e}for(e=0,t=arguments.length;e>16&255),s.push(a>>8&255),s.push(255&a)),a=a<<6|o.indexOf(i.charAt(t));return 0==(n=r%4*6)?(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)):18==n?(s.push(a>>10&255),s.push(a>>2&255)):12==n&&s.push(a>>4&255),c?c.from?c.from(s):new c(s):s},predicate:function(e){return c&&c.isBuffer(e)},represent:function(e){var t,n,i="",r=0,o=e.length,a=u;for(t=0;t>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]),r=(r<<8)+e[t];return 0==(n=o%3)?(i+=a[r>>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]):2==n?(i+=a[r>>10&63],i+=a[r>>4&63],i+=a[r<<2&63],i+=a[64]):1==n&&(i+=a[r>>2&63],i+=a[r<<4&63],i+=a[64],i+=a[64]),i}})},{"../type":13}],15:[function(e,t,n){"use strict";var i=e("../type");t.exports=new i("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t=e.length;return 
4===t&&("true"===e||"True"===e||"TRUE"===e)||5===t&&("false"===e||"False"===e||"FALSE"===e)},construct:function(e){return"true"===e||"True"===e||"TRUE"===e},predicate:function(e){return"[object Boolean]"===Object.prototype.toString.call(e)},represent:{lowercase:function(e){return e?"true":"false"},uppercase:function(e){return e?"TRUE":"FALSE"},camelcase:function(e){return e?"True":"False"}},defaultStyle:"lowercase"})},{"../type":13}],16:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type"),o=new RegExp("^(?:[-+]?(?:0|[1-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\\.[0-9_]*|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var a=/^[-+]?[0-9]+e/;t.exports=new r("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(e){return null!==e&&!(!o.test(e)||"_"===e[e.length-1])},construct:function(e){var t,n,i,r;return n="-"===(t=e.replace(/_/g,"").toLowerCase())[0]?-1:1,r=[],0<="+-".indexOf(t[0])&&(t=t.slice(1)),".inf"===t?1==n?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===t?NaN:0<=t.indexOf(":")?(t.split(":").forEach(function(e){r.unshift(parseFloat(e,10))}),t=0,i=1,r.forEach(function(e){t+=e*i,i*=60}),n*t):n*parseFloat(t,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&(e%1!=0||i.isNegativeZero(e))},represent:function(e,t){var n;if(isNaN(e))switch(t){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===e)switch(t){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===e)switch(t){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(i.isNegativeZero(e))return"-0.0";return n=e.toString(10),a.test(n)?n.replace("e",".e"):n},defaultStyle:"lowercase"})},{"../common":2,"../type":13}],17:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type");function o(e){return 
48<=e&&e<=57||65<=e&&e<=70||97<=e&&e<=102}function a(e){return 48<=e&&e<=55}function s(e){return 48<=e&&e<=57}t.exports=new r("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n=e.length,i=0,r=!1;if(!n)return!1;if("-"!==(t=e[i])&&"+"!==t||(t=e[++i]),"0"===t){if(i+1===n)return!0;if("b"===(t=e[++i])){for(i++;i=i.flowLevel;switch(H(r,n,i.indent,t,function(e){return function(e,t){var n,i;for(n=0,i=e.implicitTypes.length;n"+V(r,i.indent)+Z(L(function(t,n){var e,i,r=/(\n+)([^\n]*)/g,o=function(){var e=t.indexOf("\n");return e=-1!==e?e:t.length,r.lastIndex=e,z(t.slice(0,e),n)}(),a="\n"===t[0]||" "===t[0];for(;i=r.exec(t);){var s=i[1],c=i[2];e=" "===c[0],o+=s+(a||e||""===c?"":"\n")+z(c,n),a=e}return o}(r,t),e));case $:return'"'+function(e){for(var t,n,i,r="",o=0;ot&&o tag resolver accepts not "'+c+'" style');i=s.represent[c](t,c)}e.dump=i}return!0}return!1}function Q(e,t,n,i,r,o){e.tag=null,e.dump=n,J(e,n,!1)||J(e,n,!0);var a=p.call(e.dump);i&&(i=e.flowLevel<0||e.flowLevel>t);var s,c,u="[object Object]"===a||"[object Array]"===a;if(u&&(c=-1!==(s=e.duplicates.indexOf(n))),(null!==e.tag&&"?"!==e.tag||c||2!==e.indent&&0 "+e.dump)}return!0}function X(e,t){var n,i,r=[],o=[];for(function e(t,n,i){var r,o,a;if(null!==t&&"object"==typeof t)if(-1!==(o=n.indexOf(t)))-1===i.indexOf(o)&&i.push(o);else if(n.push(t),Array.isArray(t))for(o=0,a=t.length;ot)&&0!==i)N(e,"bad indentation of a sequence entry");else if(e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt)&&($(e,t,b,!0,r)&&(m?d=e.result:h=e.result),m||(U(e,l,p,f,d,h,o,a),f=d=h=null),Y(e,!0,-1),s=e.input.charCodeAt(e.position)),e.lineIndent>t&&0!==s)N(e,"bad indentation of a mapping entry");else if(e.lineIndentl&&(l=e.lineIndent),j(o))p++;else{if(e.lineIndent>10),56320+(c-65536&1023)),e.position++}else N(e,"unknown escape sequence");n=i=e.position}else j(s)?(L(e,n,i,!0),B(e,Y(e,!1,t)),n=i=e.position):e.position===e.lineStart&&R(e)?N(e,"unexpected end of 
the document within a double quoted scalar"):(e.position++,i=e.position)}N(e,"unexpected end of the stream within a double quoted scalar")}(e,p)?m=!0:!function(e){var t,n,i;if(42!==(i=e.input.charCodeAt(e.position)))return!1;for(i=e.input.charCodeAt(++e.position),t=e.position;0!==i&&!I(i)&&!O(i);)i=e.input.charCodeAt(++e.position);return e.position===t&&N(e,"name of an alias node must contain at least one character"),n=e.input.slice(t,e.position),e.anchorMap.hasOwnProperty(n)||N(e,'unidentified alias "'+n+'"'),e.result=e.anchorMap[n],Y(e,!0,-1),!0}(e)?function(e,t,n){var i,r,o,a,s,c,u,l,p=e.kind,f=e.result;if(I(l=e.input.charCodeAt(e.position))||O(l)||35===l||38===l||42===l||33===l||124===l||62===l||39===l||34===l||37===l||64===l||96===l)return!1;if((63===l||45===l)&&(I(i=e.input.charCodeAt(e.position+1))||n&&O(i)))return!1;for(e.kind="scalar",e.result="",r=o=e.position,a=!1;0!==l;){if(58===l){if(I(i=e.input.charCodeAt(e.position+1))||n&&O(i))break}else if(35===l){if(I(e.input.charCodeAt(e.position-1)))break}else{if(e.position===e.lineStart&&R(e)||n&&O(l))break;if(j(l)){if(s=e.line,c=e.lineStart,u=e.lineIndent,Y(e,!1,-1),e.lineIndent>=t){a=!0,l=e.input.charCodeAt(e.position);continue}e.position=o,e.line=s,e.lineStart=c,e.lineIndent=u;break}}a&&(L(e,r,o,!1),B(e,e.line-s),r=o=e.position,a=!1),S(l)||(o=e.position+1),l=e.input.charCodeAt(++e.position)}return L(e,r,o,!1),!!e.result||(e.kind=p,e.result=f,!1)}(e,p,x===n)&&(m=!0,null===e.tag&&(e.tag="?")):(m=!0,null===e.tag&&null===e.anchor||N(e,"alias node should not have any properties")),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):0===d&&(m=s&&P(e,f))),null!==e.tag&&"!"!==e.tag)if("?"===e.tag){for(c=0,u=e.implicitTypes.length;c tag; it should be "'+l.kind+'", not "'+e.kind+'"'),l.resolve(e.result)?(e.result=l.construct(e.result),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):N(e,"cannot resolve a node with !<"+e.tag+"> explicit tag")):N(e,"unknown tag !<"+e.tag+">");return 
null!==e.listener&&e.listener("close",e),null!==e.tag||null!==e.anchor||m}function H(e){var t,n,i,r,o=e.position,a=!1;for(e.version=null,e.checkLineBreaks=e.legacy,e.tagMap={},e.anchorMap={};0!==(r=e.input.charCodeAt(e.position))&&(Y(e,!0,-1),r=e.input.charCodeAt(e.position),!(0t/2-1){n=" ... ",i+=5;break}for(r="",o=this.position;ot/2-1){r=" ... ",o-=5;break}return a=this.buffer.slice(i,o),s.repeat(" ",e)+n+a+r+"\n"+s.repeat(" ",e+this.position-i+n.length)+"^"},i.prototype.toString=function(e){var t,n="";return this.name&&(n+='in "'+this.name+'" '),n+="at line "+(this.line+1)+", column "+(this.column+1),e||(t=this.getSnippet())&&(n+=":\n"+t),n},t.exports=i},{"./common":2}],7:[function(e,t,n){"use strict";var i=e("./common"),r=e("./exception"),o=e("./type");function a(e,t,i){var r=[];return e.include.forEach(function(e){i=a(e,t,i)}),e[t].forEach(function(n){i.forEach(function(e,t){e.tag===n.tag&&e.kind===n.kind&&r.push(t)}),i.push(n)}),i.filter(function(e,t){return-1===r.indexOf(t)})}function s(e){this.include=e.include||[],this.implicit=e.implicit||[],this.explicit=e.explicit||[],this.implicit.forEach(function(e){if(e.loadKind&&"scalar"!==e.loadKind)throw new r("There is a non-scalar type in the implicit list of a schema. 
Implicit resolving of such types is not supported.")}),this.compiledImplicit=a(this,"implicit",[]),this.compiledExplicit=a(this,"explicit",[]),this.compiledTypeMap=function(){var e,t,n={scalar:{},sequence:{},mapping:{},fallback:{}};function i(e){n[e.kind][e.tag]=n.fallback[e.tag]=e}for(e=0,t=arguments.length;e>16&255),s.push(a>>8&255),s.push(255&a)),a=a<<6|o.indexOf(i.charAt(t));return 0==(n=r%4*6)?(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)):18==n?(s.push(a>>10&255),s.push(a>>2&255)):12==n&&s.push(a>>4&255),c?c.from?c.from(s):new c(s):s},predicate:function(e){return c&&c.isBuffer(e)},represent:function(e){var t,n,i="",r=0,o=e.length,a=u;for(t=0;t>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]),r=(r<<8)+e[t];return 0==(n=o%3)?(i+=a[r>>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]):2==n?(i+=a[r>>10&63],i+=a[r>>4&63],i+=a[r<<2&63],i+=a[64]):1==n&&(i+=a[r>>2&63],i+=a[r<<4&63],i+=a[64],i+=a[64]),i}})},{"../type":13}],15:[function(e,t,n){"use strict";var i=e("../type");t.exports=new i("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t=e.length;return 4===t&&("true"===e||"True"===e||"TRUE"===e)||5===t&&("false"===e||"False"===e||"FALSE"===e)},construct:function(e){return"true"===e||"True"===e||"TRUE"===e},predicate:function(e){return"[object Boolean]"===Object.prototype.toString.call(e)},represent:{lowercase:function(e){return e?"true":"false"},uppercase:function(e){return e?"TRUE":"FALSE"},camelcase:function(e){return e?"True":"False"}},defaultStyle:"lowercase"})},{"../type":13}],16:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type"),o=new RegExp("^(?:[-+]?(?:0|[1-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\\.[0-9_]*|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var a=/^[-+]?[0-9]+e/;t.exports=new r("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(e){return null!==e&&!(!o.test(e)||"_"===e[e.length-1])},construct:function(e){var 
t,n,i,r;return n="-"===(t=e.replace(/_/g,"").toLowerCase())[0]?-1:1,r=[],0<="+-".indexOf(t[0])&&(t=t.slice(1)),".inf"===t?1==n?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===t?NaN:0<=t.indexOf(":")?(t.split(":").forEach(function(e){r.unshift(parseFloat(e,10))}),t=0,i=1,r.forEach(function(e){t+=e*i,i*=60}),n*t):n*parseFloat(t,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&(e%1!=0||i.isNegativeZero(e))},represent:function(e,t){var n;if(isNaN(e))switch(t){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===e)switch(t){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===e)switch(t){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(i.isNegativeZero(e))return"-0.0";return n=e.toString(10),a.test(n)?n.replace("e",".e"):n},defaultStyle:"lowercase"})},{"../common":2,"../type":13}],17:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type");t.exports=new r("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i,r,o=e.length,a=0,s=!1;if(!o)return!1;if("-"!==(t=e[a])&&"+"!==t||(t=e[++a]),"0"===t){if(a+1===o)return!0;if("b"===(t=e[++a])){for(a++;a
Date: Fri, 5 Apr 2019 19:13:53 +0300
Subject: [PATCH 03/24] 3.13.1 released
---
CHANGELOG.md | 6 ++++++
package.json | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42c0acdb..3f1cc985 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+3.13.1 / 2019-04-05
+-------------------
+
+- Fix possible code execution in (already unsafe) `.load()`, #480.
+
+
3.13.0 / 2019-03-20
-------------------
diff --git a/package.json b/package.json
index 9f605d3b..4eefe04e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "js-yaml",
- "version": "3.13.0",
+ "version": "3.13.1",
"description": "YAML 1.2 parser and serializer",
"keywords": [
"yaml",
From 7d507cba6ddc7ef82d270a12b2a9b6c00a741fa7 Mon Sep 17 00:00:00 2001
From: Fabio Spampinato
Date: Wed, 10 Jul 2019 23:00:48 +0200
Subject: [PATCH 04/24] =?UTF-8?q?Readme:=20clarified=20=E2=80=9CsafeLoad?=
=?UTF-8?q?=E2=80=9D=20return=20type?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 03a9e5ae..43f56bf9 100644
--- a/README.md
+++ b/README.md
@@ -95,9 +95,9 @@ try {
### safeLoad (string [ , options ])
-**Recommended loading way.** Parses `string` as single YAML document. Returns a JavaScript
-object or throws `YAMLException` on error. By default, does not support regexps,
-functions and undefined. This method is safe for untrusted data.
+**Recommended loading way.** Parses `string` as single YAML document. Returns either a
+plain object, a string or `undefined`, or throws `YAMLException` on error. By default, does
+not support regexps, functions and undefined. This method is safe for untrusted data.
options:
From 2334c9b41915e00416f03bb671d34f69666f6b3d Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Fri, 26 Jul 2019 07:03:55 +0300
Subject: [PATCH 05/24] Create FUNDING.yml
---
.github/FUNDING.yml | 1 +
1 file changed, 1 insertion(+)
create mode 100644 .github/FUNDING.yml
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 00000000..935374fd
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+tidelift: "npm/js-yaml"
From 1d88bd13ab3efb4af0941381317c8555e968b13c Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Thu, 22 Aug 2019 03:37:35 +0300
Subject: [PATCH 06/24] README cleanup
---
README.md | 23 -----------------------
1 file changed, 23 deletions(-)
diff --git a/README.md b/README.md
index 43f56bf9..12f3f663 100644
--- a/README.md
+++ b/README.md
@@ -289,26 +289,3 @@ So, the following YAML document cannot be loaded.
baz: bat
*anchor: duplicate key
```
-
-
-Breaking changes in 2.x.x -> 3.x.x
-----------------------------------
-
-If you have not used __custom__ tags or loader classes and not loaded yaml
-files via `require()`, no changes are needed. Just upgrade the library.
-
-Otherwise, you should:
-
-1. Replace all occurrences of `require('xxxx.yml')` by `fs.readFileSync()` +
- `yaml.safeLoad()`.
-2. rewrite your custom tags constructors and custom loader
- classes, to conform the new API. See
- [examples](https://github.com/nodeca/js-yaml/tree/master/examples) and
- [wiki](https://github.com/nodeca/js-yaml/wiki) for details.
-
-
-License
--------
-
-View the [LICENSE](https://github.com/nodeca/js-yaml/blob/master/LICENSE) file
-(MIT).
From 3db03f295865cf58ec9f4257894b55a6ad52e9ed Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Thu, 22 Aug 2019 03:40:04 +0300
Subject: [PATCH 07/24] README: add Tidelift link
---
README.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 12f3f663..d6a9a89d 100644
--- a/README.md
+++ b/README.md
@@ -289,3 +289,10 @@ So, the following YAML document cannot be loaded.
baz: bat
*anchor: duplicate key
```
+
+
+Support js-yaml
+---------------
+
+You can support this project via [Tidelift subscription](https://tidelift.com/subscription/pkg/npm-js-yaml?utm_source=npm-js-yaml&utm_medium=referral&utm_campaign=readme).
+
From ae24505aba351d4875dab4f2a9c1b2b93ae15cf5 Mon Sep 17 00:00:00 2001
From: Martijn Cuppens
Date: Fri, 23 Aug 2019 10:35:36 +0200
Subject: [PATCH 08/24] Use `const` where appropriate
---
README.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index d6a9a89d..c72e7ce5 100644
--- a/README.md
+++ b/README.md
@@ -80,12 +80,12 @@ your own tags), see [wiki](https://github.com/nodeca/js-yaml/wiki) and
info.
``` javascript
-yaml = require('js-yaml');
-fs = require('fs');
+const yaml = require('js-yaml');
+const fs = require('fs');
// Get document, or throw exception on error
try {
- var doc = yaml.safeLoad(fs.readFileSync('/home/ixti/example.yml', 'utf8'));
+ const doc = yaml.safeLoad(fs.readFileSync('/home/ixti/example.yml', 'utf8'));
console.log(doc);
} catch (e) {
console.log(e);
@@ -135,7 +135,7 @@ The core schema also has no such restrictions. It allows binary notation for int
must additionally validate object structure to avoid injections:
``` javascript
-var untrusted_code = '"toString": ! "function (){very_evil_thing();}"';
+const untrusted_code = '"toString": ! "function (){very_evil_thing();}"';
// I'm just converting that string, what could possibly go wrong?
require('js-yaml').load(untrusted_code) + ''
@@ -148,7 +148,7 @@ Same as `safeLoad()`, but understands multi-document sources. Applies
`iterator` to each document if specified, or returns array of documents.
``` javascript
-var yaml = require('js-yaml');
+const yaml = require('js-yaml');
yaml.safeLoadAll(data, function (doc) {
console.log(doc);
From 2fcb465bfaeb2105a8165e34600edd6e9ad61b7b Mon Sep 17 00:00:00 2001
From: Murtaza Jafferji
Date: Wed, 16 Oct 2019 19:53:32 -0700
Subject: [PATCH 09/24] Add equals sign to list of unsafe values for plain
styling (#519)
---
lib/js-yaml/dumper.js | 4 +++-
test/issues/0519.js | 11 +++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
create mode 100644 test/issues/0519.js
diff --git a/lib/js-yaml/dumper.js b/lib/js-yaml/dumper.js
index 86f34794..77ba64cb 100644
--- a/lib/js-yaml/dumper.js
+++ b/lib/js-yaml/dumper.js
@@ -23,6 +23,7 @@ var CHAR_ASTERISK = 0x2A; /* * */
var CHAR_COMMA = 0x2C; /* , */
var CHAR_MINUS = 0x2D; /* - */
var CHAR_COLON = 0x3A; /* : */
+var CHAR_EQUALS = 0x3D; /* = */
var CHAR_GREATER_THAN = 0x3E; /* > */
var CHAR_QUESTION = 0x3F; /* ? */
var CHAR_COMMERCIAL_AT = 0x40; /* @ */
@@ -220,12 +221,13 @@ function isPlainSafeFirst(c) {
&& c !== CHAR_RIGHT_SQUARE_BRACKET
&& c !== CHAR_LEFT_CURLY_BRACKET
&& c !== CHAR_RIGHT_CURLY_BRACKET
- // | “#†| “&†| “*†| “!†| “|†| “>†| “'†| “"â€
+ // | “#†| “&†| “*†| “!†| “|†| “=†| “>†| “'†| “"â€
&& c !== CHAR_SHARP
&& c !== CHAR_AMPERSAND
&& c !== CHAR_ASTERISK
&& c !== CHAR_EXCLAMATION
&& c !== CHAR_VERTICAL_LINE
+ && c !== CHAR_EQUALS
&& c !== CHAR_GREATER_THAN
&& c !== CHAR_SINGLE_QUOTE
&& c !== CHAR_DOUBLE_QUOTE
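Review bot: The edited comment row lists "=" alongside characters that appear to come from the spec's indicator list, but "=" is not a YAML indicator. The reason given in the accompanying test is that pyyaml fails on an unquoted `=`. I would leave the indicator row as it was and give the new check its own comment, e.g. `// "=" is not an indicator; quoted because other parsers (pyyaml) reject it as a plain scalar`. isPlainSafeFirst begins and ends outside this hunk.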
diff --git a/test/issues/0519.js b/test/issues/0519.js
new file mode 100644
index 00000000..ce9f77bd
--- /dev/null
+++ b/test/issues/0519.js
@@ -0,0 +1,11 @@
+'use strict';
+
+var assert = require('assert');
+var yaml = require('../../');
+
+test('Dumper should add quotes around equals sign', function () {
+ // pyyaml fails with unquoted `=`
+ // https://yaml-online-parser.appspot.com/?yaml=%3D%0A&type=json
+ assert.strictEqual(yaml.load(yaml.dump('=')), '=');
+ assert.strictEqual(yaml.dump('='), "'='\n");
+});
From 667b3a1c1757a81dc209bc8e9cf9e812ebefd226 Mon Sep 17 00:00:00 2001
From: Igor Bereznyak
Date: Mon, 21 Oct 2019 21:04:29 +0300
Subject: [PATCH 10/24] dumper: don't quote strings with # without need
---
lib/js-yaml/dumper.js | 29 ++++++++++++++++++++++++-----
test/issues/0521.js | 23 +++++++++++++++++++++++
test/issues/0521.yml | 3 +++
3 files changed, 50 insertions(+), 5 deletions(-)
create mode 100644 test/issues/0521.js
create mode 100644 test/issues/0521.yml
diff --git a/lib/js-yaml/dumper.js b/lib/js-yaml/dumper.js
index 77ba64cb..0f5666e3 100644
--- a/lib/js-yaml/dumper.js
+++ b/lib/js-yaml/dumper.js
@@ -12,6 +12,7 @@ var _hasOwnProperty = Object.prototype.hasOwnProperty;
var CHAR_TAB = 0x09; /* Tab */
var CHAR_LINE_FEED = 0x0A; /* LF */
+var CHAR_CARRIAGE_RETURN = 0x0D; /* CR */
var CHAR_SPACE = 0x20; /* Space */
var CHAR_EXCLAMATION = 0x21; /* ! */
var CHAR_DOUBLE_QUOTE = 0x22; /* " */
@@ -189,8 +190,23 @@ function isPrintable(c) {
|| (0x10000 <= c && c <= 0x10FFFF);
}
+// [34] ns-char ::= nb-char - s-white
+// [27] nb-char ::= c-printable - b-char - c-byte-order-mark
+// [26] b-char ::= b-line-feed | b-carriage-return
+// [24] b-line-feed ::= #xA /* LF */
+// [25] b-carriage-return ::= #xD /* CR */
+// [3] c-byte-order-mark ::= #xFEFF
+function isNsChar(c) {
+ return isPrintable(c) && !isWhitespace(c)
+ // byte-order-mark
+ && c !== 0xFEFF
+ // b-char
+ && c !== CHAR_CARRIAGE_RETURN
+ && c !== CHAR_LINE_FEED;
+}
+
// Simplified test for values allowed after the first character in plain style.
-function isPlainSafe(c) {
+function isPlainSafe(c, prev) {
// Uses a subset of nb-char - c-flow-indicator - ":" - "#"
// where nb-char ::= c-printable - b-char - c-byte-order-mark.
return isPrintable(c) && c !== 0xFEFF
@@ -201,8 +217,9 @@ function isPlainSafe(c) {
&& c !== CHAR_LEFT_CURLY_BRACKET
&& c !== CHAR_RIGHT_CURLY_BRACKET
// - ":" - "#"
+ // /* An ns-char preceding */ "#"
&& c !== CHAR_COLON
- && c !== CHAR_SHARP;
+ && ((c !== CHAR_SHARP) || (prev && isNsChar(prev)));
}
// Simplified test for values allowed as the first character in plain style.
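Review bot: In `isPlainSafe`, the new term `(prev && isNsChar(prev))` makes the function return `null` rather than a boolean when `c` is `#` and there is no previous character, and it relies on the truthiness of a character code. Writing it as `(typeof prev === 'number' && isNsChar(prev))` keeps the return type boolean and states the intent. The header comment at the top of the function still describes the allowed set as excluding `#` outright. It should say that `#` is accepted only directly after an ns-char, because a `#` that follows whitespace starts a comment on reload and would cut the value short. The function body begins in the previous hunk.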
@@ -258,7 +275,7 @@ var STYLE_PLAIN = 1,
// STYLE_FOLDED => a line > lineWidth and can be folded (and lineWidth != -1).
function chooseScalarStyle(string, singleLineOnly, indentPerLevel, lineWidth, testAmbiguousType) {
var i;
- var char;
+ var char, prev_char;
var hasLineBreak = false;
var hasFoldableLine = false; // only checked if shouldTrackWidth
var shouldTrackWidth = lineWidth !== -1;
@@ -274,7 +291,8 @@ function chooseScalarStyle(string, singleLineOnly, indentPerLevel, lineWidth, te
if (!isPrintable(char)) {
return STYLE_DOUBLE;
}
- plain = plain && isPlainSafe(char);
+ prev_char = i > 0 ? string.charCodeAt(i - 1) : null;
+ plain = plain && isPlainSafe(char, prev_char);
}
} else {
// Case: block styles permitted.
@@ -293,7 +311,8 @@ function chooseScalarStyle(string, singleLineOnly, indentPerLevel, lineWidth, te
} else if (!isPrintable(char)) {
return STYLE_DOUBLE;
}
- plain = plain && isPlainSafe(char);
+ prev_char = i > 0 ? string.charCodeAt(i - 1) : null;
+ plain = plain && isPlainSafe(char, prev_char);
}
// in case the end is missing a \n
hasFoldableLine = hasFoldableLine || (shouldTrackWidth &&
diff --git a/test/issues/0521.js b/test/issues/0521.js
new file mode 100644
index 00000000..a952c184
--- /dev/null
+++ b/test/issues/0521.js
@@ -0,0 +1,23 @@
+'use strict';
+
+
+var assert = require('assert');
+var yaml = require('../../');
+var readFileSync = require('fs').readFileSync;
+
+
+test('Don\'t quote strings with # without need', function () {
+ var data = yaml.safeLoad(readFileSync(require('path').join(__dirname, '/0521.yml'), 'utf8'));
+
+ var sample = {
+ 'http://example.com/page#anchor': 'no#quotes#required',
+ 'parameter#fallback': 'quotes #required',
+ 'foo #bar': 'key is quoted'
+ };
+
+ assert.deepEqual(
+ yaml.dump(sample),
+ yaml.dump(data)
+ );
+
+});
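Review bot: The assertion compares `yaml.dump(sample)` with `yaml.dump(data)`, so both sides pass through the same dumper and the test succeeds whatever quoting the dumper picks, as long as `0521.yml` loads to the same object. A round trip would pin the behaviour: `assert.deepEqual(yaml.safeLoad(yaml.dump(sample)), sample);`. A text check for the whitespace case would help too, e.g. `assert(yaml.dump(sample).indexOf("'quotes #required'") !== -1);`, assuming single-quoted style is what the dumper selects there. The round trip matters most, because if `quotes #required` were ever written unquoted, everything from ` #` onward would be read back as a comment.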
diff --git a/test/issues/0521.yml b/test/issues/0521.yml
new file mode 100644
index 00000000..38e2505e
--- /dev/null
+++ b/test/issues/0521.yml
@@ -0,0 +1,3 @@
+http://example.com/page#anchor: no#quotes#required
+parameter#fallback: 'quotes #required'
+'foo #bar': key is quoted
From b565e1a70370a7dcb1c5af37a12d55e84c494a80 Mon Sep 17 00:00:00 2001
From: Tom MacWright
Date: Fri, 1 Nov 2019 12:15:02 -0700
Subject: [PATCH 11/24] Add unpkg and jsdelivr fields to point to browser build
---
package.json | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package.json b/package.json
index 4eefe04e..dd5bd4a5 100644
--- a/package.json
+++ b/package.json
@@ -26,6 +26,8 @@
"bin": {
"js-yaml": "bin/js-yaml.js"
},
+ "unpkg": "dist/js-yaml.min.js",
+ "jsdelivr": "dist/js-yaml.min.js",
"dependencies": {
"argparse": "^1.0.7",
"esprima": "^4.0.0"
From aeb68285db2a919fc6174f5a65caf141c74e1ef5 Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Mon, 4 Nov 2019 17:39:14 +0300
Subject: [PATCH 12/24] Check the node type for ! tag in case user manually
specifies it
---
lib/js-yaml/loader.js | 14 ++++++++++----
test/issues/0525-2.js | 16 ++++++++++++++++
2 files changed, 26 insertions(+), 4 deletions(-)
create mode 100644 test/issues/0525-2.js
diff --git a/lib/js-yaml/loader.js b/lib/js-yaml/loader.js
index 2815c955..3af04dcc 100644
--- a/lib/js-yaml/loader.js
+++ b/lib/js-yaml/loader.js
@@ -1393,13 +1393,19 @@ function composeNode(state, parentIndent, nodeContext, allowToSeek, allowCompact
if (state.tag !== null && state.tag !== '!') {
if (state.tag === '?') {
+ // Implicit resolving is not allowed for non-scalar types, and '?'
+ // non-specific tag is only automatically assigned to plain scalars.
+ //
+ // We only need to check kind conformity in case user explicitly assigns '?'
+ // tag, for example like this: "! [0]"
+ //
+ if (state.result !== null && state.kind !== 'scalar') {
+ throwError(state, 'unacceptable node kind for ! tag; it should be "scalar", not "' + state.kind + '"');
+ }
+
for (typeIndex = 0, typeQuantity = state.implicitTypes.length; typeIndex < typeQuantity; typeIndex += 1) {
type = state.implicitTypes[typeIndex];
- // Implicit resolving is not allowed for non-scalar types, and '?'
- // non-specific tag is only assigned to plain scalars. So, it isn't
- // needed to check for 'kind' conformity.
-
if (type.resolve(state.result)) { // `state.result` updated in resolver if matched
state.result = type.construct(state.result);
state.tag = type.tag;
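Review bot: The new guard is skipped when `state.result` is `null`, and the comment above it explains the kind check but not that exemption. A line such as `// result is null for an empty node, which has no kind to check` would help, if that is the case being exempted; it cannot be confirmed from this hunk. The guard is what stops the implicit-type `resolve()` functions from receiving a sequence or mapping built from the input, so the condition deserves to be spelled out. `composeNode` starts and ends outside the hunk.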
diff --git a/test/issues/0525-2.js b/test/issues/0525-2.js
new file mode 100644
index 00000000..3e4169ad
--- /dev/null
+++ b/test/issues/0525-2.js
@@ -0,0 +1,16 @@
+'use strict';
+
+
+var assert = require('assert');
+var yaml = require('../../');
+
+
+test('Should check kind type when resolving ! tag', function () {
+ try {
+ yaml.safeLoad('! [0]');
+ } catch (err) {
+ assert(err.stack.startsWith('YAMLException: unacceptable node kind for ! tag'));
+ return;
+ }
+ assert.fail(null, null, 'Expected an error to be thrown');
+});
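Review bot: The try/catch with `err.stack.startsWith(...)` ties the test to the layout of the stack string rather than to the exception itself; the same pattern is repeated in `test/issues/0525-1.js` in the next patch. `assert.throws(function () { yaml.safeLoad('! [0]'); }, /unacceptable node kind for ! tag/);` checks the same thing in one statement and removes the manual `assert.fail`. It also fails with a clearer message when a different error is thrown.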
From 33c2236d702fee430cac27ab41d75069b6647765 Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Mon, 4 Nov 2019 20:44:23 +0300
Subject: [PATCH 13/24] Verify that there are no null-bytes in input
---
lib/js-yaml/loader.js | 7 +++++++
test/issues/0525-1.js | 16 ++++++++++++++++
2 files changed, 23 insertions(+)
create mode 100644 test/issues/0525-1.js
diff --git a/lib/js-yaml/loader.js b/lib/js-yaml/loader.js
index 3af04dcc..e33b6c9a 100644
--- a/lib/js-yaml/loader.js
+++ b/lib/js-yaml/loader.js
@@ -1569,6 +1569,13 @@ function loadDocuments(input, options) {
var state = new State(input, options);
+ var nullpos = input.indexOf('\0');
+
+ if (nullpos !== -1) {
+ state.position = nullpos;
+ throwError(state, 'null byte is not allowed in input');
+ }
+
// Use 0 as string terminator. That significantly simplifies bounds check.
state.input += '\0';
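Review bot: The NUL rejection has no comment saying why it exists, although the reason sits two lines below: the loader appends `\0` as its own end-of-input marker, so a NUL inside the input would presumably be taken for the end and the rest of the document dropped without an error. I would add `// '\0' is the terminator appended below; an embedded one would end parsing early` above the `indexOf` call. Separately, only `state.position` is moved before `throwError`; if the reported line and column come from `state.line` and `state.lineStart` (not visible here), a NUL on a later line would be reported on the first line. `loadDocuments` continues outside the hunk.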
diff --git a/test/issues/0525-1.js b/test/issues/0525-1.js
new file mode 100644
index 00000000..72e6a355
--- /dev/null
+++ b/test/issues/0525-1.js
@@ -0,0 +1,16 @@
+'use strict';
+
+
+var assert = require('assert');
+var yaml = require('../../');
+
+
+test('Should throw if there is a null-byte in input', function () {
+ try {
+ yaml.safeLoad('foo\0bar');
+ } catch (err) {
+ assert(err.stack.startsWith('YAMLException: null byte is not allowed in input'));
+ return;
+ }
+ assert.fail(null, null, 'Expected an error to be thrown');
+});
From 8fb29059223b5f700dec4ea09b3d5550cd3a8e32 Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Tue, 5 Nov 2019 04:55:24 +0300
Subject: [PATCH 14/24] changelog format update
---
CHANGELOG.md | 470 +++++++++++++++++++++++++++------------------------
1 file changed, 253 insertions(+), 217 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f1cc985..b465c4ac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,278 +1,257 @@
-3.13.1 / 2019-04-05
--------------------
+# Changelog
-- Fix possible code execution in (already unsafe) `.load()`, #480.
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-3.13.0 / 2019-03-20
--------------------
+## [3.13.1] - 2019-04-05
+### Security
+- Fix possible code execution in (already unsafe) `.load()`, #480.
+
+## [3.13.0] - 2019-03-20
+### Security
- Security fix: `safeLoad()` can hang when arrays with nested refs
used as key. Now throws exception for nested arrays. #475.
-3.12.2 / 2019-02-26
--------------------
-
+## [3.12.2] - 2019-02-26
+### Fixed
- Fix `noArrayIndent` option for root level, #468.
-3.12.1 / 2019-01-05
--------------------
-
+## [3.12.1] - 2019-01-05
+### Added
- Added `noArrayIndent` option, #432.
-3.12.0 / 2018-06-02
--------------------
-
+## [3.12.0] - 2018-06-02
+### Changed
- Support arrow functions without a block statement, #421.
-3.11.0 / 2018-03-05
--------------------
-
-- Fix dump in bin/octal/hex formats for negative integers, #399.
+## [3.11.0] - 2018-03-05
+### Added
- Add arrow functions suport for `!!js/function`.
+### Fixed
+- Fix dump in bin/octal/hex formats for negative integers, #399.
-3.10.0 / 2017-09-10
--------------------
+## [3.10.0] - 2017-09-10
+### Fixed
- Fix `condenseFlow` output (quote keys for sure, instead of spaces), #371, #370.
- Dump astrals as codepoints instead of surrogate pair, #368.
-3.9.1 / 2017-07-08
-------------------
-
+## [3.9.1] - 2017-07-08
+### Fixed
- Ensure stack is present for custom errors in node 7.+, #351.
-3.9.0 / 2017-07-08
-------------------
-
+## [3.9.0] - 2017-07-08
+### Added
- Add `condenseFlow` option (to create pretty URL query params), #346.
-- Support array return from safeLoadAll/loadAll, #350.
+### Fixed
+- Support array return from safeLoadAll/loadAll, #350.
-3.8.4 / 2017-05-08
-------------------
+## [3.8.4] - 2017-05-08
+### Fixed
- Dumper: prevent space after dash for arrays that wrap, #343.
-3.8.3 / 2017-04-05
-------------------
-
+## [3.8.3] - 2017-04-05
+### Fixed
- Should not allow numbers to begin and end with underscore, #335.
-3.8.2 / 2017-03-02
-------------------
-
+## [3.8.2] - 2017-03-02
+### Fixed
- Fix `!!float 123` (integers) parse, #333.
- Don't allow leading zeros in floats (except 0, 0.xxx).
- Allow positive exponent without sign in floats.
-3.8.1 / 2017-02-07
-------------------
-
+## [3.8.1] - 2017-02-07
+### Changed
- Maintenance: update browserified build.
-3.8.0 / 2017-02-07
-------------------
-
+## [3.8.0] - 2017-02-07
+### Fixed
- Fix reported position for `duplicated mapping key` errors.
Now points to block start instead of block end.
(#243, thanks to @shockey).
-3.7.0 / 2016-11-12
-------------------
-
-- Fix parsing of quotes followed by newlines (#304, thanks to @dplepage).
+## [3.7.0] - 2016-11-12
+### Added
- Support polymorphism for tags (#300, thanks to @monken).
+### Fixed
+- Fix parsing of quotes followed by newlines (#304, thanks to @dplepage).
-3.6.1 / 2016-05-11
-------------------
+## [3.6.1] - 2016-05-11
+### Fixed
- Fix output cut on a pipe, #286.
-3.6.0 / 2016-04-16
-------------------
-
+## [3.6.0] - 2016-04-16
+### Fixed
- Dumper rewrite, fix multiple bugs with trailing `\n`.
Big thanks to @aepsilon!
- Loader: fix leading/trailing newlines in block scalars, @aepsilon.
-3.5.5 / 2016-03-17
-------------------
-
+## [3.5.5] - 2016-03-17
+### Fixed
- Date parse fix: don't allow dates with on digit in month and day, #268.
-3.5.4 / 2016-03-09
-------------------
-
+## [3.5.4] - 2016-03-09
+### Added
- `noCompatMode` for dumper, to disable quoting YAML 1.1 values.
-3.5.3 / 2016-02-11
-------------------
-
+## [3.5.3] - 2016-02-11
+### Changed
- Maintenance release.
-3.5.2 / 2016-01-11
-------------------
-
+## [3.5.2] - 2016-01-11
+### Changed
- Maintenance: missed comma in bower config.
-3.5.1 / 2016-01-11
-------------------
-
+## [3.5.1] - 2016-01-11
+### Changed
- Removed `inherit` dependency, #239.
- Better browserify workaround for esprima load.
- Demo rewrite.
-3.5.0 / 2016-01-10
-------------------
-
+## [3.5.0] - 2016-01-10
+### Fixed
- Dumper. Fold strings only, #217.
- Dumper. `norefs` option, to clone linked objects, #229.
- Loader. Throw a warning for duplicate keys, #166.
- Improved browserify support (mark `esprima` & `Buffer` excluded).
-3.4.6 / 2015-11-26
-------------------
-
+## [3.4.6] - 2015-11-26
+### Changed
- Use standalone `inherit` to keep browserified files clear.
-3.4.5 / 2015-11-23
-------------------
-
+## [3.4.5] - 2015-11-23
+### Added
- Added `lineWidth` option to dumper.
-3.4.4 / 2015-11-21
-------------------
-
+## [3.4.4] - 2015-11-21
+### Fixed
- Fixed floats dump (missed dot for scientific format), #220.
- Allow non-printable characters inside quoted scalars, #192.
-3.4.3 / 2015-10-10
-------------------
-
+## [3.4.3] - 2015-10-10
+### Changed
- Maintenance release - deps bump (esprima, argparse).
-3.4.2 / 2015-09-09
-------------------
-
+## [3.4.2] - 2015-09-09
+### Fixed
- Fixed serialization of duplicated entries in sequences, #205.
Thanks to @vogelsgesang.
-3.4.1 / 2015-09-05
-------------------
-
+## [3.4.1] - 2015-09-05
+### Fixed
- Fixed stacktrace handling in generated errors, for browsers (FF/IE).
-3.4.0 / 2015-08-23
-------------------
-
-- Fixed multiline keys dump, #197. Thanks to @tcr.
-- Don't throw on warnongs anymore. Use `onWarning` option to catch.
+## [3.4.0] - 2015-08-23
+### Changed
+- Don't throw on warnings anymore. Use `onWarning` option to catch.
- Throw error on unknown tags (was warning before).
-- Fixed heading line breaks in some scalars (regression).
- Reworked internals of error class.
+### Fixed
+- Fixed multiline keys dump, #197. Thanks to @tcr.
+- Fixed heading line breaks in some scalars (regression).
-3.3.1 / 2015-05-13
-------------------
+## [3.3.1] - 2015-05-13
+### Added
- Added `.sortKeys` dumper option, thanks to @rjmunro.
-- Fixed astral characters support, #191.
+### Fixed
+- Fixed astral characters support, #191.
-3.3.0 / 2015-04-26
-------------------
+## [3.3.0] - 2015-04-26
+### Changed
- Significantly improved long strings formatting in dumper, thanks to @isaacs.
- Strip BOM if exists.
-3.2.7 / 2015-02-19
-------------------
-
+## [3.2.7] - 2015-02-19
+### Changed
- Maintenance release.
- Updated dependencies.
- HISTORY.md -> CHANGELOG.md
-3.2.6 / 2015-02-07
-------------------
-
+## [3.2.6] - 2015-02-07
+### Fixed
- Fixed encoding of UTF-16 surrogate pairs. (e.g. "\U0001F431" CAT FACE).
- Fixed demo dates dump (#113, thanks to @Hypercubed).
-3.2.5 / 2014-12-28
-------------------
-
+## [3.2.5] - 2014-12-28
+### Fixed
- Fixed resolving of all built-in types on empty nodes.
- Fixed invalid warning on empty lines within quoted scalars and flow collections.
- Fixed bug: Tag on an empty node didn't resolve in some cases.
-3.2.4 / 2014-12-19
-------------------
-
+## [3.2.4] - 2014-12-19
+### Fixed
- Fixed resolving of !!null tag on an empty node.
-3.2.3 / 2014-11-08
-------------------
-
+## [3.2.3] - 2014-11-08
+### Fixed
- Implemented dumping of objects with circular and cross references.
- Partially fixed aliasing of constructed objects. (see issue #141 for details)
-3.2.2 / 2014-09-07
-------------------
-
+## [3.2.2] - 2014-09-07
+### Fixed
- Fixed infinite loop on unindented block scalars.
- Rewritten base64 encode/decode in binary type, to keep code licence clear.
-3.2.1 / 2014-08-24
-------------------
-
+## [3.2.1] - 2014-08-24
+### Fixed
- Nothig new. Just fix npm publish error.
-3.2.0 / 2014-08-24
-------------------
-
+## [3.2.0] - 2014-08-24
+### Added
- Added input piping support to CLI.
-- Fixed typo, that could cause hand on initial indent (#139).
+### Fixed
+- Fixed typo, that could cause hand on initial indent (#139).
-3.1.0 / 2014-07-07
-------------------
+## [3.1.0] - 2014-07-07
+### Changed
- 1.5x-2x speed boost.
- Removed deprecated `require('xxx.yml')` support.
- Significant code cleanup and refactoring.
@@ -285,127 +264,112 @@
- Bugfixes.
-3.0.2 / 2014-02-27
-------------------
-
+## [3.0.2] - 2014-02-27
+### Fixed
- Fixed bug: "constructor" string parsed as `null`.
-3.0.1 / 2013-12-22
-------------------
-
+## [3.0.1] - 2013-12-22
+### Fixed
- Fixed parsing of literal scalars. (issue #108)
- Prevented adding unnecessary spaces in object dumps. (issue #68)
- Fixed dumping of objects with very long (> 1024 in length) keys.
-3.0.0 / 2013-12-16
-------------------
-
+## [3.0.0] - 2013-12-16
+### Changed
- Refactored code. Changed API for custom types.
- Removed output colors in CLI, dump json by default.
-- Removed big dependencies from browser version (esprima, buffer)
- - load `esprima` manually, if !!js/function needed
- - !!bin now returns Array in browser
+- Removed big dependencies from browser version (esprima, buffer). Load `esprima` manually, if `!!js/function` needed. `!!bin` now returns Array in browser
- AMD support.
- Don't quote dumped strings because of `-` & `?` (if not first char).
- __Deprecated__ loading yaml files via `require()`, as not recommended
behaviour for node.
-2.1.3 / 2013-10-16
-------------------
-
+## [2.1.3] - 2013-10-16
+### Fixed
- Fix wrong loading of empty block scalars.
-2.1.2 / 2013-10-07
-------------------
-
+## [2.1.2] - 2013-10-07
+### Fixed
- Fix unwanted line breaks in folded scalars.
-2.1.1 / 2013-10-02
-------------------
-
+## [2.1.1] - 2013-10-02
+### Fixed
- Dumper now respects deprecated booleans syntax from YAML 1.0/1.1
- Fixed reader bug in JSON-like sequences/mappings.
-2.1.0 / 2013-06-05
-------------------
-
+## [2.1.0] - 2013-06-05
+### Added
- Add standard YAML schemas: Failsafe (`FAILSAFE_SCHEMA`),
JSON (`JSON_SCHEMA`) and Core (`CORE_SCHEMA`).
+- Add `skipInvalid` dumper option.
+
+### Changed
- Rename `DEFAULT_SCHEMA` to `DEFAULT_FULL_SCHEMA`
and `SAFE_SCHEMA` to `DEFAULT_SAFE_SCHEMA`.
-- Bug fix: export `NIL` constant from the public interface.
-- Add `skipInvalid` dumper option.
- Use `safeLoad` for `require` extension.
+### Fixed
+- Bug fix: export `NIL` constant from the public interface.
-2.0.5 / 2013-04-26
-------------------
+## [2.0.5] - 2013-04-26
+### Security
- Close security issue in !!js/function constructor.
Big thanks to @nealpoole for security audit.
-2.0.4 / 2013-04-08
-------------------
-
+## [2.0.4] - 2013-04-08
+### Changed
- Updated .npmignore to reduce package size
-2.0.3 / 2013-02-26
-------------------
-
+## [2.0.3] - 2013-02-26
+### Fixed
- Fixed dumping of empty arrays ans objects. ([] and {} instead of null)
-2.0.2 / 2013-02-15
-------------------
-
+## [2.0.2] - 2013-02-15
+### Fixed
- Fixed input validation: tabs are printable characters.
-2.0.1 / 2013-02-09
-------------------
-
+## [2.0.1] - 2013-02-09
+### Fixed
- Fixed error, when options not passed to function cass
-2.0.0 / 2013-02-09
-------------------
-
+## [2.0.0] - 2013-02-09
+### Changed
- Full rewrite. New architecture. Fast one-stage parsing.
- Changed custom types API.
- Added YAML dumper.
-1.0.3 / 2012-11-05
-------------------
-
+## [1.0.3] - 2012-11-05
+### Fixed
- Fixed utf-8 files loading.
-1.0.2 / 2012-08-02
-------------------
-
+## [1.0.2] - 2012-08-02
+### Fixed
- Pull out hand-written shims. Use ES5-Shims for old browsers support. See #44.
- Fix timstamps incorectly parsed in local time when no time part specified.
-1.0.1 / 2012-07-07
-------------------
-
+## [1.0.1] - 2012-07-07
+### Fixed
- Fixes `TypeError: 'undefined' is not an object` under Safari. Thanks Phuong.
- Fix timestamps incorrectly parsed in local time. Thanks @caolan. Closes #46.
-1.0.0 / 2012-07-01
-------------------
-
+## [1.0.0] - 2012-07-01
+### Changed
- `y`, `yes`, `n`, `no`, `on`, `off` are not converted to Booleans anymore.
Fixes #42.
- `require(filename)` now returns a single document and throws an Error if
@@ -413,89 +377,161 @@
- CLI was merged back from js-yaml.bin
-0.3.7 / 2012-02-28
-------------------
-
+## [0.3.7] - 2012-02-28
+### Fixed
- Fix export of `addConstructor()`. Closes #39.
-0.3.6 / 2012-02-22
-------------------
-
+## [0.3.6] - 2012-02-22
+### Changed
- Removed AMD parts - too buggy to use. Need help to rewrite from scratch
-- Removed YUI compressor warning (renamed `double` variable). Closes #40.
+### Fixed
+- Removed YUI compressor warning (renamed `double` variable). Closes #40.
-0.3.5 / 2012-01-10
-------------------
+## [0.3.5] - 2012-01-10
+### Fixed
- Workagound for .npmignore fuckup under windows. Thanks to airportyh.
-0.3.4 / 2011-12-24
-------------------
-
+## [0.3.4] - 2011-12-24
+### Fixed
- Fixes str[] for oldIEs support.
- Adds better has change support for browserified demo.
- improves compact output of Error. Closes #33.
-0.3.3 / 2011-12-20
-------------------
+## [0.3.3] - 2011-12-20
+### Added
+- adds `compact` stringification of Errors.
+### Changed
- jsyaml executable moved to separate module.
-- adds `compact` stringification of Errors.
-0.3.2 / 2011-12-16
-------------------
+## [0.3.2] - 2011-12-16
+### Added
+- Added jsyaml executable.
+- Added !!js/function support. Closes #12.
+### Fixed
- Fixes ug with block style scalars. Closes #26.
- All sources are passing JSLint now.
- Fixes bug in Safari. Closes #28.
- Fixes bug in Opers. Closes #29.
- Improves browser support. Closes #20.
-- Added jsyaml executable.
-- Added !!js/function support. Closes #12.
-
-0.3.1 / 2011-11-18
-------------------
+## [0.3.1] - 2011-11-18
+### Added
- Added AMD support for browserified version.
-- Wrapped browserified js-yaml into closure.
-- Fixed the resolvement of non-specific tags. Closes #17.
- Added permalinks for online demo YAML snippets. Now we have YPaste service, lol.
- Added !!js/regexp and !!js/undefined types. Partially solves #12.
+
+### Changed
+- Wrapped browserified js-yaml into closure.
+
+### Fixed
+- Fixed the resolvement of non-specific tags. Closes #17.
- Fixed !!set mapping.
- Fixed month parse in dates. Closes #19.
-0.3.0 / 2011-11-09
-------------------
-
-- Removed JS.Class dependency. Closes #3.
+## [0.3.0] - 2011-11-09
+### Added
- Added browserified version. Closes #13.
- Added live demo of browserified version.
- Ported some of the PyYAML tests. See #14.
-- Fixed timestamp bug when fraction was given.
+### Fixed
+- Removed JS.Class dependency. Closes #3.
+- Fixed timestamp bug when fraction was given.
-0.2.2 / 2011-11-06
-------------------
+## [0.2.2] - 2011-11-06
+### Fixed
- Fixed crash on docs without ---. Closes #8.
-- Fixed miltiline string parse
+- Fixed multiline string parse
- Fixed tests/comments for using array as key
-0.2.1 / 2011-11-02
-------------------
-
+## [0.2.1] - 2011-11-02
+### Fixed
- Fixed short file read (<4k). Closes #9.
-0.2.0 / 2011-11-02
-------------------
-
+## [0.2.0] - 2011-11-02
+### Changed
- First public release
+
+
+[3.13.1]: https://github.com/nodeca/js-yaml/compare/3.13.0...3.13.1
+[3.13.0]: https://github.com/nodeca/js-yaml/compare/3.12.2...3.13.0
+[3.12.2]: https://github.com/nodeca/js-yaml/compare/3.12.1...3.12.2
+[3.12.1]: https://github.com/nodeca/js-yaml/compare/3.12.0...3.12.1
+[3.12.0]: https://github.com/nodeca/js-yaml/compare/3.11.0...3.12.0
+[3.11.0]: https://github.com/nodeca/js-yaml/compare/3.10.0...3.11.0
+[3.10.0]: https://github.com/nodeca/js-yaml/compare/3.9.1...3.10.0
+[3.9.1]: https://github.com/nodeca/js-yaml/compare/3.9.0...3.9.1
+[3.9.0]: https://github.com/nodeca/js-yaml/compare/3.8.4...3.9.0
+[3.8.4]: https://github.com/nodeca/js-yaml/compare/3.8.3...3.8.4
+[3.8.3]: https://github.com/nodeca/js-yaml/compare/3.8.2...3.8.3
+[3.8.2]: https://github.com/nodeca/js-yaml/compare/3.8.1...3.8.2
+[3.8.1]: https://github.com/nodeca/js-yaml/compare/3.8.0...3.8.1
+[3.8.0]: https://github.com/nodeca/js-yaml/compare/3.7.0...3.8.0
+[3.7.0]: https://github.com/nodeca/js-yaml/compare/3.6.1...3.7.0
+[3.6.1]: https://github.com/nodeca/js-yaml/compare/3.6.0...3.6.1
+[3.6.0]: https://github.com/nodeca/js-yaml/compare/3.5.5...3.6.0
+[3.5.5]: https://github.com/nodeca/js-yaml/compare/3.5.4...3.5.5
+[3.5.4]: https://github.com/nodeca/js-yaml/compare/3.5.3...3.5.4
+[3.5.3]: https://github.com/nodeca/js-yaml/compare/3.5.2...3.5.3
+[3.5.2]: https://github.com/nodeca/js-yaml/compare/3.5.1...3.5.2
+[3.5.1]: https://github.com/nodeca/js-yaml/compare/3.5.0...3.5.1
+[3.5.0]: https://github.com/nodeca/js-yaml/compare/3.4.6...3.5.0
+[3.4.6]: https://github.com/nodeca/js-yaml/compare/3.4.5...3.4.6
+[3.4.5]: https://github.com/nodeca/js-yaml/compare/3.4.4...3.4.5
+[3.4.4]: https://github.com/nodeca/js-yaml/compare/3.4.3...3.4.4
+[3.4.3]: https://github.com/nodeca/js-yaml/compare/3.4.2...3.4.3
+[3.4.2]: https://github.com/nodeca/js-yaml/compare/3.4.1...3.4.2
+[3.4.1]: https://github.com/nodeca/js-yaml/compare/3.4.0...3.4.1
+[3.4.0]: https://github.com/nodeca/js-yaml/compare/3.3.1...3.4.0
+[3.3.1]: https://github.com/nodeca/js-yaml/compare/3.3.0...3.3.1
+[3.3.0]: https://github.com/nodeca/js-yaml/compare/3.2.7...3.3.0
+[3.2.7]: https://github.com/nodeca/js-yaml/compare/3.2.6...3.2.7
+[3.2.6]: https://github.com/nodeca/js-yaml/compare/3.2.5...3.2.6
+[3.2.5]: https://github.com/nodeca/js-yaml/compare/3.2.4...3.2.5
+[3.2.4]: https://github.com/nodeca/js-yaml/compare/3.2.3...3.2.4
+[3.2.3]: https://github.com/nodeca/js-yaml/compare/3.2.2...3.2.3
+[3.2.2]: https://github.com/nodeca/js-yaml/compare/3.2.1...3.2.2
+[3.2.1]: https://github.com/nodeca/js-yaml/compare/3.2.0...3.2.1
+[3.2.0]: https://github.com/nodeca/js-yaml/compare/3.1.0...3.2.0
+[3.1.0]: https://github.com/nodeca/js-yaml/compare/3.0.2...3.1.0
+[3.0.2]: https://github.com/nodeca/js-yaml/compare/3.0.1...3.0.2
+[3.0.1]: https://github.com/nodeca/js-yaml/compare/3.0.0...3.0.1
+[3.0.0]: https://github.com/nodeca/js-yaml/compare/2.1.3...3.0.0
+[2.1.3]: https://github.com/nodeca/js-yaml/compare/2.1.2...2.1.3
+[2.1.2]: https://github.com/nodeca/js-yaml/compare/2.1.1...2.1.2
+[2.1.1]: https://github.com/nodeca/js-yaml/compare/2.1.0...2.1.1
+[2.1.0]: https://github.com/nodeca/js-yaml/compare/2.0.5...2.1.0
+[2.0.5]: https://github.com/nodeca/js-yaml/compare/2.0.4...2.0.5
+[2.0.4]: https://github.com/nodeca/js-yaml/compare/2.0.3...2.0.4
+[2.0.3]: https://github.com/nodeca/js-yaml/compare/2.0.2...2.0.3
+[2.0.2]: https://github.com/nodeca/js-yaml/compare/2.0.1...2.0.2
+[2.0.1]: https://github.com/nodeca/js-yaml/compare/2.0.0...2.0.1
+[2.0.0]: https://github.com/nodeca/js-yaml/compare/1.0.3...2.0.0
+[1.0.3]: https://github.com/nodeca/js-yaml/compare/1.0.2...1.0.3
+[1.0.2]: https://github.com/nodeca/js-yaml/compare/1.0.1...1.0.2
+[1.0.1]: https://github.com/nodeca/js-yaml/compare/1.0.0...1.0.1
+[1.0.0]: https://github.com/nodeca/js-yaml/compare/0.3.7...1.0.0
+[0.3.7]: https://github.com/nodeca/js-yaml/compare/0.3.6...0.3.7
+[0.3.6]: https://github.com/nodeca/js-yaml/compare/0.3.5...0.3.6
+[0.3.5]: https://github.com/nodeca/js-yaml/compare/0.3.4...0.3.5
+[0.3.4]: https://github.com/nodeca/js-yaml/compare/0.3.3...0.3.4
+[0.3.3]: https://github.com/nodeca/js-yaml/compare/0.3.2...0.3.3
+[0.3.2]: https://github.com/nodeca/js-yaml/compare/0.3.1...0.3.2
+[0.3.1]: https://github.com/nodeca/js-yaml/compare/0.3.0...0.3.1
+[0.3.0]: https://github.com/nodeca/js-yaml/compare/0.2.2...0.3.0
+[0.2.2]: https://github.com/nodeca/js-yaml/compare/0.2.1...0.2.2
+[0.2.1]: https://github.com/nodeca/js-yaml/compare/0.2.0...0.2.1
+[0.2.0]: https://github.com/nodeca/js-yaml/releases/tag/0.2.0
From e569cc70ec9b41760d0d37b805a1d9b3ada519ca Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Tue, 5 Nov 2019 07:26:13 +0300
Subject: [PATCH 15/24] readme: update titelift info
---
README.md | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index c72e7ce5..246e5635 100644
--- a/README.md
+++ b/README.md
@@ -291,8 +291,9 @@ So, the following YAML document cannot be loaded.
```
-Support js-yaml
----------------
+js-yaml for enterprise
+----------------------
-You can support this project via [Tidelift subscription](https://tidelift.com/subscription/pkg/npm-js-yaml?utm_source=npm-js-yaml&utm_medium=referral&utm_campaign=readme).
+Available as part of the Tidelift Subscription
+The maintainers of js-yaml and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more.](https://tidelift.com/subscription/pkg/npm-js-yaml?utm_source=npm-js-yaml&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
From 93fbf7d4ddecea60709c8379397247af28f11e10 Mon Sep 17 00:00:00 2001
From: Gabriele Coletta
Date: Wed, 13 Nov 2019 21:39:39 +0100
Subject: [PATCH 16/24] fix issue 526 (wrong quote position writing condensed
flow)
---
lib/js-yaml/dumper.js | 4 +++-
test/issues/0346.js | 4 ++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/js-yaml/dumper.js b/lib/js-yaml/dumper.js
index 0f5666e3..f3d4fd93 100644
--- a/lib/js-yaml/dumper.js
+++ b/lib/js-yaml/dumper.js
@@ -569,10 +569,12 @@ function writeFlowMapping(state, level, object) {
pairBuffer;
for (index = 0, length = objectKeyList.length; index < length; index += 1) {
- pairBuffer = state.condenseFlow ? '"' : '';
+ pairBuffer = '';
if (index !== 0) pairBuffer += ', ';
+ if (state.condenseFlow) pairBuffer += '"';
+
objectKey = objectKeyList[index];
objectValue = object[objectKey];
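Review bot: With `condenseFlow` set, the separator at `if (index !== 0) pairBuffer += ', ';` still contains a space, so a condensed mapping comes out as `{"a":{"b":c, "d":e}}` (as the updated test expects), while the neighbouring test states that arrays get no spaces between entries in this mode. If the option is meant for URL query strings, as the changelog says, `if (index !== 0) pairBuffer += state.condenseFlow ? ',' : ', ';` would make mappings consistent with sequences. If the space is deliberate, a comment on this line should say so. `writeFlowMapping` continues outside the hunk.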
diff --git a/test/issues/0346.js b/test/issues/0346.js
index ccd75d5b..97519760 100644
--- a/test/issues/0346.js
+++ b/test/issues/0346.js
@@ -15,11 +15,11 @@ test('should not emit spaces in arrays in flow mode between entries using conden
});
test('should not emit spaces between key: value and quote keys using condenseFlow: true', function () {
- var object = { a: { b: 'c' } };
+ var object = { a: { b: 'c', d: 'e' } };
var objectDump = yaml.dump(object, { flowLevel: 0, indent: 0, condenseFlow: true });
assert.equal(
objectDump,
- '{"a":{"b":c}}\n'
+ '{"a":{"b":c, "d":e}}\n'
);
assert.deepEqual(yaml.load(objectDump), object);
});
From 10be97ebbd588e68907e6c67e0b3843a4caab475 Mon Sep 17 00:00:00 2001
From: ExE Boss <3889017+ExE-Boss@users.noreply.github.com>
Date: Sat, 16 May 2020 10:30:00 +0200
Subject: [PATCH 17/24] =?UTF-8?q?fix(loader):=20Add=C2=A0support=20for?=
=?UTF-8?q?=C2=A0`safe/loadAll(input,=C2=A0options)`?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
lib/js-yaml/loader.js | 20 +++++++-----
test/units/loader-parameters.js | 54 +++++++++++++++++++++++++++++++++
2 files changed, 67 insertions(+), 7 deletions(-)
create mode 100644 test/units/loader-parameters.js
diff --git a/lib/js-yaml/loader.js b/lib/js-yaml/loader.js
index e33b6c9a..ef01386b 100644
--- a/lib/js-yaml/loader.js
+++ b/lib/js-yaml/loader.js
@@ -1593,13 +1593,18 @@ function loadDocuments(input, options) {
function loadAll(input, iterator, options) {
- var documents = loadDocuments(input, options), index, length;
+ if (iterator !== null && typeof iterator === 'object' && typeof options === 'undefined') {
+ options = iterator;
+ iterator = null;
+ }
+
+ var documents = loadDocuments(input, options);
if (typeof iterator !== 'function') {
return documents;
}
- for (index = 0, length = documents.length; index < length; index += 1) {
+ for (var index = 0, length = documents.length; index < length; index += 1) {
iterator(documents[index]);
}
}
@@ -1618,12 +1623,13 @@ function load(input, options) {
}
-function safeLoadAll(input, output, options) {
- if (typeof output === 'function') {
- loadAll(input, output, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options));
- } else {
- return loadAll(input, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options));
+function safeLoadAll(input, iterator, options) {
+ if (typeof iterator === 'object' && iterator !== null && typeof options === 'undefined') {
+ options = iterator;
+ iterator = null;
}
+
+ return loadAll(input, iterator, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options));
}
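Review bot: `common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options)` places the caller's options on top of the default, so a `schema` key in `options` replaces the safe schema (assuming `extend` copies the second argument's keys onto the first; it is defined elsewhere). That deserves a comment on `safeLoadAll`, e.g. `// options.schema, if given, overrides DEFAULT_SAFE_SCHEMA; do not pass options built from untrusted data`. Without it, the function name suggests a guarantee that the merge order does not give.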
diff --git a/test/units/loader-parameters.js b/test/units/loader-parameters.js
new file mode 100644
index 00000000..56cf3997
--- /dev/null
+++ b/test/units/loader-parameters.js
@@ -0,0 +1,54 @@
+'use strict';
+
+var assert = require('assert');
+var yaml = require('../..');
+
+suite('loader parameters', function () {
+ var testStr = 'test: 1 \ntest: 2';
+ var expected = [ { test: 2 } ];
+ var result;
+
+ test('loadAll(input, options)', function () {
+ result = yaml.loadAll(testStr, { json: true });
+ assert.deepEqual(result, expected);
+
+ result = [];
+ yaml.loadAll(testStr, function (doc) {
+ result.push(doc);
+ }, { json: true });
+ assert.deepEqual(result, expected);
+ });
+
+ test('loadAll(input, null, options)', function () {
+ result = yaml.loadAll(testStr, null, { json: true });
+ assert.deepEqual(result, expected);
+
+ result = [];
+ yaml.loadAll(testStr, function (doc) {
+ result.push(doc);
+ }, { json: true });
+ assert.deepEqual(result, expected);
+ });
+
+ test('safeLoadAll(input, options)', function () {
+ result = yaml.safeLoadAll(testStr, { json: true });
+ assert.deepEqual(result, expected);
+
+ result = [];
+ yaml.safeLoadAll(testStr, function (doc) {
+ result.push(doc);
+ }, { json: true });
+ assert.deepEqual(result, expected);
+ });
+
+ test('safeLoadAll(input, null, options)', function () {
+ result = yaml.safeLoadAll(testStr, null, { json: true });
+ assert.deepEqual(result, expected);
+
+ result = [];
+ yaml.safeLoadAll(testStr, function (doc) {
+ result.push(doc);
+ }, { json: true });
+ assert.deepEqual(result, expected);
+ });
+});
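Review bot: None of the four cases asserts that safeLoadAll still applies the safe schema when options arrive in the second position; they only check the `json` duplicate-key behaviour. One negative assertion in the 'safeLoadAll(input, options)' test would cover it, for example `assert.throws(function () { yaml.safeLoadAll('!!js/function "function () {}"', { json: true }); }, yaml.YAMLException);`. The second half of each '(input, null, options)' test repeats the callback form already exercised by the test before it, so it adds no coverage for the null-iterator path.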
From 0c293491d903cddcd41b41c165bc45eeb9a8d720 Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Fri, 22 May 2020 20:55:50 +0300
Subject: [PATCH 18/24] Travis-CI: drop old nodejs versions
---
.travis.yml | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 2eedb38b..887023d2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,2 @@
-sudo: false
language: node_js
-node_js:
- - '4'
- - '6'
- - '8'
+node_js: node
From 6f7347396867b8dcfc042722c2aae810dfe4caae Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Fri, 22 May 2020 21:06:44 +0300
Subject: [PATCH 19/24] Dev deps bump
---
lib/js-yaml/type/js/function.js | 3 ++-
package.json | 6 +++---
support/demo_template/base64.js | 4 ++--
support/demo_template/demo.js | 2 +-
4 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/lib/js-yaml/type/js/function.js b/lib/js-yaml/type/js/function.js
index 3604e233..8fab8c43 100644
--- a/lib/js-yaml/type/js/function.js
+++ b/lib/js-yaml/type/js/function.js
@@ -14,7 +14,8 @@ try {
var _require = require;
esprima = _require('esprima');
} catch (_) {
- /*global window */
+ /* eslint-disable no-redeclare */
+ /* global window */
if (typeof window !== 'undefined') esprima = window.esprima;
}
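Review bot: The block-form `/* eslint-disable no-redeclare */` added in the catch branch has no matching enable, so the rule stays off from that line to the end of function.js rather than only for the `/* global window */` directive it is meant to cover. Closing the scope right after the directive with `/* eslint-enable no-redeclare */` keeps the rule active for the rest of the file. The enclosing try statement starts outside this hunk.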
diff --git a/package.json b/package.json
index dd5bd4a5..ba2621fd 100644
--- a/package.json
+++ b/package.json
@@ -37,10 +37,10 @@
"benchmark": "^2.1.4",
"browserify": "^16.2.2",
"codemirror": "^5.13.4",
- "eslint": "^4.1.1",
- "fast-check": "1.1.3",
+ "eslint": "^7.0.0",
+ "fast-check": "^1.24.2",
"istanbul": "^0.4.5",
- "mocha": "^5.2.0",
+ "mocha": "^7.1.2",
"uglify-js": "^3.0.1"
},
"scripts": {
diff --git a/support/demo_template/base64.js b/support/demo_template/base64.js
index 572acc66..c0528ceb 100644
--- a/support/demo_template/base64.js
+++ b/support/demo_template/base64.js
@@ -30,8 +30,8 @@
'use strict';
-/*global window*/
-/*eslint-disable no-bitwise*/
+/* eslint-env browser */
+/* eslint-disable no-bitwise */
function noop() {}
diff --git a/support/demo_template/demo.js b/support/demo_template/demo.js
index d388d5cb..6b5df324 100644
--- a/support/demo_template/demo.js
+++ b/support/demo_template/demo.js
@@ -1,6 +1,6 @@
-/*global window, document, location*/
'use strict';
+/* eslint-env browser */
var jsyaml = require('../../');
var codemirror = require('codemirror');
From 7b25c83a6dc77097c2bf14bf714e168f60ee199b Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Fri, 22 May 2020 21:27:12 +0300
Subject: [PATCH 20/24] Browser files rebuild
---
dist/js-yaml.js | 83 ++++++++++++++++++++++++++++++++++-----------
dist/js-yaml.min.js | 2 +-
2 files changed, 64 insertions(+), 21 deletions(-)
diff --git a/dist/js-yaml.js b/dist/js-yaml.js
index fad044a4..d7287d47 100644
--- a/dist/js-yaml.js
+++ b/dist/js-yaml.js
@@ -1,4 +1,4 @@
-/* js-yaml 3.13.1 https://github.com/nodeca/js-yaml */(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.jsyaml = f()}})(function(){var define,module,exports;return (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof require&&require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u="function"==typeof require&&require,i=0;i */
var CHAR_QUESTION = 0x3F; /* ? */
var CHAR_COMMERCIAL_AT = 0x40; /* @ */
@@ -291,8 +293,23 @@ function isPrintable(c) {
|| (0x10000 <= c && c <= 0x10FFFF);
}
+// [34] ns-char ::= nb-char - s-white
+// [27] nb-char ::= c-printable - b-char - c-byte-order-mark
+// [26] b-char ::= b-line-feed | b-carriage-return
+// [24] b-line-feed ::= #xA /* LF */
+// [25] b-carriage-return ::= #xD /* CR */
+// [3] c-byte-order-mark ::= #xFEFF
+function isNsChar(c) {
+ return isPrintable(c) && !isWhitespace(c)
+ // byte-order-mark
+ && c !== 0xFEFF
+ // b-char
+ && c !== CHAR_CARRIAGE_RETURN
+ && c !== CHAR_LINE_FEED;
+}
+
// Simplified test for values allowed after the first character in plain style.
-function isPlainSafe(c) {
+function isPlainSafe(c, prev) {
// Uses a subset of nb-char - c-flow-indicator - ":" - "#"
// where nb-char ::= c-printable - b-char - c-byte-order-mark.
return isPrintable(c) && c !== 0xFEFF
@@ -303,8 +320,9 @@ function isPlainSafe(c) {
&& c !== CHAR_LEFT_CURLY_BRACKET
&& c !== CHAR_RIGHT_CURLY_BRACKET
// - ":" - "#"
+ // /* An ns-char preceding */ "#"
&& c !== CHAR_COLON
- && c !== CHAR_SHARP;
+ && ((c !== CHAR_SHARP) || (prev && isNsChar(prev)));
}
// Simplified test for values allowed as the first character in plain style.
@@ -323,12 +341,13 @@ function isPlainSafeFirst(c) {
&& c !== CHAR_RIGHT_SQUARE_BRACKET
&& c !== CHAR_LEFT_CURLY_BRACKET
&& c !== CHAR_RIGHT_CURLY_BRACKET
- // | “#†| “&†| “*†| “!†| “|†| “>†| “'†| “"â€
+ // | “#†| “&†| “*†| “!†| “|†| “=†| “>†| “'†| “"â€
&& c !== CHAR_SHARP
&& c !== CHAR_AMPERSAND
&& c !== CHAR_ASTERISK
&& c !== CHAR_EXCLAMATION
&& c !== CHAR_VERTICAL_LINE
+ && c !== CHAR_EQUALS
&& c !== CHAR_GREATER_THAN
&& c !== CHAR_SINGLE_QUOTE
&& c !== CHAR_DOUBLE_QUOTE
@@ -359,7 +378,7 @@ var STYLE_PLAIN = 1,
// STYLE_FOLDED => a line > lineWidth and can be folded (and lineWidth != -1).
function chooseScalarStyle(string, singleLineOnly, indentPerLevel, lineWidth, testAmbiguousType) {
var i;
- var char;
+ var char, prev_char;
var hasLineBreak = false;
var hasFoldableLine = false; // only checked if shouldTrackWidth
var shouldTrackWidth = lineWidth !== -1;
@@ -375,7 +394,8 @@ function chooseScalarStyle(string, singleLineOnly, indentPerLevel, lineWidth, te
if (!isPrintable(char)) {
return STYLE_DOUBLE;
}
- plain = plain && isPlainSafe(char);
+ prev_char = i > 0 ? string.charCodeAt(i - 1) : null;
+ plain = plain && isPlainSafe(char, prev_char);
}
} else {
// Case: block styles permitted.
@@ -394,7 +414,8 @@ function chooseScalarStyle(string, singleLineOnly, indentPerLevel, lineWidth, te
} else if (!isPrintable(char)) {
return STYLE_DOUBLE;
}
- plain = plain && isPlainSafe(char);
+ prev_char = i > 0 ? string.charCodeAt(i - 1) : null;
+ plain = plain && isPlainSafe(char, prev_char);
}
// in case the end is missing a \n
hasFoldableLine = hasFoldableLine || (shouldTrackWidth &&
@@ -651,10 +672,12 @@ function writeFlowMapping(state, level, object) {
pairBuffer;
for (index = 0, length = objectKeyList.length; index < length; index += 1) {
- pairBuffer = state.condenseFlow ? '"' : '';
+ pairBuffer = '';
if (index !== 0) pairBuffer += ', ';
+ if (state.condenseFlow) pairBuffer += '"';
+
objectKey = objectKeyList[index];
objectValue = object[objectKey];
@@ -2370,13 +2393,19 @@ function composeNode(state, parentIndent, nodeContext, allowToSeek, allowCompact
if (state.tag !== null && state.tag !== '!') {
if (state.tag === '?') {
+ // Implicit resolving is not allowed for non-scalar types, and '?'
+ // non-specific tag is only automatically assigned to plain scalars.
+ //
+ // We only need to check kind conformity in case user explicitly assigns '?'
+ // tag, for example like this: "! [0]"
+ //
+ if (state.result !== null && state.kind !== 'scalar') {
+ throwError(state, 'unacceptable node kind for ! tag; it should be "scalar", not "' + state.kind + '"');
+ }
+
for (typeIndex = 0, typeQuantity = state.implicitTypes.length; typeIndex < typeQuantity; typeIndex += 1) {
type = state.implicitTypes[typeIndex];
- // Implicit resolving is not allowed for non-scalar types, and '?'
- // non-specific tag is only assigned to plain scalars. So, it isn't
- // needed to check for 'kind' conformity.
-
if (type.resolve(state.result)) { // `state.result` updated in resolver if matched
state.result = type.construct(state.result);
state.tag = type.tag;
@@ -2540,6 +2569,13 @@ function loadDocuments(input, options) {
var state = new State(input, options);
+ var nullpos = input.indexOf('\0');
+
+ if (nullpos !== -1) {
+ state.position = nullpos;
+ throwError(state, 'null byte is not allowed in input');
+ }
+
// Use 0 as string terminator. That significantly simplifies bounds check.
state.input += '\0';
@@ -2557,13 +2593,18 @@ function loadDocuments(input, options) {
function loadAll(input, iterator, options) {
- var documents = loadDocuments(input, options), index, length;
+ if (iterator !== null && typeof iterator === 'object' && typeof options === 'undefined') {
+ options = iterator;
+ iterator = null;
+ }
+
+ var documents = loadDocuments(input, options);
if (typeof iterator !== 'function') {
return documents;
}
- for (index = 0, length = documents.length; index < length; index += 1) {
+ for (var index = 0, length = documents.length; index < length; index += 1) {
iterator(documents[index]);
}
}
@@ -2582,12 +2623,13 @@ function load(input, options) {
}
-function safeLoadAll(input, output, options) {
- if (typeof output === 'function') {
- loadAll(input, output, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options));
- } else {
- return loadAll(input, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options));
+function safeLoadAll(input, iterator, options) {
+ if (typeof iterator === 'object' && iterator !== null && typeof options === 'undefined') {
+ options = iterator;
+ iterator = null;
}
+
+ return loadAll(input, iterator, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options));
}
@@ -3462,7 +3504,8 @@ try {
var _require = require;
esprima = _require('esprima');
} catch (_) {
- /*global window */
+ /* eslint-disable no-redeclare */
+ /* global window */
if (typeof window !== 'undefined') esprima = window.esprima;
}
diff --git a/dist/js-yaml.min.js b/dist/js-yaml.min.js
index 0623500e..f72401ea 100644
--- a/dist/js-yaml.min.js
+++ b/dist/js-yaml.min.js
@@ -1 +1 @@
-!function(e){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=e();else if("function"==typeof define&&define.amd)define([],e);else{("undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this).jsyaml=e()}}(function(){return function o(a,s,c){function u(t,e){if(!s[t]){if(!a[t]){var n="function"==typeof require&&require;if(!e&&n)return n(t,!0);if(l)return l(t,!0);var i=new Error("Cannot find module '"+t+"'");throw i.code="MODULE_NOT_FOUND",i}var r=s[t]={exports:{}};a[t][0].call(r.exports,function(e){return u(a[t][1][e]||e)},r,r.exports,o,a,s,c)}return s[t].exports}for(var l="function"==typeof require&&require,e=0;e=i.flowLevel;switch(H(r,n,i.indent,t,function(e){return function(e,t){var n,i;for(n=0,i=e.implicitTypes.length;n"+V(r,i.indent)+Z(L(function(t,n){var e,i,r=/(\n+)([^\n]*)/g,o=function(){var e=t.indexOf("\n");return e=-1!==e?e:t.length,r.lastIndex=e,z(t.slice(0,e),n)}(),a="\n"===t[0]||" "===t[0];for(;i=r.exec(t);){var s=i[1],c=i[2];e=" "===c[0],o+=s+(a||e||""===c?"":"\n")+z(c,n),a=e}return o}(r,t),e));case $:return'"'+function(e){for(var t,n,i,r="",o=0;ot&&o tag resolver accepts not "'+c+'" style');i=s.represent[c](t,c)}e.dump=i}return!0}return!1}function Q(e,t,n,i,r,o){e.tag=null,e.dump=n,J(e,n,!1)||J(e,n,!0);var a=p.call(e.dump);i&&(i=e.flowLevel<0||e.flowLevel>t);var s,c,u="[object Object]"===a||"[object Array]"===a;if(u&&(c=-1!==(s=e.duplicates.indexOf(n))),(null!==e.tag&&"?"!==e.tag||c||2!==e.indent&&0 "+e.dump)}return!0}function X(e,t){var n,i,r=[],o=[];for(function e(t,n,i){var r,o,a;if(null!==t&&"object"==typeof t)if(-1!==(o=n.indexOf(t)))-1===i.indexOf(o)&&i.push(o);else if(n.push(t),Array.isArray(t))for(o=0,a=t.length;ot)&&0!==i)N(e,"bad indentation of a sequence entry");else 
if(e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt)&&($(e,t,b,!0,r)&&(m?d=e.result:h=e.result),m||(U(e,l,p,f,d,h,o,a),f=d=h=null),Y(e,!0,-1),s=e.input.charCodeAt(e.position)),e.lineIndent>t&&0!==s)N(e,"bad indentation of a mapping entry");else if(e.lineIndentl&&(l=e.lineIndent),j(o))p++;else{if(e.lineIndent>10),56320+(c-65536&1023)),e.position++}else N(e,"unknown escape sequence");n=i=e.position}else j(s)?(L(e,n,i,!0),B(e,Y(e,!1,t)),n=i=e.position):e.position===e.lineStart&&R(e)?N(e,"unexpected end of the document within a double quoted scalar"):(e.position++,i=e.position)}N(e,"unexpected end of the stream within a double quoted scalar")}(e,p)?m=!0:!function(e){var t,n,i;if(42!==(i=e.input.charCodeAt(e.position)))return!1;for(i=e.input.charCodeAt(++e.position),t=e.position;0!==i&&!I(i)&&!O(i);)i=e.input.charCodeAt(++e.position);return e.position===t&&N(e,"name of an alias node must contain at least one character"),n=e.input.slice(t,e.position),e.anchorMap.hasOwnProperty(n)||N(e,'unidentified alias "'+n+'"'),e.result=e.anchorMap[n],Y(e,!0,-1),!0}(e)?function(e,t,n){var i,r,o,a,s,c,u,l,p=e.kind,f=e.result;if(I(l=e.input.charCodeAt(e.position))||O(l)||35===l||38===l||42===l||33===l||124===l||62===l||39===l||34===l||37===l||64===l||96===l)return!1;if((63===l||45===l)&&(I(i=e.input.charCodeAt(e.position+1))||n&&O(i)))return!1;for(e.kind="scalar",e.result="",r=o=e.position,a=!1;0!==l;){if(58===l){if(I(i=e.input.charCodeAt(e.position+1))||n&&O(i))break}else if(35===l){if(I(e.input.charCodeAt(e.position-1)))break}else{if(e.position===e.lineStart&&R(e)||n&&O(l))break;if(j(l)){if(s=e.line,c=e.lineStart,u=e.lineIndent,Y(e,!1,-1),e.lineIndent>=t){a=!0,l=e.input.charCodeAt(e.position);continue}e.position=o,e.line=s,e.lineStart=c,e.lineIndent=u;break}}a&&(L(e,r,o,!1),B(e,e.line-s),r=o=e.position,a=!1),S(l)||(o=e.position+1),l=e.input.charCodeAt(++e.position)}return 
L(e,r,o,!1),!!e.result||(e.kind=p,e.result=f,!1)}(e,p,x===n)&&(m=!0,null===e.tag&&(e.tag="?")):(m=!0,null===e.tag&&null===e.anchor||N(e,"alias node should not have any properties")),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):0===d&&(m=s&&P(e,f))),null!==e.tag&&"!"!==e.tag)if("?"===e.tag){for(c=0,u=e.implicitTypes.length;c tag; it should be "'+l.kind+'", not "'+e.kind+'"'),l.resolve(e.result)?(e.result=l.construct(e.result),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):N(e,"cannot resolve a node with !<"+e.tag+"> explicit tag")):N(e,"unknown tag !<"+e.tag+">");return null!==e.listener&&e.listener("close",e),null!==e.tag||null!==e.anchor||m}function H(e){var t,n,i,r,o=e.position,a=!1;for(e.version=null,e.checkLineBreaks=e.legacy,e.tagMap={},e.anchorMap={};0!==(r=e.input.charCodeAt(e.position))&&(Y(e,!0,-1),r=e.input.charCodeAt(e.position),!(0t/2-1){n=" ... ",i+=5;break}for(r="",o=this.position;ot/2-1){r=" ... ",o-=5;break}return a=this.buffer.slice(i,o),s.repeat(" ",e)+n+a+r+"\n"+s.repeat(" ",e+this.position-i+n.length)+"^"},i.prototype.toString=function(e){var t,n="";return this.name&&(n+='in "'+this.name+'" '),n+="at line "+(this.line+1)+", column "+(this.column+1),e||(t=this.getSnippet())&&(n+=":\n"+t),n},t.exports=i},{"./common":2}],7:[function(e,t,n){"use strict";var i=e("./common"),r=e("./exception"),o=e("./type");function a(e,t,i){var r=[];return e.include.forEach(function(e){i=a(e,t,i)}),e[t].forEach(function(n){i.forEach(function(e,t){e.tag===n.tag&&e.kind===n.kind&&r.push(t)}),i.push(n)}),i.filter(function(e,t){return-1===r.indexOf(t)})}function s(e){this.include=e.include||[],this.implicit=e.implicit||[],this.explicit=e.explicit||[],this.implicit.forEach(function(e){if(e.loadKind&&"scalar"!==e.loadKind)throw new r("There is a non-scalar type in the implicit list of a schema. 
Implicit resolving of such types is not supported.")}),this.compiledImplicit=a(this,"implicit",[]),this.compiledExplicit=a(this,"explicit",[]),this.compiledTypeMap=function(){var e,t,n={scalar:{},sequence:{},mapping:{},fallback:{}};function i(e){n[e.kind][e.tag]=n.fallback[e.tag]=e}for(e=0,t=arguments.length;e>16&255),s.push(a>>8&255),s.push(255&a)),a=a<<6|o.indexOf(i.charAt(t));return 0==(n=r%4*6)?(s.push(a>>16&255),s.push(a>>8&255),s.push(255&a)):18==n?(s.push(a>>10&255),s.push(a>>2&255)):12==n&&s.push(a>>4&255),c?c.from?c.from(s):new c(s):s},predicate:function(e){return c&&c.isBuffer(e)},represent:function(e){var t,n,i="",r=0,o=e.length,a=u;for(t=0;t>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]),r=(r<<8)+e[t];return 0==(n=o%3)?(i+=a[r>>18&63],i+=a[r>>12&63],i+=a[r>>6&63],i+=a[63&r]):2==n?(i+=a[r>>10&63],i+=a[r>>4&63],i+=a[r<<2&63],i+=a[64]):1==n&&(i+=a[r>>2&63],i+=a[r<<4&63],i+=a[64],i+=a[64]),i}})},{"../type":13}],15:[function(e,t,n){"use strict";var i=e("../type");t.exports=new i("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t=e.length;return 4===t&&("true"===e||"True"===e||"TRUE"===e)||5===t&&("false"===e||"False"===e||"FALSE"===e)},construct:function(e){return"true"===e||"True"===e||"TRUE"===e},predicate:function(e){return"[object Boolean]"===Object.prototype.toString.call(e)},represent:{lowercase:function(e){return e?"true":"false"},uppercase:function(e){return e?"TRUE":"FALSE"},camelcase:function(e){return e?"True":"False"}},defaultStyle:"lowercase"})},{"../type":13}],16:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type"),o=new RegExp("^(?:[-+]?(?:0|[1-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\\.[0-9_]*|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var a=/^[-+]?[0-9]+e/;t.exports=new r("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(e){return null!==e&&!(!o.test(e)||"_"===e[e.length-1])},construct:function(e){var 
t,n,i,r;return n="-"===(t=e.replace(/_/g,"").toLowerCase())[0]?-1:1,r=[],0<="+-".indexOf(t[0])&&(t=t.slice(1)),".inf"===t?1==n?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===t?NaN:0<=t.indexOf(":")?(t.split(":").forEach(function(e){r.unshift(parseFloat(e,10))}),t=0,i=1,r.forEach(function(e){t+=e*i,i*=60}),n*t):n*parseFloat(t,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&(e%1!=0||i.isNegativeZero(e))},represent:function(e,t){var n;if(isNaN(e))switch(t){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===e)switch(t){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===e)switch(t){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(i.isNegativeZero(e))return"-0.0";return n=e.toString(10),a.test(n)?n.replace("e",".e"):n},defaultStyle:"lowercase"})},{"../common":2,"../type":13}],17:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type");t.exports=new r("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i,r,o=e.length,a=0,s=!1;if(!o)return!1;if("-"!==(t=e[a])&&"+"!==t||(t=e[++a]),"0"===t){if(a+1===o)return!0;if("b"===(t=e[++a])){for(a++;a=i.flowLevel;switch(V(r,n,i.indent,t,function(e){return function(e,t){for(var n=0,i=e.implicitTypes.length;n"+z(r,i.indent)+J(U(function(t,n){var e,i,r=/(\n+)([^\n]*)/g,o=function(){var e=-1!==(e=t.indexOf("\n"))?e:t.length;return r.lastIndex=e,Q(t.slice(0,e),n)}(),a="\n"===t[0]||" "===t[0];for(;i=r.exec(t);){var s=i[1],c=i[2];e=" "===c[0],o+=s+(a||e||""===c?"":"\n")+Q(c,n),a=e}return o}(r,t),e));case G:return'"'+function(e){for(var t,n,i,r="",o=0;ot&&o tag resolver accepts not "'+o+'" style');i=r.represent[o](t,o)}e.dump=i}return 1}}function ee(e,t,n,i,r,o){e.tag=null,e.dump=n,X(e,n,!1)||X(e,n,!0);var 
a=p.call(e.dump);i=i&&(e.flowLevel<0||e.flowLevel>t);var s,c,u="[object Object]"===a||"[object Array]"===a;if(u&&(c=-1!==(s=e.duplicates.indexOf(n))),(null!==e.tag&&"?"!==e.tag||c||2!==e.indent&&0 "+e.dump)}return 1}function te(e,t){var n,i,r=[],o=[];for(!function e(t,n,i){var r,o,a;if(null!==t&&"object"==typeof t)if(-1!==(o=n.indexOf(t)))-1===i.indexOf(o)&&i.push(o);else if(n.push(t),Array.isArray(t))for(o=0,a=t.length;o>10),56320+(s-65536&1023)),e.position++}else N(e,"unknown escape sequence");n=i=e.position}else O(p)?(L(e,n,i,!0),B(e,Y(e,!1,t)),n=i=e.position):e.position===e.lineStart&&R(e)?N(e,"unexpected end of the document within a double quoted scalar"):(e.position++,i=e.position)}N(e,"unexpected end of the stream within a double quoted scalar")}}function W(e,t){var n,i,r=e.tag,o=e.anchor,a=[],s=!1;for(null!==e.anchor&&(e.anchorMap[e.anchor]=a),i=e.input.charCodeAt(e.position);0!==i&&45===i&&F(e.input.charCodeAt(e.position+1));)if(s=!0,e.position++,Y(e,!0,-1)&&e.lineIndent<=t)a.push(null),i=e.input.charCodeAt(e.position);else if(n=e.line,K(e,t,A,!1,!0),a.push(e.result),Y(e,!0,-1),i=e.input.charCodeAt(e.position),(e.line===n||e.lineIndent>t)&&0!==i)N(e,"bad indentation of a sequence entry");else if(e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt)&&(K(e,t,b,!0,r)&&(m?d=e.result:h=e.result),m||(U(e,l,p,f,d,h,o,a),f=d=h=null),Y(e,!0,-1),s=e.input.charCodeAt(e.position)),e.lineIndent>t&&0!==s)N(e,"bad indentation of a mapping entry");else if(e.lineIndentu&&(u=e.lineIndent),O(f))l++;else{if(e.lineIndent=t){a=!0,f=e.input.charCodeAt(e.position);continue}e.position=o,e.line=s,e.lineStart=c,e.lineIndent=u;break}}a&&(L(e,r,o,!1),B(e,e.line-s),r=o=e.position,a=!1),E(f)||(o=e.position+1),f=e.input.charCodeAt(++e.position)}if(L(e,r,o,!1),e.result)return 1;e.kind=l,e.result=p}}(e,p,x===n)&&(m=!0,null===e.tag&&(e.tag="?")):(m=!0,null===e.tag&&null===e.anchor||N(e,"alias node should not have any 
properties")),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):0===d&&(m=s&&W(e,f))),null!==e.tag&&"!"!==e.tag)if("?"===e.tag){for(null!==e.result&&"scalar"!==e.kind&&N(e,'unacceptable node kind for ! tag; it should be "scalar", not "'+e.kind+'"'),c=0,u=e.implicitTypes.length;c tag; it should be "'+l.kind+'", not "'+e.kind+'"'),l.resolve(e.result)?(e.result=l.construct(e.result),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):N(e,"cannot resolve a node with !<"+e.tag+"> explicit tag")):N(e,"unknown tag !<"+e.tag+">");return null!==e.listener&&e.listener("close",e),null!==e.tag||null!==e.anchor||m}function $(e,t){t=t||{},0!==(e=String(e)).length&&(10!==e.charCodeAt(e.length-1)&&13!==e.charCodeAt(e.length-1)&&(e+="\n"),65279===e.charCodeAt(0)&&(e=e.slice(1)));var n=new h(e,t),i=e.indexOf("\0");for(-1!==i&&(n.position=i,N(n,"null byte is not allowed in input")),n.input+="\0";32===n.input.charCodeAt(n.position);)n.lineIndent+=1,n.position+=1;for(;n.positiont/2-1){n=" ... ",i+=5;break}for(r="",o=this.position;ot/2-1){r=" ... ",o-=5;break}return a=this.buffer.slice(i,o),s.repeat(" ",e)+n+a+r+"\n"+s.repeat(" ",e+this.position-i+n.length)+"^"},i.prototype.toString=function(e){var t,n="";return this.name&&(n+='in "'+this.name+'" '),n+="at line "+(this.line+1)+", column "+(this.column+1),e||(t=this.getSnippet())&&(n+=":\n"+t),n},t.exports=i},{"./common":2}],7:[function(e,t,n){"use strict";var r=e("./common"),o=e("./exception"),a=e("./type");function s(e,t,i){var r=[];return e.include.forEach(function(e){i=s(e,t,i)}),e[t].forEach(function(n){i.forEach(function(e,t){e.tag===n.tag&&e.kind===n.kind&&r.push(t)}),i.push(n)}),i.filter(function(e,t){return-1===r.indexOf(t)})}function c(e){this.include=e.include||[],this.implicit=e.implicit||[],this.explicit=e.explicit||[],this.implicit.forEach(function(e){if(e.loadKind&&"scalar"!==e.loadKind)throw new o("There is a non-scalar type in the implicit list of a schema. 
Implicit resolving of such types is not supported.")}),this.compiledImplicit=s(this,"implicit",[]),this.compiledExplicit=s(this,"explicit",[]),this.compiledTypeMap=function(){var e,t,n={scalar:{},sequence:{},mapping:{},fallback:{}};function i(e){n[e.kind][e.tag]=n.fallback[e.tag]=e}for(e=0,t=arguments.length;e>16&255),a.push(o>>8&255),a.push(255&o)),o=o<<6|r.indexOf(n.charAt(s));return 0==(t=i%4*6)?(a.push(o>>16&255),a.push(o>>8&255),a.push(255&o)):18==t?(a.push(o>>10&255),a.push(o>>2&255)):12==t&&a.push(o>>4&255),c?c.from?c.from(a):new c(a):a},predicate:function(e){return c&&c.isBuffer(e)},represent:function(e){for(var t,n="",i=0,r=e.length,o=u,a=0;a>18&63],n+=o[i>>12&63],n+=o[i>>6&63],n+=o[63&i]),i=(i<<8)+e[a];return 0==(t=r%3)?(n+=o[i>>18&63],n+=o[i>>12&63],n+=o[i>>6&63],n+=o[63&i]):2==t?(n+=o[i>>10&63],n+=o[i>>4&63],n+=o[i<<2&63],n+=o[64]):1==t&&(n+=o[i>>2&63],n+=o[i<<4&63],n+=o[64],n+=o[64]),n}})},{"../type":13}],15:[function(e,t,n){"use strict";var i=e("../type");t.exports=new i("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t=e.length;return 4===t&&("true"===e||"True"===e||"TRUE"===e)||5===t&&("false"===e||"False"===e||"FALSE"===e)},construct:function(e){return"true"===e||"True"===e||"TRUE"===e},predicate:function(e){return"[object Boolean]"===Object.prototype.toString.call(e)},represent:{lowercase:function(e){return e?"true":"false"},uppercase:function(e){return e?"TRUE":"FALSE"},camelcase:function(e){return e?"True":"False"}},defaultStyle:"lowercase"})},{"../type":13}],16:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type"),o=new RegExp("^(?:[-+]?(?:0|[1-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\\.[0-9_]*|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var a=/^[-+]?[0-9]+e/;t.exports=new r("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(e){return null!==e&&!(!o.test(e)||"_"===e[e.length-1])},construct:function(e){var 
t,n=e.replace(/_/g,"").toLowerCase(),i="-"===n[0]?-1:1,r=[];return 0<="+-".indexOf(n[0])&&(n=n.slice(1)),".inf"===n?1==i?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===n?NaN:0<=n.indexOf(":")?(n.split(":").forEach(function(e){r.unshift(parseFloat(e,10))}),n=0,t=1,r.forEach(function(e){n+=e*t,t*=60}),i*n):i*parseFloat(n,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&(e%1!=0||i.isNegativeZero(e))},represent:function(e,t){var n;if(isNaN(e))switch(t){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===e)switch(t){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===e)switch(t){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(i.isNegativeZero(e))return"-0.0";return n=e.toString(10),a.test(n)?n.replace("e",".e"):n},defaultStyle:"lowercase"})},{"../common":2,"../type":13}],17:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type");t.exports=new r("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i,r,o=e.length,a=0,s=!1;if(!o)return!1;if("-"!==(t=e[a])&&"+"!==t||(t=e[++a]),"0"===t){if(a+1===o)return!0;if("b"===(t=e[++a])){for(a++;a
Date: Fri, 22 May 2020 21:27:48 +0300
Subject: [PATCH 21/24] 3.14.0 released
---
CHANGELOG.md | 14 ++++++++++++++
package.json | 2 +-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b465c4ac..b3513578 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,19 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.14.0] - 2020-05-22
+### Changed
+- Support `safe/loadAll(input, options)` variant of call.
+- CI: drop outdated nodejs versions.
+- Dev deps bump.
+
+### Fixed
+- Quote `=` in plain scalars #519.
+- Check the node type for `!` tag in case user manually specifies it.
+- Verify that there are no null-bytes in input.
+- Fix wrong quote position when writing condensed flow, #526.
+
+
## [3.13.1] - 2019-04-05
### Security
- Fix possible code execution in (already unsafe) `.load()`, #480.
@@ -466,6 +479,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- First public release
+[3.14.0]: https://github.com/nodeca/js-yaml/compare/3.13.1...3.14.0
[3.13.1]: https://github.com/nodeca/js-yaml/compare/3.13.0...3.13.1
[3.13.0]: https://github.com/nodeca/js-yaml/compare/3.12.2...3.13.0
[3.12.2]: https://github.com/nodeca/js-yaml/compare/3.12.1...3.12.2
diff --git a/package.json b/package.json
index ba2621fd..66aa7f00 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "js-yaml",
- "version": "3.13.1",
+ "version": "3.14.0",
"description": "YAML 1.2 parser and serializer",
"keywords": [
"yaml",
From 9586ebe23298427d26b3479979bd6499bf3a14c2 Mon Sep 17 00:00:00 2001
From: Alex Kocharin
Date: Mon, 7 Dec 2020 16:15:02 +0300
Subject: [PATCH 22/24] Avoid calling hasOwnProperty of user-controlled objects
---
CHANGELOG.md | 5 +++++
lib/js-yaml/loader.js | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3513578..979e0fd4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.14.1] - 2020-12-07
+### Security
+- Fix possible code execution in (already unsafe) `.load()` (in &anchor).
+
+
## [3.14.0] - 2020-05-22
### Changed
- Support `safe/loadAll(input, options)` variant of call.
diff --git a/lib/js-yaml/loader.js b/lib/js-yaml/loader.js
index ef01386b..d7484a59 100644
--- a/lib/js-yaml/loader.js
+++ b/lib/js-yaml/loader.js
@@ -1272,7 +1272,7 @@ function readAlias(state) {
alias = state.input.slice(_position, state.position);
- if (!state.anchorMap.hasOwnProperty(alias)) {
+ if (!_hasOwnProperty.call(state.anchorMap, alias)) {
throwError(state, 'unidentified alias "' + alias + '"');
}
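Review bot: The diffstat for this commit lists only CHANGELOG.md and lib/js-yaml/loader.js, so the hardened lookup in readAlias ships without a regression test, unlike the first fix in this series, which added files under test/issues/. A test that loads a document whose anchor name shadows an Object.prototype method, and asserts that the alias still resolves to the anchored node, would keep the direct-call form from returning. Since anchor names are chosen by the document author, creating the map without a prototype where it is initialised (outside this hunk), `state.anchorMap = Object.create(null);`, would remove the collision with inherited properties altogether, provided every remaining lookup goes through `_hasOwnProperty.call`. readAlias starts and ends outside the hunk.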
From 094c0f7a79e6ff9e2b4d50b22686d2586894b58f Mon Sep 17 00:00:00 2001
From: Vitaly Puzrin
Date: Mon, 7 Dec 2020 22:09:54 +0300
Subject: [PATCH 23/24] dist rebuild
---
Makefile | 4 ++--
dist/js-yaml.js | 4 ++--
dist/js-yaml.min.js | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 5c24c2b6..ae0472c4 100644
--- a/Makefile
+++ b/Makefile
@@ -83,12 +83,12 @@ browserify:
rm -rf ./dist
mkdir dist
# Browserify
- ( echo -n "/* ${NPM_PACKAGE} ${NPM_VERSION} ${GITHUB_PROJ} */" ; \
+ ( echo -n "/*! ${NPM_PACKAGE} ${NPM_VERSION} ${GITHUB_PROJ} */" ; \
./node_modules/.bin/browserify -r ./ -s jsyaml \
) > dist/js-yaml.js
# Minify
./node_modules/.bin/uglifyjs dist/js-yaml.js -c -m \
- --preamble "/* ${NPM_PACKAGE} ${NPM_VERSION} ${GITHUB_PROJ} */" \
+ --comments /^!/ \
> dist/js-yaml.min.js
diff --git a/dist/js-yaml.js b/dist/js-yaml.js
index d7287d47..78783207 100644
--- a/dist/js-yaml.js
+++ b/dist/js-yaml.js
@@ -1,4 +1,4 @@
-/* js-yaml 3.14.0 https://github.com/nodeca/js-yaml */(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.jsyaml = f()}})(function(){var define,module,exports;return (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof require&&require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u="function"==typeof require&&require,i=0;i=i.flowLevel;switch(V(r,n,i.indent,t,function(e){return function(e,t){for(var n=0,i=e.implicitTypes.length;n"+z(r,i.indent)+J(U(function(t,n){var e,i,r=/(\n+)([^\n]*)/g,o=function(){var e=-1!==(e=t.indexOf("\n"))?e:t.length;return r.lastIndex=e,Q(t.slice(0,e),n)}(),a="\n"===t[0]||" "===t[0];for(;i=r.exec(t);){var s=i[1],c=i[2];e=" "===c[0],o+=s+(a||e||""===c?"":"\n")+Q(c,n),a=e}return o}(r,t),e));case G:return'"'+function(e){for(var t,n,i,r="",o=0;ot&&o tag resolver accepts not "'+o+'" style');i=r.represent[o](t,o)}e.dump=i}return 1}}function ee(e,t,n,i,r,o){e.tag=null,e.dump=n,X(e,n,!1)||X(e,n,!0);var a=p.call(e.dump);i=i&&(e.flowLevel<0||e.flowLevel>t);var s,c,u="[object Object]"===a||"[object Array]"===a;if(u&&(c=-1!==(s=e.duplicates.indexOf(n))),(null!==e.tag&&"?"!==e.tag||c||2!==e.indent&&0 "+e.dump)}return 1}function te(e,t){var n,i,r=[],o=[];for(!function e(t,n,i){var r,o,a;if(null!==t&&"object"==typeof t)if(-1!==(o=n.indexOf(t)))-1===i.indexOf(o)&&i.push(o);else if(n.push(t),Array.isArray(t))for(o=0,a=t.length;o>10),56320+(s-65536&1023)),e.position++}else N(e,"unknown escape sequence");n=i=e.position}else 
O(p)?(L(e,n,i,!0),B(e,Y(e,!1,t)),n=i=e.position):e.position===e.lineStart&&R(e)?N(e,"unexpected end of the document within a double quoted scalar"):(e.position++,i=e.position)}N(e,"unexpected end of the stream within a double quoted scalar")}}function W(e,t){var n,i,r=e.tag,o=e.anchor,a=[],s=!1;for(null!==e.anchor&&(e.anchorMap[e.anchor]=a),i=e.input.charCodeAt(e.position);0!==i&&45===i&&F(e.input.charCodeAt(e.position+1));)if(s=!0,e.position++,Y(e,!0,-1)&&e.lineIndent<=t)a.push(null),i=e.input.charCodeAt(e.position);else if(n=e.line,K(e,t,A,!1,!0),a.push(e.result),Y(e,!0,-1),i=e.input.charCodeAt(e.position),(e.line===n||e.lineIndent>t)&&0!==i)N(e,"bad indentation of a sequence entry");else if(e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt?d=1:e.lineIndent===t?d=0:e.lineIndentt)&&(K(e,t,b,!0,r)&&(m?d=e.result:h=e.result),m||(U(e,l,p,f,d,h,o,a),f=d=h=null),Y(e,!0,-1),s=e.input.charCodeAt(e.position)),e.lineIndent>t&&0!==s)N(e,"bad indentation of a mapping entry");else if(e.lineIndentu&&(u=e.lineIndent),O(f))l++;else{if(e.lineIndent=t){a=!0,f=e.input.charCodeAt(e.position);continue}e.position=o,e.line=s,e.lineStart=c,e.lineIndent=u;break}}a&&(L(e,r,o,!1),B(e,e.line-s),r=o=e.position,a=!1),E(f)||(o=e.position+1),f=e.input.charCodeAt(++e.position)}if(L(e,r,o,!1),e.result)return 1;e.kind=l,e.result=p}}(e,p,x===n)&&(m=!0,null===e.tag&&(e.tag="?")):(m=!0,null===e.tag&&null===e.anchor||N(e,"alias node should not have any properties")),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):0===d&&(m=s&&W(e,f))),null!==e.tag&&"!"!==e.tag)if("?"===e.tag){for(null!==e.result&&"scalar"!==e.kind&&N(e,'unacceptable node kind for ! 
tag; it should be "scalar", not "'+e.kind+'"'),c=0,u=e.implicitTypes.length;c tag; it should be "'+l.kind+'", not "'+e.kind+'"'),l.resolve(e.result)?(e.result=l.construct(e.result),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):N(e,"cannot resolve a node with !<"+e.tag+"> explicit tag")):N(e,"unknown tag !<"+e.tag+">");return null!==e.listener&&e.listener("close",e),null!==e.tag||null!==e.anchor||m}function $(e,t){t=t||{},0!==(e=String(e)).length&&(10!==e.charCodeAt(e.length-1)&&13!==e.charCodeAt(e.length-1)&&(e+="\n"),65279===e.charCodeAt(0)&&(e=e.slice(1)));var n=new h(e,t),i=e.indexOf("\0");for(-1!==i&&(n.position=i,N(n,"null byte is not allowed in input")),n.input+="\0";32===n.input.charCodeAt(n.position);)n.lineIndent+=1,n.position+=1;for(;n.positiont/2-1){n=" ... ",i+=5;break}for(r="",o=this.position;ot/2-1){r=" ... ",o-=5;break}return a=this.buffer.slice(i,o),s.repeat(" ",e)+n+a+r+"\n"+s.repeat(" ",e+this.position-i+n.length)+"^"},i.prototype.toString=function(e){var t,n="";return this.name&&(n+='in "'+this.name+'" '),n+="at line "+(this.line+1)+", column "+(this.column+1),e||(t=this.getSnippet())&&(n+=":\n"+t),n},t.exports=i},{"./common":2}],7:[function(e,t,n){"use strict";var r=e("./common"),o=e("./exception"),a=e("./type");function s(e,t,i){var r=[];return e.include.forEach(function(e){i=s(e,t,i)}),e[t].forEach(function(n){i.forEach(function(e,t){e.tag===n.tag&&e.kind===n.kind&&r.push(t)}),i.push(n)}),i.filter(function(e,t){return-1===r.indexOf(t)})}function c(e){this.include=e.include||[],this.implicit=e.implicit||[],this.explicit=e.explicit||[],this.implicit.forEach(function(e){if(e.loadKind&&"scalar"!==e.loadKind)throw new o("There is a non-scalar type in the implicit list of a schema. 
Implicit resolving of such types is not supported.")}),this.compiledImplicit=s(this,"implicit",[]),this.compiledExplicit=s(this,"explicit",[]),this.compiledTypeMap=function(){var e,t,n={scalar:{},sequence:{},mapping:{},fallback:{}};function i(e){n[e.kind][e.tag]=n.fallback[e.tag]=e}for(e=0,t=arguments.length;e>16&255),a.push(o>>8&255),a.push(255&o)),o=o<<6|r.indexOf(n.charAt(s));return 0==(t=i%4*6)?(a.push(o>>16&255),a.push(o>>8&255),a.push(255&o)):18==t?(a.push(o>>10&255),a.push(o>>2&255)):12==t&&a.push(o>>4&255),c?c.from?c.from(a):new c(a):a},predicate:function(e){return c&&c.isBuffer(e)},represent:function(e){for(var t,n="",i=0,r=e.length,o=u,a=0;a>18&63],n+=o[i>>12&63],n+=o[i>>6&63],n+=o[63&i]),i=(i<<8)+e[a];return 0==(t=r%3)?(n+=o[i>>18&63],n+=o[i>>12&63],n+=o[i>>6&63],n+=o[63&i]):2==t?(n+=o[i>>10&63],n+=o[i>>4&63],n+=o[i<<2&63],n+=o[64]):1==t&&(n+=o[i>>2&63],n+=o[i<<4&63],n+=o[64],n+=o[64]),n}})},{"../type":13}],15:[function(e,t,n){"use strict";var i=e("../type");t.exports=new i("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t=e.length;return 4===t&&("true"===e||"True"===e||"TRUE"===e)||5===t&&("false"===e||"False"===e||"FALSE"===e)},construct:function(e){return"true"===e||"True"===e||"TRUE"===e},predicate:function(e){return"[object Boolean]"===Object.prototype.toString.call(e)},represent:{lowercase:function(e){return e?"true":"false"},uppercase:function(e){return e?"TRUE":"FALSE"},camelcase:function(e){return e?"True":"False"}},defaultStyle:"lowercase"})},{"../type":13}],16:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type"),o=new RegExp("^(?:[-+]?(?:0|[1-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\\.[0-9_]*|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var a=/^[-+]?[0-9]+e/;t.exports=new r("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(e){return null!==e&&!(!o.test(e)||"_"===e[e.length-1])},construct:function(e){var 
t,n=e.replace(/_/g,"").toLowerCase(),i="-"===n[0]?-1:1,r=[];return 0<="+-".indexOf(n[0])&&(n=n.slice(1)),".inf"===n?1==i?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===n?NaN:0<=n.indexOf(":")?(n.split(":").forEach(function(e){r.unshift(parseFloat(e,10))}),n=0,t=1,r.forEach(function(e){n+=e*t,t*=60}),i*n):i*parseFloat(n,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&(e%1!=0||i.isNegativeZero(e))},represent:function(e,t){var n;if(isNaN(e))switch(t){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===e)switch(t){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===e)switch(t){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(i.isNegativeZero(e))return"-0.0";return n=e.toString(10),a.test(n)?n.replace("e",".e"):n},defaultStyle:"lowercase"})},{"../common":2,"../type":13}],17:[function(e,t,n){"use strict";var i=e("../common"),r=e("../type");t.exports=new r("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i,r,o=e.length,a=0,s=!1;if(!o)return!1;if("-"!==(t=e[a])&&"+"!==t||(t=e[++a]),"0"===t){if(a+1===o)return!0;if("b"===(t=e[++a])){for(a++;a=i.flowLevel;switch(V(r,n,i.indent,t,function(e){return function(e,t){for(var n=0,i=e.implicitTypes.length;n"+z(r,i.indent)+J(U(function(t,n){var e,i=/(\n+)([^\n]*)/g,r=function(){var e=-1!==(e=t.indexOf("\n"))?e:t.length;return i.lastIndex=e,Q(t.slice(0,e),n)}(),o="\n"===t[0]||" "===t[0];for(;e=i.exec(t);){var a=e[1],s=e[2];e=" "===s[0],r+=a+(o||e||""===s?"":"\n")+Q(s,n),o=e}return r}(r,t),e));case G:return'"'+function(e){for(var t,n,i,r="",o=0;ot&&o tag resolver accepts not "'+o+'" style');i=r.represent[o](t,o)}e.dump=i}return 1}}function ee(e,t,n,i,r,o){e.tag=null,e.dump=n,X(e,n,!1)||X(e,n,!0);var a=l.call(e.dump);i=i&&(e.flowLevel<0||e.flowLevel>t);var 
s,c,u="[object Object]"===a||"[object Array]"===a;if(u&&(c=-1!==(s=e.duplicates.indexOf(n))),(null!==e.tag&&"?"!==e.tag||c||2!==e.indent&&0 "+e.dump)}return 1}function te(e,t){var n,i,r=[],o=[];for(!function e(t,n,i){var r,o,a;if(null!==t&&"object"==typeof t)if(-1!==(o=n.indexOf(t)))-1===i.indexOf(o)&&i.push(o);else if(n.push(t),Array.isArray(t))for(o=0,a=t.length;o>10),56320+(c-65536&1023)),e.position++}else N(e,"unknown escape sequence");n=i=e.position}else S(u)?(L(e,n,i,!0),B(e,Y(e,!1,t)),n=i=e.position):e.position===e.lineStart&&R(e)?N(e,"unexpected end of the document within a double quoted scalar"):(e.position++,i=e.position)}N(e,"unexpected end of the stream within a double quoted scalar")}}function K(e,t){var n,i,r=e.tag,o=e.anchor,a=[],s=!1;for(null!==e.anchor&&(e.anchorMap[e.anchor]=a),i=e.input.charCodeAt(e.position);0!==i&&45===i&&O(e.input.charCodeAt(e.position+1));)if(s=!0,e.position++,Y(e,!0,-1)&&e.lineIndent<=t)a.push(null),i=e.input.charCodeAt(e.position);else if(n=e.line,P(e,t,x,!1,!0),a.push(e.result),Y(e,!0,-1),i=e.input.charCodeAt(e.position),(e.line===n||e.lineIndent>t)&&0!==i)N(e,"bad indentation of a sequence entry");else if(e.lineIndentt?p=1:e.lineIndent===t?p=0:e.lineIndentt?p=1:e.lineIndent===t?p=0:e.lineIndentt)&&(P(e,t,A,!0,r)&&(m?d=e.result:h=e.result),m||(U(e,l,p,f,d,h,o,a),f=d=h=null),Y(e,!0,-1),s=e.input.charCodeAt(e.position)),e.lineIndent>t&&0!==s)N(e,"bad indentation of a mapping entry");else if(e.lineIndentc&&(c=e.lineIndent),S(p))u++;else{if(e.lineIndent=t){a=!0,f=e.input.charCodeAt(e.position);continue}e.position=o,e.line=s,e.lineStart=c,e.lineIndent=u;break}}a&&(L(e,r,o,!1),B(e,e.line-s),r=o=e.position,a=!1),I(f)||(o=e.position+1),f=e.input.charCodeAt(++e.position)}if(L(e,r,o,!1),e.result)return 1;e.kind=l,e.result=p}}(e,i,g===n)&&(d=!0,null===e.tag&&(e.tag="?")):(d=!0,null===e.tag&&null===e.anchor||N(e,"alias node should not have any 
properties")),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):0===p&&(d=s&&K(e,r))),null!==e.tag&&"!"!==e.tag)if("?"===e.tag){for(null!==e.result&&"scalar"!==e.kind&&N(e,'unacceptable node kind for ! tag; it should be "scalar", not "'+e.kind+'"'),c=0,u=e.implicitTypes.length;c tag; it should be "'+l.kind+'", not "'+e.kind+'"'),l.resolve(e.result)?(e.result=l.construct(e.result),null!==e.anchor&&(e.anchorMap[e.anchor]=e.result)):N(e,"cannot resolve a node with !<"+e.tag+"> explicit tag")):N(e,"unknown tag !<"+e.tag+">");return null!==e.listener&&e.listener("close",e),null!==e.tag||null!==e.anchor||d}function $(e,t){t=t||{},0!==(e=String(e)).length&&(10!==e.charCodeAt(e.length-1)&&13!==e.charCodeAt(e.length-1)&&(e+="\n"),65279===e.charCodeAt(0)&&(e=e.slice(1)));var n=new F(e,t),e=e.indexOf("\0");for(-1!==e&&(n.position=e,N(n,"null byte is not allowed in input")),n.input+="\0";32===n.input.charCodeAt(n.position);)n.lineIndent+=1,n.position+=1;for(;n.positiont/2-1){n=" ... ",i+=5;break}for(r="",o=this.position;ot/2-1){r=" ... ",o-=5;break}return a=this.buffer.slice(i,o),s.repeat(" ",e)+n+a+r+"\n"+s.repeat(" ",e+this.position-i+n.length)+"^"},i.prototype.toString=function(e){var t="";return this.name&&(t+='in "'+this.name+'" '),t+="at line "+(this.line+1)+", column "+(this.column+1),e||(e=this.getSnippet())&&(t+=":\n"+e),t},t.exports=i},{"./common":2}],7:[function(e,t,n){"use strict";var r=e("./common"),o=e("./exception"),a=e("./type");function s(e,t,i){var r=[];return e.include.forEach(function(e){i=s(e,t,i)}),e[t].forEach(function(n){i.forEach(function(e,t){e.tag===n.tag&&e.kind===n.kind&&r.push(t)}),i.push(n)}),i.filter(function(e,t){return-1===r.indexOf(t)})}function c(e){this.include=e.include||[],this.implicit=e.implicit||[],this.explicit=e.explicit||[],this.implicit.forEach(function(e){if(e.loadKind&&"scalar"!==e.loadKind)throw new o("There is a non-scalar type in the implicit list of a schema. 
Implicit resolving of such types is not supported.")}),this.compiledImplicit=s(this,"implicit",[]),this.compiledExplicit=s(this,"explicit",[]),this.compiledTypeMap=function(){var e,t,n={scalar:{},sequence:{},mapping:{},fallback:{}};function i(e){n[e.kind][e.tag]=n.fallback[e.tag]=e}for(e=0,t=arguments.length;e>16&255),o.push(r>>8&255),o.push(255&r)),r=r<<6|i.indexOf(t.charAt(a));return 0==(e=n%4*6)?(o.push(r>>16&255),o.push(r>>8&255),o.push(255&r)):18==e?(o.push(r>>10&255),o.push(r>>2&255)):12==e&&o.push(r>>4&255),s?s.from?s.from(o):new s(o):o},predicate:function(e){return s&&s.isBuffer(e)},represent:function(e){for(var t,n="",i=0,r=e.length,o=c,a=0;a>18&63],n+=o[i>>12&63],n+=o[i>>6&63],n+=o[63&i]),i=(i<<8)+e[a];return 0==(t=r%3)?(n+=o[i>>18&63],n+=o[i>>12&63],n+=o[i>>6&63],n+=o[63&i]):2==t?(n+=o[i>>10&63],n+=o[i>>4&63],n+=o[i<<2&63],n+=o[64]):1==t&&(n+=o[i>>2&63],n+=o[i<<4&63],n+=o[64],n+=o[64]),n}})},{"../type":13}],15:[function(e,t,n){"use strict";e=e("../type");t.exports=new e("tag:yaml.org,2002:bool",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t=e.length;return 4===t&&("true"===e||"True"===e||"TRUE"===e)||5===t&&("false"===e||"False"===e||"FALSE"===e)},construct:function(e){return"true"===e||"True"===e||"TRUE"===e},predicate:function(e){return"[object Boolean]"===Object.prototype.toString.call(e)},represent:{lowercase:function(e){return e?"true":"false"},uppercase:function(e){return e?"TRUE":"FALSE"},camelcase:function(e){return e?"True":"False"}},defaultStyle:"lowercase"})},{"../type":13}],16:[function(e,t,n){"use strict";var i=e("../common"),e=e("../type"),r=new RegExp("^(?:[-+]?(?:0|[1-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\\.[0-9_]*|[-+]?\\.(?:inf|Inf|INF)|\\.(?:nan|NaN|NAN))$");var o=/^[-+]?[0-9]+e/;t.exports=new e("tag:yaml.org,2002:float",{kind:"scalar",resolve:function(e){return null!==e&&!(!r.test(e)||"_"===e[e.length-1])},construct:function(e){var 
t,n=e.replace(/_/g,"").toLowerCase(),e="-"===n[0]?-1:1,i=[];return 0<="+-".indexOf(n[0])&&(n=n.slice(1)),".inf"===n?1==e?Number.POSITIVE_INFINITY:Number.NEGATIVE_INFINITY:".nan"===n?NaN:0<=n.indexOf(":")?(n.split(":").forEach(function(e){i.unshift(parseFloat(e,10))}),n=0,t=1,i.forEach(function(e){n+=e*t,t*=60}),e*n):e*parseFloat(n,10)},predicate:function(e){return"[object Number]"===Object.prototype.toString.call(e)&&(e%1!=0||i.isNegativeZero(e))},represent:function(e,t){if(isNaN(e))switch(t){case"lowercase":return".nan";case"uppercase":return".NAN";case"camelcase":return".NaN"}else if(Number.POSITIVE_INFINITY===e)switch(t){case"lowercase":return".inf";case"uppercase":return".INF";case"camelcase":return".Inf"}else if(Number.NEGATIVE_INFINITY===e)switch(t){case"lowercase":return"-.inf";case"uppercase":return"-.INF";case"camelcase":return"-.Inf"}else if(i.isNegativeZero(e))return"-0.0";return e=e.toString(10),o.test(e)?e.replace("e",".e"):e},defaultStyle:"lowercase"})},{"../common":2,"../type":13}],17:[function(e,t,n){"use strict";var i=e("../common"),e=e("../type");t.exports=new e("tag:yaml.org,2002:int",{kind:"scalar",resolve:function(e){if(null===e)return!1;var t,n,i,r,o=e.length,a=0,s=!1;if(!o)return!1;if("-"!==(t=e[a])&&"+"!==t||(t=e[++a]),"0"===t){if(a+1===o)return!0;if("b"===(t=e[++a])){for(a++;a
Date: Mon, 7 Dec 2020 22:17:20 +0300
Subject: [PATCH 24/24] 3.14.1 released
---
CHANGELOG.md | 1 +
package.json | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 979e0fd4..b4baa4ea 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -484,6 +484,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- First public release
+[3.14.1]: https://github.com/nodeca/js-yaml/compare/3.14.0...3.14.1
[3.14.0]: https://github.com/nodeca/js-yaml/compare/3.13.1...3.14.0
[3.13.1]: https://github.com/nodeca/js-yaml/compare/3.13.0...3.13.1
[3.13.0]: https://github.com/nodeca/js-yaml/compare/3.12.2...3.13.0
diff --git a/package.json b/package.json
index 66aa7f00..0d236676 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "js-yaml",
- "version": "3.14.0",
+ "version": "3.14.1",
"description": "YAML 1.2 parser and serializer",
"keywords": [
"yaml",