Merge pull request from GHSA-h9rv-jmmf-4pgx

yahoo · Dec 4, 2019 · 16a68ab · 16a68ab
1 parent 3bab6de
commit 16a68ab
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 178 deletions.
diff --git a/index.js b/index.js
@@ -188,7 +188,7 @@ module.exports = function serialize(obj, options) {
         }
 
         if (type === 'R') {
-            return regexps[valueIndex].toString();
+            return "new RegExp(\"" + regexps[valueIndex].source + "\", \"" + regexps[valueIndex].flags + "\")";
         }
 
         if (type === 'M') {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "serialize-javascript",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "Serialize JavaScript to a superset of JSON that includes regular expressions and functions.",
   "main": "index.js",
   "scripts": {

diff --git a/test/unit/serialize.js b/test/unit/serialize.js
@@ -251,7 +251,7 @@ describe('serialize( obj )', function () {
     describe('regexps', function () {
         it('should serialize constructed regexps', function () {
             var re = new RegExp('asdf');
-            expect(serialize(re)).to.be.a('string').equal('/asdf/');
+            expect(serialize(re)).to.be.a('string').equal('new RegExp("asdf", "")');
         });
 
         it('should deserialize constructed regexps', function () {
@@ -262,7 +262,7 @@ describe('serialize( obj )', function () {
 
         it('should serialize literal regexps', function () {
             var re = /asdf/;
-            expect(serialize(re)).to.be.a('string').equal('/asdf/');
+            expect(serialize(re)).to.be.a('string').equal('new RegExp("asdf", "")');
         });
 
         it('should deserialize literal regexps', function () {
@@ -273,7 +273,7 @@ describe('serialize( obj )', function () {
 
         it('should serialize regexps with flags', function () {
             var re = /^asdf$/gi;
-            expect(serialize(re)).to.equal('/^asdf$/gi');
+            expect(serialize(re)).to.equal('new RegExp("^asdf$", "gi")');
         });
 
         it('should deserialize regexps with flags', function () {
@@ -285,17 +285,22 @@ describe('serialize( obj )', function () {
         });
 
         it('should serialize regexps with escaped chars', function () {
-            expect(serialize(/\..*/)).to.equal('/\\..*/');
-            expect(serialize(new RegExp('\\..*'))).to.equal('/\\..*/');
+            expect(serialize(/\..*/)).to.equal('new RegExp("\\..*", "")');
+            expect(serialize(new RegExp('\\..*'))).to.equal('new RegExp("\\..*", "")');
         });
 
         it('should deserialize regexps with escaped chars', function () {
             var re = eval(serialize(/\..*/));
             expect(re).to.be.a('RegExp');
-            expect(re.source).to.equal('\\..*');
+            expect(re.source).to.equal('..*');
             re = eval(serialize(new RegExp('\\..*')));
             expect(re).to.be.a('RegExp');
-            expect(re.source).to.equal('\\..*');
+            expect(re.source).to.equal('..*');
+        });
+
+        it('should serialize dangerous regexps', function () {
+            var re = /[</script><script>alert('xss')//]/
+            expect(serialize(re)).to.be.a('string').equal('new RegExp("[<\\/script><script>alert(\'xss\')\\/\\/]", "")');
         });
     });
 
@@ -332,8 +337,8 @@ describe('serialize( obj )', function () {
                 ['a', 123],
                 [regexKey, 456]
             ]);
-            expect(serialize(m)).to.be.a('string').equal('new Map([["a",123],[/.*/,456]])');
-            expect(serialize({t: [m]})).to.be.a('string').equal('{"t":[new Map([["a",123],[/.*/,456]])]}');
+            expect(serialize(m)).to.be.a('string').equal('new Map([["a",123],[new RegExp(".*", ""),456]])');
+            expect(serialize({t: [m]})).to.be.a('string').equal('{"t":[new Map([["a",123],[new RegExp(".*", ""),456]])]}');
         });
 
         it('should deserialize a map', function () {
@@ -354,8 +359,8 @@ describe('serialize( obj )', function () {
                 123,
                 regex
             ]);
-            expect(serialize(m)).to.be.a('string').equal('new Set(["a",123,/.*/])');
-            expect(serialize({t: [m]})).to.be.a('string').equal('{"t":[new Set(["a",123,/.*/])]}');
+            expect(serialize(m)).to.be.a('string').equal('new Set(["a",123,new RegExp(".*", "")])');
+            expect(serialize({t: [m]})).to.be.a('string').equal('{"t":[new Set(["a",123,new RegExp(".*", "")])]}');
         });
 
         it('should deserialize a set', function () {