diff --git a/dist/index.js b/dist/index.js index 022ddc5..c8865b0 100644 --- a/dist/index.js +++ b/dist/index.js @@ -1,7 +1,7 @@ import { createRequire as __WEBPACK_EXTERNAL_createRequire } from "module"; /******/ var __webpack_modules__ = ({ -/***/ 4844: +/***/ 9659: /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) { @@ -54,7 +54,7 @@ exports.getProxyUrl = getProxyUrl; exports.isHttps = isHttps; const http = __importStar(__nccwpck_require__(8611)); const https = __importStar(__nccwpck_require__(5692)); -const pm = __importStar(__nccwpck_require__(4988)); +const pm = __importStar(__nccwpck_require__(3335)); const tunnel = __importStar(__nccwpck_require__(770)); const undici_1 = __nccwpck_require__(6752); var HttpCodes; @@ -744,7 +744,7 @@ const lowercaseKeys = (obj) => Object.keys(obj).reduce((c, k) => ((c[k.toLowerCa /***/ }), -/***/ 4988: +/***/ 3335: /***/ ((__unused_webpack_module, exports) => { @@ -1488,7 +1488,7 @@ exports["default"] = SyncProvider; Object.defineProperty(exports, "__esModule", ({ value: true })); const events_1 = __nccwpck_require__(4434); const fsScandir = __nccwpck_require__(7198); -const fastq = __nccwpck_require__(8230); +const fastq = __nccwpck_require__(3281); const common = __nccwpck_require__(4449); const reader_1 = __nccwpck_require__(5903); class AsyncReader extends reader_1.default { @@ -7392,302 +7392,6 @@ function isEmpty(input) { exports.isEmpty = isEmpty; -/***/ }), - -/***/ 8230: -/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { - - - -/* eslint-disable no-var */ - -var reusify = __nccwpck_require__(844) - -function fastqueue (context, worker, concurrency) { - if (typeof context === 'function') { - concurrency = worker - worker = context - context = null - } - - if (concurrency < 1) { - throw new Error('fastqueue concurrency must be greater than 1') - } - - var cache = reusify(Task) - var queueHead = null - var queueTail = null - var _running = 0 - var errorHandler = null - - var self = { - push: push, - drain: noop, - saturated: noop, - pause: pause, - paused: false, - concurrency: concurrency, - running: running, - resume: resume, - idle: idle, - length: length, - getQueue: getQueue, - unshift: unshift, - empty: noop, - kill: kill, - killAndDrain: killAndDrain, - error: error - } - - return self - - function running () { - return _running - } - - function pause () { - self.paused = true - } - - function length () { - var current = queueHead - var counter = 0 - - while (current) { - current = current.next - counter++ - } - - return counter - } - - function getQueue () { - var current = queueHead - var tasks = [] - - while (current) { - tasks.push(current.value) - current = current.next - } - - return tasks - } - - function resume () { - if (!self.paused) return - self.paused = false - for (var i = 0; i < self.concurrency; i++) { - _running++ - release() - } - } - - function idle () { - return _running === 0 && self.length() === 0 - } - - function push (value, done) { - var current = cache.get() - - current.context = context - current.release = release - current.value = value - current.callback = done || noop - current.errorHandler = errorHandler - - if (_running === self.concurrency || self.paused) { - if (queueTail) { - queueTail.next = current - queueTail = current - } else { - queueHead = current - queueTail = current - self.saturated() - } - } else { - _running++ - worker.call(context, current.value, current.worked) - } - } - - function unshift (value, done) { - var current = cache.get() - - current.context = context - current.release = release - current.value = value - current.callback = done || noop - - if (_running === self.concurrency || self.paused) { - if (queueHead) { - current.next = queueHead - queueHead = current - } else { - queueHead = current - queueTail = current - self.saturated() - } - } else { - _running++ - worker.call(context, current.value, current.worked) - } - } - - function release (holder) { - if (holder) { - cache.release(holder) - } - var next = queueHead - if (next) { - if (!self.paused) { - if (queueTail === queueHead) { - queueTail = null - } - queueHead = next.next - next.next = null - worker.call(context, next.value, next.worked) - if (queueTail === null) { - self.empty() - } - } else { - _running-- - } - } else if (--_running === 0) { - self.drain() - } - } - - function kill () { - queueHead = null - queueTail = null - self.drain = noop - } - - function killAndDrain () { - queueHead = null - queueTail = null - self.drain() - self.drain = noop - } - - function error (handler) { - errorHandler = handler - } -} - -function noop () {} - -function Task () { - this.value = null - this.callback = noop - this.next = null - this.release = noop - this.context = null - this.errorHandler = null - - var self = this - - this.worked = function worked (err, result) { - var callback = self.callback - var errorHandler = self.errorHandler - var val = self.value - self.value = null - self.callback = noop - if (self.errorHandler) { - errorHandler(err, val) - } - callback.call(self.context, err, result) - self.release(self) - } -} - -function queueAsPromised (context, worker, concurrency) { - if (typeof context === 'function') { - concurrency = worker - worker = context - context = null - } - - function asyncWrapper (arg, cb) { - worker.call(this, arg) - .then(function (res) { - cb(null, res) - }, cb) - } - - var queue = fastqueue(context, asyncWrapper, concurrency) - - var pushCb = queue.push - var unshiftCb = queue.unshift - - queue.push = push - queue.unshift = unshift - queue.drained = drained - - return queue - - function push (value) { - var p = new Promise(function (resolve, reject) { - pushCb(value, function (err, result) { - if (err) { - reject(err) - return - } - resolve(result) - }) - }) - - // Let's fork the promise chain to - // make the error bubble up to the user but - // not lead to a unhandledRejection - p.catch(noop) - - return p - } - - function unshift (value) { - var p = new Promise(function (resolve, reject) { - unshiftCb(value, function (err, result) { - if (err) { - reject(err) - return - } - resolve(result) - }) - }) - - // Let's fork the promise chain to - // make the error bubble up to the user but - // not lead to a unhandledRejection - p.catch(noop) - - return p - } - - function drained () { - if (queue.idle()) { - return new Promise(function (resolve) { - resolve() - }) - } - - var previousDrain = queue.drain - - var p = new Promise(function (resolve) { - queue.drain = function () { - previousDrain() - resolve() - } - }) - - return p - } -} - -module.exports = fastqueue -module.exports.promise = queueAsPromised - - /***/ }), /***/ 877: @@ -8805,6 +8509,8 @@ const path = __nccwpck_require__(6928); const WIN_SLASH = '\\\\/'; const WIN_NO_SLASH = `[^${WIN_SLASH}]`; +const DEFAULT_MAX_EXTGLOB_RECURSION = 0; + /** * Posix glob regex */ @@ -8868,6 +8574,7 @@ const WINDOWS_CHARS = { */ const POSIX_REGEX_SOURCE = { + __proto__: null, alnum: 'a-zA-Z0-9', alpha: 'a-zA-Z', ascii: '\\x00-\\x7F', @@ -8885,6 +8592,7 @@ const POSIX_REGEX_SOURCE = { }; module.exports = { + DEFAULT_MAX_EXTGLOB_RECURSION, MAX_LENGTH: 1024 * 64, POSIX_REGEX_SOURCE, @@ -8898,6 +8606,7 @@ module.exports = { // Replace globs with equivalent patterns to reduce parsing time. REPLACEMENTS: { + __proto__: null, '***': '*', '**/**': '**', '**/**/**': '**' @@ -9032,6 +8741,277 @@ const syntaxError = (type, char) => { return `Missing ${type}: "${char}" - use "\\\\${char}" to match literal characters`; }; +const splitTopLevel = input => { + const parts = []; + let bracket = 0; + let paren = 0; + let quote = 0; + let value = ''; + let escaped = false; + + for (const ch of input) { + if (escaped === true) { + value += ch; + escaped = false; + continue; + } + + if (ch === '\\') { + value += ch; + escaped = true; + continue; + } + + if (ch === '"') { + quote = quote === 1 ? 0 : 1; + value += ch; + continue; + } + + if (quote === 0) { + if (ch === '[') { + bracket++; + } else if (ch === ']' && bracket > 0) { + bracket--; + } else if (bracket === 0) { + if (ch === '(') { + paren++; + } else if (ch === ')' && paren > 0) { + paren--; + } else if (ch === '|' && paren === 0) { + parts.push(value); + value = ''; + continue; + } + } + } + + value += ch; + } + + parts.push(value); + return parts; +}; + +const isPlainBranch = branch => { + let escaped = false; + + for (const ch of branch) { + if (escaped === true) { + escaped = false; + continue; + } + + if (ch === '\\') { + escaped = true; + continue; + } + + if (/[?*+@!()[\]{}]/.test(ch)) { + return false; + } + } + + return true; +}; + +const normalizeSimpleBranch = branch => { + let value = branch.trim(); + let changed = true; + + while (changed === true) { + changed = false; + + if (/^@\([^\\()[\]{}|]+\)$/.test(value)) { + value = value.slice(2, -1); + changed = true; + } + } + + if (!isPlainBranch(value)) { + return; + } + + return value.replace(/\\(.)/g, '$1'); +}; + +const hasRepeatedCharPrefixOverlap = branches => { + const values = branches.map(normalizeSimpleBranch).filter(Boolean); + + for (let i = 0; i < values.length; i++) { + for (let j = i + 1; j < values.length; j++) { + const a = values[i]; + const b = values[j]; + const char = a[0]; + + if (!char || a !== char.repeat(a.length) || b !== char.repeat(b.length)) { + continue; + } + + if (a === b || a.startsWith(b) || b.startsWith(a)) { + return true; + } + } + } + + return false; +}; + +const parseRepeatedExtglob = (pattern, requireEnd = true) => { + if ((pattern[0] !== '+' && pattern[0] !== '*') || pattern[1] !== '(') { + return; + } + + let bracket = 0; + let paren = 0; + let quote = 0; + let escaped = false; + + for (let i = 1; i < pattern.length; i++) { + const ch = pattern[i]; + + if (escaped === true) { + escaped = false; + continue; + } + + if (ch === '\\') { + escaped = true; + continue; + } + + if (ch === '"') { + quote = quote === 1 ? 0 : 1; + continue; + } + + if (quote === 1) { + continue; + } + + if (ch === '[') { + bracket++; + continue; + } + + if (ch === ']' && bracket > 0) { + bracket--; + continue; + } + + if (bracket > 0) { + continue; + } + + if (ch === '(') { + paren++; + continue; + } + + if (ch === ')') { + paren--; + + if (paren === 0) { + if (requireEnd === true && i !== pattern.length - 1) { + return; + } + + return { + type: pattern[0], + body: pattern.slice(2, i), + end: i + }; + } + } + } +}; + +const getStarExtglobSequenceOutput = pattern => { + let index = 0; + const chars = []; + + while (index < pattern.length) { + const match = parseRepeatedExtglob(pattern.slice(index), false); + + if (!match || match.type !== '*') { + return; + } + + const branches = splitTopLevel(match.body).map(branch => branch.trim()); + if (branches.length !== 1) { + return; + } + + const branch = normalizeSimpleBranch(branches[0]); + if (!branch || branch.length !== 1) { + return; + } + + chars.push(branch); + index += match.end + 1; + } + + if (chars.length < 1) { + return; + } + + const source = chars.length === 1 + ? utils.escapeRegex(chars[0]) + : `[${chars.map(ch => utils.escapeRegex(ch)).join('')}]`; + + return `${source}*`; +}; + +const repeatedExtglobRecursion = pattern => { + let depth = 0; + let value = pattern.trim(); + let match = parseRepeatedExtglob(value); + + while (match) { + depth++; + value = match.body.trim(); + match = parseRepeatedExtglob(value); + } + + return depth; +}; + +const analyzeRepeatedExtglob = (body, options) => { + if (options.maxExtglobRecursion === false) { + return { risky: false }; + } + + const max = + typeof options.maxExtglobRecursion === 'number' + ? options.maxExtglobRecursion + : constants.DEFAULT_MAX_EXTGLOB_RECURSION; + + const branches = splitTopLevel(body).map(branch => branch.trim()); + + if (branches.length > 1) { + if ( + branches.some(branch => branch === '') || + branches.some(branch => /^[*?]+$/.test(branch)) || + hasRepeatedCharPrefixOverlap(branches) + ) { + return { risky: true }; + } + } + + for (const branch of branches) { + const safeOutput = getStarExtglobSequenceOutput(branch); + if (safeOutput) { + return { risky: true, safeOutput }; + } + + if (repeatedExtglobRecursion(branch) > max) { + return { risky: true }; + } + } + + return { risky: false }; +}; + /** * Parse the given input string. * @param {String} input @@ -9213,6 +9193,8 @@ const parse = (input, options) => { token.prev = prev; token.parens = state.parens; token.output = state.output; + token.startIndex = state.index; + token.tokensIndex = tokens.length; const output = (opts.capture ? '(' : '') + token.open; increment('parens'); @@ -9222,6 +9204,34 @@ const parse = (input, options) => { }; const extglobClose = token => { + const literal = input.slice(token.startIndex, state.index + 1); + const body = input.slice(token.startIndex + 2, state.index); + const analysis = analyzeRepeatedExtglob(body, opts); + + if ((token.type === 'plus' || token.type === 'star') && analysis.risky) { + const safeOutput = analysis.safeOutput + ? (token.output ? '' : ONE_CHAR) + (opts.capture ? `(${analysis.safeOutput})` : analysis.safeOutput) + : undefined; + const open = tokens[token.tokensIndex]; + + open.type = 'text'; + open.value = literal; + open.output = safeOutput || utils.escapeRegex(literal); + + for (let i = token.tokensIndex + 1; i < tokens.length; i++) { + tokens[i].value = ''; + tokens[i].output = ''; + delete tokens[i].suffix; + } + + state.output = token.output + open.output; + state.backtrack = true; + + push({ type: 'paren', extglob: true, value, output: '' }); + decrement('parens'); + return; + } + let output = token.close + (opts.capture ? ')' : ''); let rest; @@ -13521,9 +13531,13 @@ function runParallel (tasks, cb) { clearBuffers(parser) parser.q = parser.c = '' parser.bufferCheckPosition = sax.MAX_BUFFER_LENGTH + parser.encoding = null; parser.opt = opt || {} parser.opt.lowercase = parser.opt.lowercase || parser.opt.lowercasetags parser.looseCase = parser.opt.lowercase ? 'toLowerCase' : 'toUpperCase' + parser.opt.maxEntityCount = parser.opt.maxEntityCount || 512 + parser.opt.maxEntityDepth = parser.opt.maxEntityDepth || 4 + parser.entityCount = parser.entityDepth = 0 parser.tags = [] parser.closed = parser.closedRoot = parser.sawRoot = false parser.tag = parser.error = null @@ -13662,6 +13676,39 @@ function runParallel (tasks, cb) { return new SAXStream(strict, opt) } + function determineBufferEncoding(data, isEnd) { + // BOM-based detection is the most reliable signal when present. + if (data.length >= 2) { + if (data[0] === 0xff && data[1] === 0xfe) { + return 'utf-16le' + } + + if (data[0] === 0xfe && data[1] === 0xff) { + return 'utf-16be' + } + } + + if (data.length >= 3 && data[0] === 0xef && data[1] === 0xbb && data[2] === 0xbf) { + return 'utf8' + } + + if (data.length >= 4) { + // XML documents without a BOM still start with "') { - emitNode(parser, 'onprocessinginstruction', { + const procInstEndData = { name: parser.procInstName, body: parser.procInstBody, - }) + } + validateXmlDeclarationEncoding(parser, procInstEndData) + emitNode(parser, 'onprocessinginstruction', procInstEndData) parser.procInstName = parser.procInstBody = '' parser.state = S.TEXT } else { @@ -15012,7 +15158,7 @@ function runParallel (tasks, cb) { } else if (isMatch(nameBody, c)) { parser.tagName += c } else if (parser.script) { - parser.script += ' parser.opt.maxEntityCount) { + error( + parser, + 'Parsed entity count exceeds max entity count' + ) + } + + if ((parser.entityDepth += 1) > parser.opt.maxEntityDepth) { + error( + parser, + 'Parsed entity depth exceeds max entity depth' + ) + } + parser.entity = '' parser.state = returnState parser.write(parsedEntity) + parser.entityDepth -= 1 } else { parser[buffer] += parsedEntity parser.entity = '' @@ -15854,7 +16015,7 @@ module.exports.fetch = async function fetch (init, options = undefined) { } module.exports.Headers = __nccwpck_require__(660).Headers module.exports.Response = __nccwpck_require__(9051).Response -module.exports.Request = __nccwpck_require__(9967).Request +module.exports.Request = __nccwpck_require__(2348).Request module.exports.FormData = __nccwpck_require__(5910).FormData module.exports.File = globalThis.File ?? (__nccwpck_require__(4573).File) module.exports.FileReader = __nccwpck_require__(8355).FileReader @@ -19826,7 +19987,6 @@ function defaultFactory (origin, opts) { class Agent extends DispatcherBase { constructor ({ factory = defaultFactory, maxRedirections = 0, connect, ...options } = {}) { - super() if (typeof factory !== 'function') { throw new InvalidArgumentError('factory must be a function.') @@ -19840,6 +20000,8 @@ class Agent extends DispatcherBase { throw new InvalidArgumentError('maxRedirections must be a positive number') } + super(options) + if (connect && typeof connect !== 'function') { connect = { ...connect } } @@ -22388,9 +22550,10 @@ class Client extends DispatcherBase { autoSelectFamilyAttemptTimeout, // h2 maxConcurrentStreams, - allowH2 + allowH2, + webSocket } = {}) { - super() + super({ webSocket }) if (keepAlive !== undefined) { throw new InvalidArgumentError('unsupported keepAlive, use pipelining=0 instead') @@ -22922,15 +23085,23 @@ const { kDestroy, kClose, kClosed, kDestroyed, kDispatch, kInterceptors } = __nc const kOnDestroyed = Symbol('onDestroyed') const kOnClosed = Symbol('onClosed') const kInterceptedDispatch = Symbol('Intercepted Dispatch') +const kWebSocketOptions = Symbol('webSocketOptions') class DispatcherBase extends Dispatcher { - constructor () { + constructor (opts) { super() this[kDestroyed] = false this[kOnDestroyed] = null this[kClosed] = false this[kOnClosed] = [] + this[kWebSocketOptions] = opts?.webSocket ?? {} + } + + get webSocketOptions () { + return { + maxPayloadSize: this[kWebSocketOptions].maxPayloadSize ?? 128 * 1024 * 1024 + } } get destroyed () { @@ -23490,8 +23661,8 @@ const kRemoveClient = Symbol('remove client') const kStats = Symbol('stats') class PoolBase extends DispatcherBase { - constructor () { - super() + constructor (opts) { + super(opts) this[kQueue] = new FixedQueue() this[kClients] = [] @@ -23750,8 +23921,6 @@ class Pool extends PoolBase { allowH2, ...options } = {}) { - super() - if (connections != null && (!Number.isFinite(connections) || connections < 0)) { throw new InvalidArgumentError('invalid connections') } @@ -23776,6 +23945,8 @@ class Pool extends PoolBase { }) } + super(options) + this[kInterceptors] = options.interceptors?.Pool && Array.isArray(options.interceptors.Pool) ? options.interceptors.Pool : [] @@ -27259,7 +27430,7 @@ const { urlEquals, getFieldValues } = __nccwpck_require__(6798) const { kEnumerableProperty, isDisturbed } = __nccwpck_require__(3440) const { webidl } = __nccwpck_require__(5893) const { Response, cloneResponse, fromInnerResponse } = __nccwpck_require__(9051) -const { Request, fromInnerRequest } = __nccwpck_require__(9967) +const { Request, fromInnerRequest } = __nccwpck_require__(2348) const { kState } = __nccwpck_require__(3627) const { fetching } = __nccwpck_require__(4398) const { urlIsHttpHttpsScheme, createDeferredPromise, readAllBytes } = __nccwpck_require__(3168) @@ -29573,7 +29744,7 @@ module.exports = { const { pipeline } = __nccwpck_require__(7075) const { fetching } = __nccwpck_require__(4398) -const { makeRequest } = __nccwpck_require__(9967) +const { makeRequest } = __nccwpck_require__(2348) const { webidl } = __nccwpck_require__(5893) const { EventSourceStream } = __nccwpck_require__(4031) const { parseMIMEType } = __nccwpck_require__(1900) @@ -33197,7 +33368,7 @@ const { fromInnerResponse } = __nccwpck_require__(9051) const { HeadersList } = __nccwpck_require__(660) -const { Request, cloneRequest } = __nccwpck_require__(9967) +const { Request, cloneRequest } = __nccwpck_require__(2348) const zlib = __nccwpck_require__(8522) const { bytesMatch, @@ -35461,7 +35632,7 @@ module.exports = { /***/ }), -/***/ 9967: +/***/ 2348: /***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { /* globals AbortController */ @@ -40643,7 +40814,7 @@ const { const { fireEvent, failWebsocketConnection, isClosing, isClosed, isEstablished, parseExtensions } = __nccwpck_require__(8625) const { channels } = __nccwpck_require__(2414) const { CloseEvent } = __nccwpck_require__(5188) -const { makeRequest } = __nccwpck_require__(9967) +const { makeRequest } = __nccwpck_require__(2348) const { fetching } = __nccwpck_require__(4398) const { Headers, getHeadersList } = __nccwpck_require__(660) const { getDecodeSplit } = __nccwpck_require__(3168) @@ -41530,40 +41701,35 @@ const tail = Buffer.from([0x00, 0x00, 0xff, 0xff]) const kBuffer = Symbol('kBuffer') const kLength = Symbol('kLength') -// Default maximum decompressed message size: 4 MB -const kDefaultMaxDecompressedSize = 4 * 1024 * 1024 - class PerMessageDeflate { /** @type {import('node:zlib').InflateRaw} */ #inflate #options = {} - /** @type {boolean} */ - #aborted = false - - /** @type {Function|null} */ - #currentCallback = null + #maxPayloadSize = 0 /** * @param {Map} extensions */ - constructor (extensions) { + constructor (extensions, options) { this.#options.serverNoContextTakeover = extensions.has('server_no_context_takeover') this.#options.serverMaxWindowBits = extensions.get('server_max_window_bits') + + this.#maxPayloadSize = options.maxPayloadSize } + /** + * Decompress a compressed payload. + * @param {Buffer} chunk Compressed data + * @param {boolean} fin Final fragment flag + * @param {Function} callback Callback function + */ decompress (chunk, fin, callback) { // An endpoint uses the following algorithm to decompress a message. // 1. Append 4 octets of 0x00 0x00 0xff 0xff to the tail end of the // payload of the message. // 2. Decompress the resulting data using DEFLATE. - - if (this.#aborted) { - callback(new MessageSizeExceededError()) - return - } - if (!this.#inflate) { let windowBits = Z_DEFAULT_WINDOWBITS @@ -41586,23 +41752,12 @@ class PerMessageDeflate { this.#inflate[kLength] = 0 this.#inflate.on('data', (data) => { - if (this.#aborted) { - return - } - this.#inflate[kLength] += data.length - if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) { - this.#aborted = true + if (this.#maxPayloadSize > 0 && this.#inflate[kLength] > this.#maxPayloadSize) { + callback(new MessageSizeExceededError()) this.#inflate.removeAllListeners() - this.#inflate.destroy() this.#inflate = null - - if (this.#currentCallback) { - const cb = this.#currentCallback - this.#currentCallback = null - cb(new MessageSizeExceededError()) - } return } @@ -41615,14 +41770,13 @@ class PerMessageDeflate { }) } - this.#currentCallback = callback this.#inflate.write(chunk) if (fin) { this.#inflate.write(tail) } this.#inflate.flush(() => { - if (this.#aborted || !this.#inflate) { + if (!this.#inflate) { return } @@ -41630,7 +41784,6 @@ class PerMessageDeflate { this.#inflate[kBuffer].length = 0 this.#inflate[kLength] = 0 - this.#currentCallback = null callback(null, full) }) @@ -41665,6 +41818,7 @@ const { const { WebsocketFrameSend } = __nccwpck_require__(3264) const { closeWebSocketConnection } = __nccwpck_require__(6897) const { PerMessageDeflate } = __nccwpck_require__(9469) +const { MessageSizeExceededError } = __nccwpck_require__(8707) // This code was influenced by ws released under the MIT license. // Copyright (c) 2011 Einar Otto Stangvik @@ -41673,6 +41827,7 @@ const { PerMessageDeflate } = __nccwpck_require__(9469) class ByteParser extends Writable { #buffers = [] + #fragmentsBytes = 0 #byteOffset = 0 #loop = false @@ -41684,18 +41839,23 @@ class ByteParser extends Writable { /** @type {Map} */ #extensions + /** @type {number} */ + #maxPayloadSize + /** * @param {import('./websocket').WebSocket} ws * @param {Map|null} extensions + * @param {{ maxPayloadSize?: number }} [options] */ - constructor (ws, extensions) { + constructor (ws, extensions, options = {}) { super() this.ws = ws this.#extensions = extensions == null ? new Map() : extensions + this.#maxPayloadSize = options.maxPayloadSize ?? 0 if (this.#extensions.has('permessage-deflate')) { - this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions)) + this.#extensions.set('permessage-deflate', new PerMessageDeflate(extensions, options)) } } @@ -41711,6 +41871,19 @@ class ByteParser extends Writable { this.run(callback) } + #validatePayloadLength () { + if ( + this.#maxPayloadSize > 0 && + !isControlFrame(this.#info.opcode) && + this.#info.payloadLength > this.#maxPayloadSize + ) { + failWebsocketConnection(this.ws, 'Payload size exceeds maximum allowed size') + return false + } + + return true + } + /** * Runs whenever a new chunk is received. * Callback is called whenever there are no more chunks buffering, @@ -41799,6 +41972,10 @@ class ByteParser extends Writable { if (payloadLength <= 125) { this.#info.payloadLength = payloadLength this.#state = parserStates.READ_DATA + + if (!this.#validatePayloadLength()) { + return + } } else if (payloadLength === 126) { this.#state = parserStates.PAYLOADLENGTH_16 } else if (payloadLength === 127) { @@ -41823,6 +42000,10 @@ class ByteParser extends Writable { this.#info.payloadLength = buffer.readUInt16BE(0) this.#state = parserStates.READ_DATA + + if (!this.#validatePayloadLength()) { + return + } } else if (this.#state === parserStates.PAYLOADLENGTH_64) { if (this.#byteOffset < 8) { return callback() @@ -41845,6 +42026,10 @@ class ByteParser extends Writable { this.#info.payloadLength = lower this.#state = parserStates.READ_DATA + + if (!this.#validatePayloadLength()) { + return + } } else if (this.#state === parserStates.READ_DATA) { if (this.#byteOffset < this.#info.payloadLength) { return callback() @@ -41857,42 +42042,53 @@ class ByteParser extends Writable { this.#state = parserStates.INFO } else { if (!this.#info.compressed) { - this.#fragments.push(body) + this.writeFragments(body) + + if (this.#maxPayloadSize > 0 && this.#fragmentsBytes > this.#maxPayloadSize) { + failWebsocketConnection(this.ws, new MessageSizeExceededError().message) + return + } // If the frame is not fragmented, a message has been received. // If the frame is fragmented, it will terminate with a fin bit set // and an opcode of 0 (continuation), therefore we handle that when // parsing continuation frames, not here. if (!this.#info.fragmented && this.#info.fin) { - const fullMessage = Buffer.concat(this.#fragments) - websocketMessageReceived(this.ws, this.#info.binaryType, fullMessage) - this.#fragments.length = 0 + websocketMessageReceived(this.ws, this.#info.binaryType, this.consumeFragments()) } this.#state = parserStates.INFO } else { - this.#extensions.get('permessage-deflate').decompress(body, this.#info.fin, (error, data) => { - if (error) { - failWebsocketConnection(this.ws, error.message) - return - } + this.#extensions.get('permessage-deflate').decompress( + body, + this.#info.fin, + (error, data) => { + if (error) { + failWebsocketConnection(this.ws, error.message) + return + } - this.#fragments.push(data) + this.writeFragments(data) + + if (this.#maxPayloadSize > 0 && this.#fragmentsBytes > this.#maxPayloadSize) { + failWebsocketConnection(this.ws, new MessageSizeExceededError().message) + return + } + + if (!this.#info.fin) { + this.#state = parserStates.INFO + this.#loop = true + this.run(callback) + return + } + + websocketMessageReceived(this.ws, this.#info.binaryType, this.consumeFragments()) - if (!this.#info.fin) { - this.#state = parserStates.INFO this.#loop = true + this.#state = parserStates.INFO this.run(callback) - return } - - websocketMessageReceived(this.ws, this.#info.binaryType, Buffer.concat(this.#fragments)) - - this.#loop = true - this.#state = parserStates.INFO - this.#fragments.length = 0 - this.run(callback) - }) + ) this.#loop = false break @@ -41944,6 +42140,26 @@ class ByteParser extends Writable { return buffer } + writeFragments (fragment) { + this.#fragmentsBytes += fragment.length + this.#fragments.push(fragment) + } + + consumeFragments () { + const fragments = this.#fragments + + if (fragments.length === 1) { + this.#fragmentsBytes = 0 + return fragments.shift() + } + + const output = Buffer.concat(fragments, this.#fragmentsBytes) + this.#fragments = [] + this.#fragmentsBytes = 0 + + return output + } + parseCloseBody (data) { assert(data.length !== 1) @@ -42975,7 +43191,11 @@ class WebSocket extends EventTarget { // once this happens, the connection is open this[kResponse] = response - const parser = new ByteParser(this, parsedExtensions) + const maxPayloadSize = this[kController]?.dispatcher?.webSocketOptions?.maxPayloadSize + + const parser = new ByteParser(this, parsedExtensions, { + maxPayloadSize + }) parser.on('drain', onParserDrain) parser.on('error', onParserError.bind(this)) @@ -48567,6 +48787,359 @@ module.exports.xL = safeParse __webpack_unused_export__ = defaultContentType +/***/ }), + +/***/ 3281: +/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => { + + + +/* eslint-disable no-var */ + +var reusify = __nccwpck_require__(844) + +function fastqueue (context, worker, _concurrency) { + if (typeof context === 'function') { + _concurrency = worker + worker = context + context = null + } + + if (!(_concurrency >= 1)) { + throw new Error('fastqueue concurrency must be equal to or greater than 1') + } + + var cache = reusify(Task) + var queueHead = null + var queueTail = null + var _running = 0 + var errorHandler = null + + var self = { + push: push, + drain: noop, + saturated: noop, + pause: pause, + paused: false, + + get concurrency () { + return _concurrency + }, + set concurrency (value) { + if (!(value >= 1)) { + throw new Error('fastqueue concurrency must be equal to or greater than 1') + } + _concurrency = value + + if (self.paused) return + for (; queueHead && _running < _concurrency;) { + _running++ + release() + } + }, + + running: running, + resume: resume, + idle: idle, + length: length, + getQueue: getQueue, + unshift: unshift, + empty: noop, + kill: kill, + killAndDrain: killAndDrain, + error: error, + abort: abort + } + + return self + + function running () { + return _running + } + + function pause () { + self.paused = true + } + + function length () { + var current = queueHead + var counter = 0 + + while (current) { + current = current.next + counter++ + } + + return counter + } + + function getQueue () { + var current = queueHead + var tasks = [] + + while (current) { + tasks.push(current.value) + current = current.next + } + + return tasks + } + + function resume () { + if (!self.paused) return + self.paused = false + if (queueHead === null) { + _running++ + release() + return + } + for (; queueHead && _running < _concurrency;) { + _running++ + release() + } + } + + function idle () { + return _running === 0 && self.length() === 0 + } + + function push (value, done) { + var current = cache.get() + + current.context = context + current.release = release + current.value = value + current.callback = done || noop + current.errorHandler = errorHandler + + if (_running >= _concurrency || self.paused) { + if (queueTail) { + queueTail.next = current + queueTail = current + } else { + queueHead = current + queueTail = current + self.saturated() + } + } else { + _running++ + worker.call(context, current.value, current.worked) + } + } + + function unshift (value, done) { + var current = cache.get() + + current.context = context + current.release = release + current.value = value + current.callback = done || noop + current.errorHandler = errorHandler + + if (_running >= _concurrency || self.paused) { + if (queueHead) { + current.next = queueHead + queueHead = current + } else { + queueHead = current + queueTail = current + self.saturated() + } + } else { + _running++ + worker.call(context, current.value, current.worked) + } + } + + function release (holder) { + if (holder) { + cache.release(holder) + } + var next = queueHead + if (next && _running <= _concurrency) { + if (!self.paused) { + if (queueTail === queueHead) { + queueTail = null + } + queueHead = next.next + next.next = null + worker.call(context, next.value, next.worked) + if (queueTail === null) { + self.empty() + } + } else { + _running-- + } + } else if (--_running === 0) { + self.drain() + } + } + + function kill () { + queueHead = null + queueTail = null + self.drain = noop + } + + function killAndDrain () { + queueHead = null + queueTail = null + self.drain() + self.drain = noop + } + + function abort () { + var current = queueHead + queueHead = null + queueTail = null + + while (current) { + var next = current.next + var callback = current.callback + var errorHandler = current.errorHandler + var val = current.value + var context = current.context + + // Reset the task state + current.value = null + current.callback = noop + current.errorHandler = null + + // Call error handler if present + if (errorHandler) { + errorHandler(new Error('abort'), val) + } + + // Call callback with error + callback.call(context, new Error('abort')) + + // Release the task back to the pool + current.release(current) + + current = next + } + + self.drain = noop + } + + function error (handler) { + errorHandler = handler + } +} + +function noop () {} + +function Task () { + this.value = null + this.callback = noop + this.next = null + this.release = noop + this.context = null + this.errorHandler = null + + var self = this + + this.worked = function worked (err, result) { + var callback = self.callback + var errorHandler = self.errorHandler + var val = self.value + self.value = null + self.callback = noop + if (self.errorHandler) { + errorHandler(err, val) + } + callback.call(self.context, err, result) + self.release(self) + } +} + +function queueAsPromised (context, worker, _concurrency) { + if (typeof context === 'function') { + _concurrency = worker + worker = context + context = null + } + + function asyncWrapper (arg, cb) { + worker.call(this, arg) + .then(function (res) { + cb(null, res) + }, cb) + } + + var queue = fastqueue(context, asyncWrapper, _concurrency) + + var pushCb = queue.push + var unshiftCb = queue.unshift + + queue.push = push + queue.unshift = unshift + queue.drained = drained + + return queue + + function push (value) { + var p = new Promise(function (resolve, reject) { + pushCb(value, function (err, result) { + if (err) { + reject(err) + return + } + resolve(result) + }) + }) + + // Let's fork the promise chain to + // make the error bubble up to the user but + // not lead to a unhandledRejection + p.catch(noop) + + return p + } + + function unshift (value) { + var p = new Promise(function (resolve, reject) { + unshiftCb(value, function (err, result) { + if (err) { + reject(err) + return + } + resolve(result) + }) + }) + + // Let's fork the promise chain to + // make the error bubble up to the user but + // not lead to a unhandledRejection + p.catch(noop) + + return p + } + + function drained () { + var p = new Promise(function (resolve) { + process.nextTick(function () { + if (queue.idle()) { + resolve() + } else { + var previousDrain = queue.drain + queue.drain = function () { + if (typeof previousDrain === 'function') previousDrain() + resolve() + queue.drain = previousDrain + } + } + }) + }) + + return p + } +} + +module.exports = fastqueue +module.exports.promise = queueAsPromised + + /***/ }) /******/ }); @@ -48784,7 +49357,7 @@ var external_path_ = __nccwpck_require__(6928); var external_http_ = __nccwpck_require__(8611); // EXTERNAL MODULE: external "https" var external_https_ = __nccwpck_require__(5692); -;// CONCATENATED MODULE: ./node_modules/@actions/core/node_modules/@actions/http-client/lib/proxy.js +;// CONCATENATED MODULE: ./node_modules/@actions/http-client/lib/proxy.js function getProxyUrl(reqUrl) { const usingSsl = reqUrl.protocol === 'https:'; if (checkBypass(reqUrl)) { @@ -48879,7 +49452,7 @@ class DecodedURL extends URL { var node_modules_tunnel = __nccwpck_require__(770); // EXTERNAL MODULE: ./node_modules/undici/index.js var undici = __nccwpck_require__(6752); -;// CONCATENATED MODULE: ./node_modules/@actions/core/node_modules/@actions/http-client/lib/index.js +;// CONCATENATED MODULE: ./node_modules/@actions/http-client/lib/index.js /* eslint-disable @typescript-eslint/no-explicit-any */ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } @@ -49576,7 +50149,7 @@ class lib_HttpClient { } const lowercaseKeys = (obj) => Object.keys(obj).reduce((c, k) => ((c[k.toLowerCase()] = obj[k]), c), {}); //# sourceMappingURL=index.js.map -;// CONCATENATED MODULE: ./node_modules/@actions/core/node_modules/@actions/http-client/lib/auth.js +;// CONCATENATED MODULE: ./node_modules/@actions/http-client/lib/auth.js var auth_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { @@ -51607,8 +52180,8 @@ class Context { } } //# sourceMappingURL=context.js.map -// EXTERNAL MODULE: ./node_modules/@actions/http-client/lib/index.js -var lib = __nccwpck_require__(4844); +// EXTERNAL MODULE: ./node_modules/@actions/github/node_modules/@actions/http-client/lib/index.js +var lib = __nccwpck_require__(9659); ;// CONCATENATED MODULE: ./node_modules/@actions/github/lib/internal/utils.js var utils_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } @@ -52181,14 +52754,26 @@ const bigIntsStringify = /([\[:])?"(-?\d+)n"($|([\\n]|\s)*(\s|[\\n])*[,\}\]])/g; const noiseStringify = /([\[:])?("-?\d+n+)n("$|"([\\n]|\s)*(\s|[\\n])*[,\}\]])/g; -/** @typedef {(key: string, value: any, context?: { source: string }) => any} Reviver */ +/** + * @typedef {(this: any, key: string | number | undefined, value: any) => any} Replacer + * @typedef {(key: string | number | undefined, value: any, context?: { source: string }) => any} Reviver + */ /** - * Function to serialize value to a JSON string. - * Converts BigInt values to a custom format (strings with digits and "n" at the end) and then converts them to proper big integers in a JSON string. - * @param {*} value - The value to convert to a JSON string. - * @param {(Function|Array|null)} [replacer] - A function that alters the behavior of the stringification process, or an array of strings to indicate properties to exclude. - * @param {(string|number)} [space] - A string or number to specify indentation or pretty-printing. + * Converts a JavaScript value to a JSON string. + * + * Supports serialization of BigInt values using two strategies: + * 1. Custom format "123n" → "123" (universal fallback) + * 2. Native JSON.rawJSON() (Node.js 22+, fastest) when available + * + * All other values are serialized exactly like native JSON.stringify(). + * + * @param {*} value The value to convert to a JSON string. + * @param {Replacer | Array | null} [replacer] + * A function that alters the behavior of the stringification process, + * or an array of strings/numbers to indicate properties to exclude. + * @param {string | number} [space] + * A string or number to specify indentation or pretty-printing. * @returns {string} The JSON string representation. */ const JSONStringify = (value, replacer, space) => { @@ -52213,8 +52798,7 @@ const JSONStringify = (value, replacer, space) => { const convertedToCustomJSON = originalStringify( value, (key, value) => { - const isNoise = - typeof value === "string" && Boolean(value.match(noiseValue)); + const isNoise = typeof value === "string" && noiseValue.test(value); if (isNoise) return value.toString() + "n"; // Mark noise values with additional "n" to offset the deletion of one "n" during the processing @@ -52237,33 +52821,71 @@ const JSONStringify = (value, replacer, space) => { return denoisedJSON; }; -/** - * Support for JSON.parse's context.source feature detection. - * @type {boolean} - */ -const isContextSourceSupported = () => - JSON.parse("1", (_, __, context) => !!context && context.source === "1"); +const featureCache = new Map(); /** - * Convert marked big numbers to BigInt - * @type {Reviver} + * Detects if the current JSON.parse implementation supports the context.source feature. + * + * Uses toString() fingerprinting to cache results and automatically detect runtime + * replacements of JSON.parse (polyfills, mocks, etc.). + * + * @returns {boolean} true if context.source is supported, false otherwise. + */ +const isContextSourceSupported = () => { + const parseFingerprint = JSON.parse.toString(); + + if (featureCache.has(parseFingerprint)) { + return featureCache.get(parseFingerprint); + } + + try { + const result = JSON.parse( + "1", + (_, __, context) => !!context?.source && context.source === "1", + ); + featureCache.set(parseFingerprint, result); + + return result; + } catch { + featureCache.set(parseFingerprint, false); + + return false; + } +}; + +/** + * Reviver function that converts custom-format BigInt strings back to BigInt values. + * Also handles "noise" strings that accidentally match the BigInt format. + * + * @param {string | number | undefined} key The object key. + * @param {*} value The value being parsed. + * @param {object} [context] Parse context (if supported by JSON.parse). + * @param {Reviver} [userReviver] User's custom reviver function. + * @returns {any} The transformed value. */ const convertMarkedBigIntsReviver = (key, value, context, userReviver) => { const isCustomFormatBigInt = - typeof value === "string" && value.match(customFormat); + typeof value === "string" && customFormat.test(value); if (isCustomFormatBigInt) return BigInt(value.slice(0, -1)); - const isNoiseValue = typeof value === "string" && value.match(noiseValue); + const isNoiseValue = typeof value === "string" && noiseValue.test(value); if (isNoiseValue) return value.slice(0, -1); if (typeof userReviver !== "function") return value; + return userReviver(key, value, context); }; /** - * Faster (2x) and simpler function to parse JSON. - * Based on JSON.parse's context.source feature, which is not universally available now. - * Does not support the legacy custom format, used in the first version of this library. + * Fast JSON.parse implementation (~2x faster than classic fallback). + * Uses JSON.parse's context.source feature to detect integers and convert + * large numbers directly to BigInt without string manipulation. + * + * Does not support legacy custom format from v1 of this library. + * + * @param {string} text JSON string to parse. + * @param {Reviver} [reviver] Transform function to apply to each value. + * @returns {any} Parsed JavaScript value. */ const JSONParseV2 = (text, reviver) => { return JSON.parse(text, (key, value, context) => { @@ -52288,9 +52910,21 @@ const stringsOrLargeNumbers = const noiseValueWithQuotes = /^"-?\d+n+"$/; // Noise - strings that match the custom format before being converted to it /** - * Function to parse JSON. - * If JSON has number values greater than Number.MAX_SAFE_INTEGER, we convert those values to a custom format, then parse them to BigInt values. - * Other types of values are not affected and parsed as native JSON.parse() would parse them. + * Converts a JSON string into a JavaScript value. + * + * Supports parsing of large integers using two strategies: + * 1. Classic fallback: Marks large numbers with "123n" format, then converts to BigInt + * 2. Fast path (JSONParseV2): Uses context.source feature (~2x faster) when available + * + * All other JSON values are parsed exactly like native JSON.parse(). + * + * @param {string} text A valid JSON string. + * @param {Reviver} [reviver] + * A function that transforms the results. This function is called for each member + * of the object. If a member contains nested objects, the nested objects are + * transformed before the parent object is. + * @returns {any} The parsed JavaScript value. + * @throws {SyntaxError} If text is not valid JSON. */ const JSONParse = (text, reviver) => { if (!text) return originalParse(text, reviver); @@ -52302,7 +52936,7 @@ const JSONParse = (text, reviver) => { stringsOrLargeNumbers, (text, digits, fractional, exponential) => { const isString = text[0] === '"'; - const isNoise = isString && Boolean(text.match(noiseValueWithQuotes)); + const isNoise = isString && noiseValueWithQuotes.test(text); if (isNoise) return text.substring(0, text.length - 1) + 'n"'; // Mark noise values with additional "n" to offset the deletion of one "n" during the processing diff --git a/dist/licenses.txt b/dist/licenses.txt index 914a082..b367d47 100644 --- a/dist/licenses.txt +++ b/dist/licenses.txt @@ -889,7 +889,7 @@ reusify MIT The MIT License (MIT) -Copyright (c) 2015 Matteo Collina +Copyright (c) 2015-2024 Matteo Collina Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal