webpack · Nov 4, 2021 · Nov 4, 2021 · Oct 20, 2022 · Oct 20, 2022
Showing with 95 additions and 13 deletions.

+14 −0 CHANGELOG.md

+7 −3 lib/getHashDigest.js

+64 −0 lib/hash/BatchedHash.js

+1 −1 lib/hash/wasm-hash.js

+1 −1 lib/parseQuery.js

+1 −1 package.json

+2 −2 test/getHashDigest.test.js

+5 −5 test/interpolateName.test.js
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [2.0.3](https://github.com/webpack/loader-utils/compare/v2.0.1...v2.0.3) (2022-10-20)
+
+
+### Bug Fixes
+
+* **security:** prototype pollution exploit ([#217](https://github.com/webpack/loader-utils/issues/217)) ([a93cf6f](https://github.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4c))
+
+### [2.0.2](https://github.com/webpack/loader-utils/compare/v2.0.1...v2.0.2) (2021-11-04)
+
+
+### Bug Fixes
+
+* base64 generation and unicode characters ([#197](https://github.com/webpack/loader-utils/issues/197)) ([8c2d24e](https://github.com/webpack/loader-utils/commit/8c2d24ee400bc4567335e97ee6004c3baa6ef66f))
+
 ### [2.0.1](https://github.com/webpack/loader-utils/compare/v2.0.0...v2.0.1) (2021-10-29)
 
 

diff --git a/lib/getHashDigest.js b/lib/getHashDigest.js
@@ -40,6 +40,7 @@ function encodeBufferToBase(buffer, base) {
 }
 
 let createMd4 = undefined;
+let BatchedHash = undefined;
 
 function getHashDigest(buffer, hashType, digestType, maxLength) {
   hashType = hashType || 'md4';
@@ -53,9 +54,13 @@ function getHashDigest(buffer, hashType, digestType, maxLength) {
     if (error.code === 'ERR_OSSL_EVP_UNSUPPORTED' && hashType === 'md4') {
       if (createMd4 === undefined) {
         createMd4 = require('./hash/md4');
+
+        if (BatchedHash === undefined) {
+          BatchedHash = require('./hash/BatchedHash');
+        }
       }
 
-      hash = createMd4();
+      hash = new BatchedHash(createMd4());
     }
 
     if (!hash) {
@@ -72,8 +77,7 @@ function getHashDigest(buffer, hashType, digestType, maxLength) {
     digestType === 'base49' ||
     digestType === 'base52' ||
     digestType === 'base58' ||
-    digestType === 'base62' ||
-    digestType === 'base64'
+    digestType === 'base62'
   ) {
     return encodeBufferToBase(hash.digest(), digestType.substr(4)).substr(
       0,

diff --git a/lib/hash/BatchedHash.js b/lib/hash/BatchedHash.js
@@ -0,0 +1,64 @@
+const MAX_SHORT_STRING = require('./wasm-hash').MAX_SHORT_STRING;
+
+class BatchedHash {
+  constructor(hash) {
+    this.string = undefined;
+    this.encoding = undefined;
+    this.hash = hash;
+  }
+
+  /**
+   * Update hash {@link https://nodejs.org/api/crypto.html#crypto_hash_update_data_inputencoding}
+   * @param {string|Buffer} data data
+   * @param {string=} inputEncoding data encoding
+   * @returns {this} updated hash
+   */
+  update(data, inputEncoding) {
+    if (this.string !== undefined) {
+      if (
+        typeof data === 'string' &&
+        inputEncoding === this.encoding &&
+        this.string.length + data.length < MAX_SHORT_STRING
+      ) {
+        this.string += data;
+
+        return this;
+      }
+
+      this.hash.update(this.string, this.encoding);
+      this.string = undefined;
+    }
+
+    if (typeof data === 'string') {
+      if (
+        data.length < MAX_SHORT_STRING &&
+        // base64 encoding is not valid since it may contain padding chars
+        (!inputEncoding || !inputEncoding.startsWith('ba'))
+      ) {
+        this.string = data;
+        this.encoding = inputEncoding;
+      } else {
+        this.hash.update(data, inputEncoding);
+      }
+    } else {
+      this.hash.update(data);
+    }
+
+    return this;
+  }
+
+  /**
+   * Calculates the digest {@link https://nodejs.org/api/crypto.html#crypto_hash_digest_encoding}
+   * @param {string=} encoding encoding of the return value
+   * @returns {string|Buffer} digest
+   */
+  digest(encoding) {
+    if (this.string !== undefined) {
+      this.hash.update(this.string, this.encoding);
+    }
+
+    return this.hash.digest(encoding);
+  }
+}
+
+module.exports = BatchedHash;
diff --git a/lib/hash/wasm-hash.js b/lib/hash/wasm-hash.js
@@ -82,7 +82,7 @@ class WasmHash {
             endPos += 2;
           } else {
             // bail-out for weird chars
-            endPos += mem.write(data.slice(endPos), endPos, encoding);
+            endPos += mem.write(data.slice(i), endPos, encoding);
             break;
           }
         }

diff --git a/lib/parseQuery.js b/lib/parseQuery.js
@@ -26,7 +26,7 @@ function parseQuery(query) {
   }
 
   const queryArgs = query.split(/[,&]/g);
-  const result = {};
+  const result = Object.create(null);
 
   queryArgs.forEach((arg) => {
     const idx = arg.indexOf('=');

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "loader-utils",
-  "version": "2.0.1",
+  "version": "2.0.3",
   "author": "Tobias Koppers @sokra",
   "description": "utils for webpack loaders",
   "dependencies": {

diff --git a/test/getHashDigest.test.js b/test/getHashDigest.test.js
@@ -12,15 +12,15 @@ describe('getHashDigest()', () => {
       '6f8db599de986fab7a21625b7916589c',
     ],
     ['test string', 'md5', 'hex', 4, '6f8d'],
-    ['test string', 'md5', 'base64', undefined, '2sm1pVmS8xuGJLCdWpJoRL'],
+    ['test string', 'md5', 'base64', undefined, 'b421md6Yb6t6IWJbeRZYnA=='],
     ['test string', 'md5', 'base52', undefined, 'dJnldHSAutqUacjgfBQGLQx'],
     ['test string', 'md5', 'base26', 6, 'bhtsgu'],
     [
       'test string',
       'sha512',
       'base64',
       undefined,
-      '2IS-kbfIPnVflXb9CzgoNESGCkvkb0urMmucPD9z8q6HuYz8RShY1-tzSUpm5-Ivx_u4H1MEzPgAhyhaZ7RKog',
+      'EObWR69EYkRC84jCwUp4f/ixfmFluD12fsBHdo2MvLcaGjIm58x4Frx5wEJ9lKnaaIxBo5kse/Xk18w+C+XbrA==',
     ],
     [
       'test string',

diff --git a/test/interpolateName.test.js b/test/interpolateName.test.js
@@ -62,13 +62,13 @@ describe('interpolateName()', () => {
       '/app/img/image.png',
       '[sha512:hash:base64:7].[ext]',
       'test content',
-      '2BKDTjl.png',
+      'DL9MrvO.png',
     ],
     [
       '/app/img/image.png',
       '[sha512:contenthash:base64:7].[ext]',
       'test content',
-      '2BKDTjl.png',
+      'DL9MrvO.png',
     ],
     [
       '/app/dir/file.png',
@@ -116,13 +116,13 @@ describe('interpolateName()', () => {
       '/lib/components/modal/modal.css',
       '[name].[md5:hash:base64:20].[ext]',
       'test content',
-      'modal.1n8osQznuT8jOAwdzg_n.css',
+      'modal.lHP90NiApDwht3eNNIch.css',
     ],
     [
       '/lib/components/modal/modal.css',
       '[name].[md5:contenthash:base64:20].[ext]',
       'test content',
-      'modal.1n8osQznuT8jOAwdzg_n.css',
+      'modal.lHP90NiApDwht3eNNIch.css',
     ],
     // Should not interpret without `hash` or `contenthash`
     [
@@ -265,7 +265,7 @@ describe('interpolateName()', () => {
     ],
     [
       [{}, '[hash:base64]', { content: 'test string' }],
-      '2LIG3oc1uBNmwOoL7kXgoK',
+      'Lgbt1PFiMmjFpRcw2KCyrw==',
       'should interpolate [hash] token with options',
     ],
     [