wollardj / simple-plist Goto Github PK

xmldom has a vulnerability: https://www.npmjs.com/advisories/1769

To upgrade to version 0.7.x, need to switch to @xmldom/xmldom because the publishers lost control of xmldom on NPM.

https://www.npmjs.com/package/@xmldom/xmldom

When using simple-plist from NPM (via npm install simple-plist) with TypeScript, I get the following error when trying to compile my project:

node_modules/simple-plist/dist/index.d.ts:13:19 - error TS2709: Cannot use namespace 'bplistParser' as a type.

13     bplistParser: bplistParser;
                     ~~~~~~~~~~~~


Found 1 error in node_modules/simple-plist/dist/index.d.ts:13

The current version of simple-plist on NPM at the time of this writing (and the one I'm using) is 1.3.1, and I'm using the latest TypeScript 4.7.4. It seems that when I clone this project and run npm run build, an index.d.ts is generated that's different from the one I get in node_modules, and this one doesn't appear to have this issue, though it may be missing some declarations as well

EDIT: I saw at the bottom of the discussion of #58 that there's another version on NPM with the tag next that appears to resolve this issue. I'll leave this open until it's the default latest on NPM tho

Use-case: I want to read a (usually binary) plist directly from a zip file without extracting a tempfile.

The logic I want is already in readFileSync(), so it shouldn't be too hard to update parse() with that and delegate to it from readFileSync().

Thanks for making the modernized 1.0.0 release. I spotted the following issues with this project on GitHub:

• Travis CI does not seem to be enabled for PRs (did not seem to be run when I raised PR #20)
• Travis CI does not seem to be run on recent commits in https://github.com/wollardj/node-simple-plist/commits/master
• The default branch of this project seems to be develop, which does not have any commits since 2016.

I would also recommend increasing the version number and adding "-dev" to the end after publishing each release. This way whenever someone raises a PR it would not look like it is a released version.

I cannot seem to parse utf8 encoded string (from buffer) using plist.readFileSync. Is this currently possible?

To reproduce:

1. npm create vite@latest
2. Choose Vanilla
3. Choose TypeScript
4. Run npm install and npm run dev
5. Add the following code to main.ts:

import plist from 'simple-plist';
console.log(plist)

Version 1.3.1

Uncaught Error: Dynamic require of "bplist-creator" is not supported
    at simple-plist.js?v=110fc26f:7:9
    at index.js:15:44
    at index.js:6:17
    at node_modules/simple-plist/dist/index.js (index.js:12:1)
    at __require2 (simple-plist.js?v=110fc26f:10:50)
    at index.js:41:2

Version 1.4.0

Uncaught TypeError: util.inherits is not a function
    at node_modules/stream-buffers/lib/readable_streambuffer.js (readable_streambuffer.js:136:6)
    at __require (simple-plist.js?v=5edd6120:3:50)
    at node_modules/stream-buffers/lib/streambuffer.js (streambuffer.js:2:39)
    at __require (simple-plist.js?v=5edd6120:3:50)
    at node_modules/bplist-creator/bplistCreator.js (bplistCreator.js:5:21)
    at __require (simple-plist.js?v=5edd6120:3:50)
    at node_modules/simple-plist/dist/index.js (index.js:7:24)
    at __require (simple-plist.js?v=5edd6120:3:50)
    at index.js:26:129

If you have a plist file with an empty <string></string> value like this:

<plist version="1.0">
    <dict>
        <key>DTPlatformBuild</key>
        <string></string>
        <key>DTPlatformName</key>
        <string>iphonesimulator</string>
        <key>DTPlatformVersion</key>
        <string>10.0</string>
    </dict>
</plist>

The parser will ignore it and interpret the next key as the value, giving an output like this:

{
    "DTPlatformBuild":"DTPlatformName",
    "iphonesimulator":"DTPlatformVersion",
    "10.0": ...
}

• This only affects reading plain-text XML plist files.
• When reading binary encoded plist files the problem does not appear.
• Writing both text and binary plist files appears to be fine.

Fix the following vulnérability: prototype pollution vulnerability via .parse()
Vulnérability

Latest version on npmjs.com is version 1.3.1

Should be version 1.4.0

Trying to write a simple JSON with a null value fails in underlying bplist-creator package.

{
  "key": null
}

Yes, null value is as good as nothing, but there's nothing wrong with having it in a JSON overall.
While for our use case, we can sanitize the JSON by removing nulls before creating plist, overall I think the library should be able to write and read null values for properties.

TypeError: Cannot read property 'bplistOverride' of null
at toEntries (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:320:13)
at /path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:419:22
at Array.forEach ()
at toEntriesObject (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:418:21)
at toEntries (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:356:14)
at /path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:419:22
at Array.forEach ()
at toEntriesObject (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:418:21)
at toEntries (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:356:14)
at module.exports (/path/packages/build/node_modules/simple-plist/node_modules/bplist-creator/bplistCreator.js:26:17)

Hi, There's a prototype pollution vulnerability in .parse() related to the xml that are being parsed in it. In the following example the prototype pollution will affect the length parameter.

var plist = require('simple-plist');

var xml = `
<plist version="1.0">
    <key>metadata</key>
    <dict>
      <key>bundle-identifier</key>
      <string>com.company.app</string>
    </dict>
  </plist>`;

console.log(plist.parse(xml));
/**
 * * * * * * * * * * * * * * * * * * * * * * * * * *
 * * * * END OF THE NORMAL CODE EXAMPLE! * * * * * * 
 * * * * * * * * * * * * * * * * * * * * * * * * * * 
 **/


/**
 * * * * * * * * * * * *
 * PROTOTYPE POLLUTION *
 * * * * * * * * * * * *
 **/
var xmlPollution = `
<plist version="1.0">
  <dict>
    <key>__proto__</key>
    <dict>
      <key>length</key>
      <string>polluted</string>
    </dict>
  </dict>
</plist>`;
console.log(plist.parse(xmlPollution).length); // polluted

More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

While not stated explicitly, but derived from mentions like in the 1.1.0 release notes, the lowest supported node version is assumed to be v10.
However, this project uses v16 for its @types/node dependencies, and uses types which aren't present in node v10.
Specifically the type PathOrFileDescriptor is not present in older versions of @types/node. Instead node uses PathLike | number.

As of now, it results in the following typescript compiler errors when trying to compile with a project which is expected to support node v10:

node_modules/simple-plist/dist/parse.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.

2 import { PathOrFileDescriptor } from "fs";
           ~~~~~~~~~~~~~~~~~~~~

node_modules/simple-plist/dist/readFile.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.

2 import { PathOrFileDescriptor } from "fs";
           ~~~~~~~~~~~~~~~~~~~~

node_modules/simple-plist/dist/readFileSync.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.

2 import { PathOrFileDescriptor } from "fs";
           ~~~~~~~~~~~~~~~~~~~~

node_modules/simple-plist/dist/writeBinaryFile.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.

2 import { PathOrFileDescriptor, WriteFileOptions } from "fs";
           ~~~~~~~~~~~~~~~~~~~~

node_modules/simple-plist/dist/writeBinaryFileSync.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.

2 import { PathOrFileDescriptor, WriteFileOptions } from "fs";
           ~~~~~~~~~~~~~~~~~~~~

node_modules/simple-plist/dist/writeFile.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.

2 import { PathOrFileDescriptor, WriteFileOptions } from "fs";
           ~~~~~~~~~~~~~~~~~~~~

node_modules/simple-plist/dist/writeFileSync.d.ts:2:10 - error TS2305: Module '"fs"' has no exported member 'PathOrFileDescriptor'.

2 import { PathOrFileDescriptor, WriteFileOptions } from "fs";
           ~~~~~~~~~~~~~~~~~~~~


Found 7 errors.

see App crashes due to main interface NSMainNibFile~ipad

would really help with contributions

Environment:

Node 14.18.0
electron 20.1.1
simple-plist 1.3.1
webpack 5.74.0
windows 10 专业版

Developing in Windows 10 Visual studio code
Run pnpm make to build my windows application
show simple-plist error
Error

Uncaught Exception
Error: Cannot find module 'simple-plist'

Hello, I'm reporting an issue that I found... If the plist has two entries with the same key they are replaced, and only one is used.

For example this plist, has two CFBundleURLTypes and they seem to be valid at least I can build the app with this plist...

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CFBundleDevelopmentRegion</key>
	<string>en</string>
	<key>CFBundleDisplayName</key>
    <string>App</string>
	<key>CFBundleExecutable</key>
	<string>$(EXECUTABLE_NAME)</string>
	<key>CFBundleIdentifier</key>
	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>$(PRODUCT_NAME)</string>
	<key>CFBundlePackageType</key>
	<string>APPL</string>
	<key>CFBundleShortVersionString</key>
	<string>1.0</string>
	**<key>CFBundleURLTypes</key>
	<array>
		<dict>
			<key>CFBundleURLName</key>
			<string>com.app.demo</string>
			<key>CFBundleURLSchemes</key>
			<array>
				<string>demo</string>
			</array>
		</dict>
	</array>**
	<key>CFBundleVersion</key>
	<string>1</string>
	<key>LSRequiresIPhoneOS</key>
	<true/>
	<key>NSAppTransportSecurity</key>
	<dict>
		<key>NSAllowsArbitraryLoads</key>
		<true/>
	</dict>
	<key>UILaunchStoryboardName</key>
	<string>LaunchScreen</string>
	<key>UIMainStoryboardFile</key>
	<string>Main</string>
	<key>UIRequiredDeviceCapabilities</key>
	<array>
		<string>armv7</string>
	</array>
	<key>UISupportedInterfaceOrientations</key>
	<array>
		<string>UIInterfaceOrientationPortrait</string>
	</array>
	<key>UISupportedInterfaceOrientations~ipad</key>
	<array>
		<string>UIInterfaceOrientationPortrait</string>
		<string>UIInterfaceOrientationPortraitUpsideDown</string>
	</array>
	<key>UIViewControllerBasedStatusBarAppearance</key>
	<true/>
	**<key>CFBundleURLTypes</key>
    <array>
      <dict>
        <key>CFBundleURLSchemes</key>
        <array>
          <string>fb[APP_ID]</string>
        </array>
      </dict>
    </array>**
    <key>FacebookAppID</key>
    <string>[APP_ID]</string>
    <key>FacebookDisplayName</key>
    <string>App</string>
    <key>LSApplicationQueriesSchemes</key>
    <array>
      <string>fbapi</string>
      <string>fbauth2</string>
    </array>
	<key>FacebookAutoLogAppEventsEnabled</key>
	<true/>
	<key>FacebookAdvertiserIDCollectionEnabled</key>
	<false/>
</dict>
</plist>

When parsing the plist I get the following json output, where threre is only tha last CFBundleURLTypes:

 {
                "CFBundleDevelopmentRegion": "en",
                "CFBundleDisplayName": "App",
                "CFBundleExecutable": "$(EXECUTABLE_NAME)",
                "CFBundleIdentifier": "$(PRODUCT_BUNDLE_IDENTIFIER)",
                "CFBundleInfoDictionaryVersion": "6.0",
                "CFBundleName": "$(PRODUCT_NAME)",
                "CFBundlePackageType": "APPL",
                "CFBundleShortVersionString": "1.0",
                "CFBundleURLTypes": [
                    {
                        "CFBundleURLSchemes": [
                            "fb[APP_ID]"
                        ]
                    }
                ],
                "CFBundleVersion": "1",
                "LSRequiresIPhoneOS": true,
                "NSAppTransportSecurity": {
                    "NSAllowsArbitraryLoads": true
                },
                "UILaunchStoryboardName": "LaunchScreen",
                "UIMainStoryboardFile": "Main",
                "UIRequiredDeviceCapabilities": [
                    "armv7"
                ],
                "UISupportedInterfaceOrientations": [
                    "UIInterfaceOrientationPortrait"
                ],
                "UISupportedInterfaceOrientations~ipad": [
                    "UIInterfaceOrientationPortrait",
                    "UIInterfaceOrientationPortraitUpsideDown"
                ],
                "UIViewControllerBasedStatusBarAppearance": true,
                "FacebookAppID": "[APP_ID]",
                "FacebookDisplayName": "App",
                "LSApplicationQueriesSchemes": [
                    "fbapi",
                    "fbauth2"
                ],
                "FacebookAutoLogAppEventsEnabled": true,
                "FacebookAdvertiserIDCollectionEnabled": false
}

Environment:

• Node 16.9.1
• electron 16.0.0
• electron-builder 22.14.5
• simple-plist 1.3.0
• webpack 5.64.1
• windows 11

Scenario

• Developing in Windows 11 + Visual studio code
• Run npm start to launch my application
• show bplist-creator error

Error

• Uncaught Exception
• Error: Cannot find module 'bplist-creator'
  

I'm trying to update /Users/username/Library/Preferences/com.apple.ncprefs.plist but the change only sticks for 5-10 seconds before being reverted to the original value.

Can this caused by node-simple-plist, or is it something else? I'm running it on Big Sur

const plist = require('simple-plist')
const PATH = '/Users/username/Library/Preferences/com.apple.ncprefs.plist'

const data = plist.readFileSync(PATH)
data.apps[2].flags = newFlagsValue // I verified that the new value is valid
plist.writeBinaryFileSync(PATH, data)

Package works well but I would like to use it in an async context.
That is, rather than the underlying read doing fs.readFileSync(aFile) it would be great to have a readFile method that uses fs.readFile with either an event emitter or a callback. Same goes for writing.
Thanks!

Hi, any chance that TypeScript type declarations could be added to this repo?

That would be great! Thanks!

Running the following script results in type errors when using Deno:

echo 'import plist from "https://cdn.skypack.dev/[email protected]?dts"' | deno run -

#65 can potentially fix some of them.

Download https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/index.d.ts
Download https://cdn.skypack.dev/error/fs?from=simple-plist
error: TS2580 [ERROR]: Cannot find name 'Buffer'. Do you need to install type definitions for node? Try `npm i --save-dev @types/node`.
export function parseFile<T = any>(fileNameOrBuffer: string|Buffer, callback?: CallbackFunction<T>): Promise<[T]>
                                                            ~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/bplistParser.d.ts:3:63

TS2580 [ERROR]: Cannot find name 'Buffer'. Do you need to install type definitions for node? Try `npm i --save-dev @types/node`.
export declare type StringOrBuffer = string | Buffer;
                                            ~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/types.d.ts:3:47

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'PathOrFileDescriptor'.
import { PathOrFileDescriptor } from "/error/fs?from=simple-plist";
       ~~~~~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/parse.d.ts:2:10

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'PathOrFileDescriptor'.
import { PathOrFileDescriptor } from "/error/fs?from=simple-plist";
       ~~~~~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/readFile.d.ts:2:10

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'PathOrFileDescriptor'.
import { PathOrFileDescriptor } from "/error/fs?from=simple-plist";
       ~~~~~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/readFileSync.d.ts:2:10

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'PathOrFileDescriptor'.
import { PathOrFileDescriptor, WriteFileOptions } from "/error/fs?from=simple-plist";
       ~~~~~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/writeBinaryFile.d.ts:2:10

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'WriteFileOptions'.
import { PathOrFileDescriptor, WriteFileOptions } from "/error/fs?from=simple-plist";
                             ~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/writeBinaryFile.d.ts:2:32

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'PathOrFileDescriptor'.
import { PathOrFileDescriptor, WriteFileOptions } from "/error/fs?from=simple-plist";
       ~~~~~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/writeBinaryFileSync.d.ts:2:10

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'WriteFileOptions'.
import { PathOrFileDescriptor, WriteFileOptions } from "/error/fs?from=simple-plist";
                             ~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/writeBinaryFileSync.d.ts:2:32

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'PathOrFileDescriptor'.
import { PathOrFileDescriptor, WriteFileOptions } from "/error/fs?from=simple-plist";
       ~~~~~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/writeFile.d.ts:2:10

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'WriteFileOptions'.
import { PathOrFileDescriptor, WriteFileOptions } from "/error/fs?from=simple-plist";
                             ~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/writeFile.d.ts:2:32

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'PathOrFileDescriptor'.
import { PathOrFileDescriptor, WriteFileOptions } from "/error/fs?from=simple-plist";
       ~~~~~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/writeFileSync.d.ts:2:10

TS2305 [ERROR]: Module '"deno:///missing_dependency.d.ts"' has no exported member 'WriteFileOptions'.
import { PathOrFileDescriptor, WriteFileOptions } from "/error/fs?from=simple-plist";
                             ~~~~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/writeFileSync.d.ts:2:32

TS2749 [ERROR]: 'bplistCreator' refers to a value, but is being used as a type here. Did you mean 'typeof bplistCreator'?
  bplistCreator: bplistCreator;
                 ~~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/index.d.ts:12:20

TS2709 [ERROR]: Cannot use namespace 'bplistParser' as a type.
  bplistParser: bplistParser;
                ~~~~~~~~~~~~
  at https://cdn.skypack.dev/-/[email protected]/dist=es2019,mode=types/dist/index.d.ts:13:19

Found 15 errors.

From the use of the simple-plist , we have analyze the security vulnerability in simple-plist v1.3.0 and v1.3.1 .
is there new version is coming soon ?
Hopefully new version removes the security vulnerability which current version have it right now.

for more information regarding found security vulnerabilities ,
https://snyk.io/test/npm/simple-plist/1.3.0
https://snyk.io/test/npm/simple-plist/1.3.1