wollardj / simple-plist
A simple API for interacting with binary and plain text plist data.
License: MIT License
xmldom has a vulnerability: https://www.npmjs.com/advisories/1769
To upgrade to version 0.7.x, we need to switch to @xmldom/xmldom because the publishers lost control of xmldom on NPM.
When using simple-plist from NPM (via npm install simple-plist) with TypeScript, I get the following error when trying to compile my project:
node_modules/simple-plist/dist/index.d.ts:13:19 - error TS2709: Cannot use namespace 'bplistParser' as a type.
13 bplistParser: bplistParser;
~~~~~~~~~~~~
Found 1 error in node_modules/simple-plist/dist/index.d.ts:13
The current version of simple-plist on NPM at the time of this writing (and the one I'm using) is 1.3.1, and I'm using the latest TypeScript 4.7.4. It seems that when I clone this project and run npm run build, an index.d.ts is generated that's different from the one I get in node_modules, and this one doesn't appear to have this issue, though it may be missing some declarations as well.
EDIT: I saw at the bottom of the discussion of #58 that there's another version on NPM with the tag next that appears to resolve this issue. I'll leave this open until it's the default latest on NPM though.
Use-case: I want to read a (usually binary) plist directly from a zip file without extracting a tempfile.
The logic I want is already in readFileSync(), so it shouldn't be too hard to update parse() with that and delegate to it from readFileSync().
Thanks for making the modernized 1.0.0 release. I spotted the following issues with this project on GitHub:
develop, which does not have any commits since 2016.
I would also recommend increasing the version number and adding "-dev" to the end after publishing each release. This way whenever someone raises a PR it would not look like it is a released version.
I cannot seem to parse a UTF-8 encoded string (from a buffer) using plist.readFileSync. Is this currently possible?
To reproduce:
npm create vite@latest
npm install
npm run dev
main.ts:
import plist from 'simple-plist';
console.log(plist)
Version 1.3.1
Uncaught Error: Dynamic require of "bplist-creator" is not supported
at simple-plist.js?v=110fc26f:7:9
at index.js:15:44
at index.js:6:17
at node_modules/simple-plist/dist/index.js (index.js:12:1)
at __require2 (simple-plist.js?v=110fc26f:10:50)
at index.js:41:2
Version 1.4.0
Uncaught TypeError: util.inherits is not a function
at node_modules/stream-buffers/lib/readable_streambuffer.js (readable_streambuffer.js:136:6)
at __require (simple-plist.js?v=5edd6120:3:50)
at node_modules/stream-buffers/lib/streambuffer.js (streambuffer.js:2:39)
at __require (simple-plist.js?v=5edd6120:3:50)
at node_modules/bplist-creator/bplistCreator.js (bplistCreator.js:5:21)
at __require (simple-plist.js?v=5edd6120:3:50)
at node_modules/simple-plist/dist/index.js (index.js:7:24)
at __require (simple-plist.js?v=5edd6120:3:50)
at index.js:26:129
If you have a plist file with an empty <string></string> value like this:
<plist version="1.0">
<dict>
<key>DTPlatformBuild</key>
<string></string>
<key>DTPlatformName</key>
<string>iphonesimulator</string>
<key>DTPlatformVersion</key>
<string>10.0</string>
</dict>
</plist>
The parser will ignore it and interpret the next key as the value, giving an output like this:
{
"DTPlatformBuild":"DTPlatformName",
"iphonesimulator":"DTPlatformVersion",
"10.0": ...
}
Fix the following vulnerability: prototype pollution vulnerability via .parse()
Vulnerability
Latest version on npmjs.com is version 1.3.1
Should be version 1.4.0
Trying to write a simple JSON with a null value fails in the underlying bplist-creator package.
{
"key": null
}
Yes, a null value is as good as nothing, but there's nothing wrong with having it in a JSON overall.
While for our use case we can sanitize the JSON by removing nulls before creating the plist, overall I think the library should be able to write and read null values for properties.
TypeError: Cannot read property 'bplistOverride' of null
at toEntries (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:320:13)
at /path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:419:22
at Array.forEach ()
at toEntriesObject (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:418:21)
at toEntries (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:356:14)
at /path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:419:22
at Array.forEach ()
at toEntriesObject (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:418:21)
at toEntries (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:356:14)
at module.exports (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:26:17)
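The workaround the reporter mentions, removing nulls before handing the object to the writer, is shown here as an added example. This is not simple-plist's or bplist-creator's code; it is a stand-alone helper that walks nested dictionaries and arrays, drops null and undefined values, and leaves plist leaf types such as Buffer and Date untouched. The sample input is constructed for the example.

```javascript
'use strict';

// Added example (not simple-plist's or bplist-creator's code): recursively drop
// null/undefined values before passing an object to a plist writer that cannot
// represent them. Buffers and Dates are plist leaf types, so they are returned
// as-is instead of being walked like ordinary objects.
function stripNulls(value) {
  if (value === null || value === undefined) return undefined;
  if (Array.isArray(value)) {
    // Remove null elements rather than leaving holes in the array.
    return value.map(stripNulls).filter((v) => v !== undefined);
  }
  if (Buffer.isBuffer(value) || value instanceof Date) return value;
  if (typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      const cleaned = stripNulls(v);
      if (cleaned !== undefined) out[k] = cleaned; // key is dropped entirely
    }
    return out;
  }
  return value; // string, number, boolean pass through
}

// Constructed sample input, mirroring the report above with nesting added.
const SAMPLE = {
  key: null,
  nested: { a: 1, b: null, list: [1, null, { c: null }] },
  d: new Date(0),
};

module.exports = { stripNulls, SAMPLE };
```

Calling stripNulls(SAMPLE) yields an object with no "key" property, a nested.list of two elements (the second an empty dictionary), and the Date preserved; that cleaned object can then be handed to writeBinaryFileSync or writeFileSync.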
Hi, there's a prototype pollution vulnerability in .parse() related to the XML that is being parsed in it. In the following example the prototype pollution will affect the length parameter.
var plist = require('simple-plist');
var xml = `
<plist version="1.0">
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>com.company.app</string>
</dict>
</plist>`;
console.log(plist.parse(xml));
/**
* * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * END OF THE NORMAL CODE EXAMPLE! * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * *
**/
/**
* * * * * * * * * * * *
* PROTOTYPE POLLUTION *
* * * * * * * * * * * *
**/
var xmlPollution = `
<plist version="1.0">
<dict>
<key>__proto__</key>
<dict>
<key>length</key>
<string>polluted</string>
</dict>
</dict>
</plist>`;
console.log(plist.parse(xmlPollution).length); // polluted
More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
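The two parser reports above (the skipped empty <string></string> and the __proto__ key that pollutes Object.prototype) share a root cause: the dictionary builder trusts the key/value pairing and the key text without checks. The following added example is a minimal XML plist reader written for this page; it is not simple-plist's implementation and handles only the core plist element types. It treats an element whose next token is its own closing tag as the empty string, so keys never shift, and it rejects __proto__, constructor and prototype as dictionary keys, using Object.defineProperty as a second layer so a key can never reach the prototype chain. The two sample documents are constructed from the issues above.

```javascript
'use strict';

// Added example, not simple-plist's code: a minimal XML plist reader that
// (1) returns "" for an empty <string></string> instead of skipping it, and
// (2) refuses dictionary keys that would walk the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&amp;': '&', '&quot;': '"', '&apos;': "'" };

function unescapeXml(s) {
  return s.replace(/&(?:lt|gt|amp|quot|apos);/g, (m) => ENTITIES[m]);
}

// Tokenise into open / close / empty-element / text tokens. Whitespace-only text
// between tags is dropped, so <string></string> yields open+close with no text.
function tokenize(xml) {
  const body = xml.replace(/<\?xml[^>]*\?>/g, '').replace(/<!DOCTYPE[^>]*>/g, '');
  const re = /<\/([A-Za-z]+)\s*>|<([A-Za-z]+)[^>]*?\/>|<([A-Za-z]+)[^>]*>|([^<]+)/g;
  const tokens = [];
  for (let m; (m = re.exec(body)) !== null;) {
    if (m[1] !== undefined) tokens.push({ type: 'close', name: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: 'empty', name: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: 'open', name: m[3] });
    else if (m[4].trim() !== '') tokens.push({ type: 'text', value: m[4] });
  }
  return tokens;
}

class PlistReader {
  constructor(tokens) { this.tokens = tokens; this.pos = 0; }
  peek() { return this.tokens[this.pos]; }
  take() { return this.tokens[this.pos++]; }
  atClose(name) { const t = this.peek(); return !!t && t.type === 'close' && t.name === name; }
  close(name) {
    if (!this.atClose(name)) throw new Error(`expected </${name}>`);
    this.pos++;
  }
  // Text of a leaf element. If the next token is already the closing tag the
  // element is empty and its value is "" (the empty <string> case above).
  leafText(name) {
    const t = this.peek();
    const text = t && t.type === 'text' ? unescapeXml(this.take().value) : '';
    this.close(name);
    return text;
  }
  value() {
    const t = this.take();
    if (!t) throw new Error('unexpected end of document');
    if (t.type === 'empty') {
      switch (t.name) {
        case 'true': return true;
        case 'false': return false;
        case 'string': return '';
        case 'dict': return {};
        case 'array': return [];
        default: throw new Error(`unexpected <${t.name}/>`);
      }
    }
    if (t.type !== 'open') throw new Error(`unexpected ${t.type} token`);
    switch (t.name) {
      case 'string': return this.leafText('string');
      case 'integer': return parseInt(this.leafText('integer'), 10);
      case 'real': return parseFloat(this.leafText('real'));
      case 'date': return new Date(this.leafText('date'));
      case 'data': return Buffer.from(this.leafText('data').replace(/\s+/g, ''), 'base64');
      case 'array': {
        const out = [];
        while (!this.atClose('array')) out.push(this.value());
        this.close('array');
        return out;
      }
      case 'dict': return this.dict();
      default: throw new Error(`unsupported element <${t.name}>`);
    }
  }
  dict() {
    const out = {};
    while (!this.atClose('dict')) {
      const k = this.take();
      if (!k || k.type !== 'open' || k.name !== 'key') throw new Error('expected <key> inside <dict>');
      const key = this.leafText('key');
      // Reject keys that reach Object.prototype. defineProperty is the second
      // layer: it always creates an own property and never runs the __proto__ setter.
      if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing unsafe key "${key}"`);
      Object.defineProperty(out, key, { value: this.value(), enumerable: true, writable: true, configurable: true });
    }
    this.close('dict');
    return out;
  }
}

function parsePlist(xml) {
  const r = new PlistReader(tokenize(xml));
  const root = r.take();
  if (!root || root.type !== 'open' || root.name !== 'plist') throw new Error('missing <plist> root element');
  const result = r.value();
  r.close('plist');
  if (r.peek()) throw new Error('trailing content after </plist>');
  return result;
}

// Constructed inputs based on the two issues above.
const EMPTY_STRING_PLIST = `<plist version="1.0"><dict>
<key>DTPlatformBuild</key><string></string>
<key>DTPlatformName</key><string>iphonesimulator</string>
<key>DTPlatformVersion</key><string>10.0</string>
</dict></plist>`;
const POLLUTION_PLIST = `<plist version="1.0"><dict><key>__proto__</key><dict>
<key>length</key><string>polluted</string></dict></dict></plist>`;

module.exports = { parsePlist, tokenize, EMPTY_STRING_PLIST, POLLUTION_PLIST };
```

parsePlist(EMPTY_STRING_PLIST) returns the three keys with DTPlatformBuild set to "", and parsePlist(POLLUTION_PLIST) throws instead of returning an object whose prototype now carries length. Rejecting the key outright (rather than silently dropping it) is the safer default for untrusted input such as an app bundle's Info.plist, because a skipped key would hide the fact that the document was hostile.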
While not stated explicitly, it can be derived from mentions like the one in the 1.1.0 release notes that the lowest supported node version is assumed to be v10.
However, this project uses v16 for its @types/node dependencies, and uses types which aren't present in node v10.
Specifically the type PathOrFileDescriptor is not present in older versions of @types/node. Instead node uses PathLike | number.
As of now, it results in the following typescript compiler errors when trying to compile with a project which is expected to support node v10:
node_modules/simple-plist/dist/parse.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.
2 import { PathOrFileDescriptor } from "fs";
~~~~~~~~~~~~~~~~~~~~
node_modules/simple-plist/dist/readFile.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.
2 import { PathOrFileDescriptor } from "fs";
~~~~~~~~~~~~~~~~~~~~
node_modules/simple-plist/dist/readFileSync.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.
2 import { PathOrFileDescriptor } from "fs";
~~~~~~~~~~~~~~~~~~~~
node_modules/simple-plist/dist/writeBinaryFile.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.
2 import { PathOrFileDescriptor, WriteFileOptions } from "fs";
~~~~~~~~~~~~~~~~~~~~
node_modules/simple-plist/dist/writeBinaryFileSync.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.
2 import { PathOrFileDescriptor, WriteFileOptions } from "fs";
~~~~~~~~~~~~~~~~~~~~
node_modules/simple-plist/dist/writeFile.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.
2 import { PathOrFileDescriptor, WriteFileOptions } from "fs";
~~~~~~~~~~~~~~~~~~~~
node_modules/simple-plist/dist/writeFileSync.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.
2 import { PathOrFileDescriptor, WriteFileOptions } from "fs";
~~~~~~~~~~~~~~~~~~~~
Found 7 errors.
would really help with contributions