Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency smol-toml to v1.3.1 [security] #11733

Merged
merged 1 commit into from
Nov 25, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 22, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
smol-toml 1.3.0 -> 1.3.1 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-pqhp-25j4-6hq9

Summary

An attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inline structure. A similar problem occurs when attempting to stringify deeply nested objects.

The library does not limit the maximum exploration depth while parsing or producing TOML documents, nor does it offer a way to do so.

Proof of concept

require("smol-toml").parse("e=" + "{e=".repeat(9999) + "{}" + "}".repeat(9999))

Impact

Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input and therefore to properly handle errors.

Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.

As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.

Patches

Version 1.3.1 offers a mechanism to limit the exploration depth before halting with a TomlError when parsing, with a default cap of 1000. A same mechanism has been implemented for stringifying objects.

Please note that the parser will still throw an error upon such cases. It is, however, a now-controlled and documented behavior of the library.

Workarounds

Wrap all invocations of parse and stringify in a try/catch block.


Release Notes

squirrelchat/smol-toml (smol-toml)

v1.3.1

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) November 22, 2024 20:45
@Josh-Walker-GM Josh-Walker-GM added this to the next-release milestone Nov 25, 2024
@Josh-Walker-GM Josh-Walker-GM added changesets-ok Override the changesets check release:dependency This PR only updates dependencies labels Nov 25, 2024
@renovate renovate bot merged commit 9ec5f8c into main Nov 25, 2024
54 of 59 checks passed
@renovate renovate bot deleted the renovate/npm-smol-toml-vulnerability branch November 25, 2024 12:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
changesets-ok Override the changesets check release:dependency This PR only updates dependencies
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant