wollardj / simple-plist Goto Github PK
View Code? Open in Web Editor NEWA simple API for interacting with binary and plain text plist data.
License: MIT License
A simple API for interacting with binary and plain text plist data.
License: MIT License
Use-case: I want to read a (usually binary) plist directly from a zip file without extracting a tempfile.
The logic I want is already in readFileSync()
, so it shouldn't be too hard to update parse()
with that and delegate to it from readFileSync()
.
Hi, There's a prototype pollution vulnerability in .parse() related to the xml that are being parsed in it. In the following example the prototype pollution will affect the length parameter.
var plist = require('simple-plist');
var xml = `
<plist version="1.0">
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>com.company.app</string>
</dict>
</plist>`;
console.log(plist.parse(xml));
/**
* * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * END OF THE NORMAL CODE EXAMPLE! * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * *
**/
/**
* * * * * * * * * * * *
* PROTOTYPE POLLUTION *
* * * * * * * * * * * *
**/
var xmlPollution = `
<plist version="1.0">
<dict>
<key>__proto__</key>
<dict>
<key>length</key>
<string>polluted</string>
</dict>
</dict>
</plist>`;
console.log(plist.parse(xmlPollution).length); // polluted
More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
To reproduce:
npm create vite@latest
npm install
and npm run dev
main.ts
:import plist from 'simple-plist';
console.log(plist)
Version 1.3.1
Uncaught Error: Dynamic require of "bplist-creator" is not supported
at simple-plist.js?v=110fc26f:7:9
at index.js:15:44
at index.js:6:17
at node_modules/simple-plist/dist/index.js (index.js:12:1)
at __require2 (simple-plist.js?v=110fc26f:10:50)
at index.js:41:2
Version 1.4.0
Uncaught TypeError: util.inherits is not a function
at node_modules/stream-buffers/lib/readable_streambuffer.js (readable_streambuffer.js:136:6)
at __require (simple-plist.js?v=5edd6120:3:50)
at node_modules/stream-buffers/lib/streambuffer.js (streambuffer.js:2:39)
at __require (simple-plist.js?v=5edd6120:3:50)
at node_modules/bplist-creator/bplistCreator.js (bplistCreator.js:5:21)
at __require (simple-plist.js?v=5edd6120:3:50)
at node_modules/simple-plist/dist/index.js (index.js:7:24)
at __require (simple-plist.js?v=5edd6120:3:50)
at index.js:26:129
If you have a plist file with an empty <string></string>
value like this:
<plist version="1.0">
<dict>
<key>DTPlatformBuild</key>
<string></string>
<key>DTPlatformName</key>
<string>iphonesimulator</string>
<key>DTPlatformVersion</key>
<string>10.0</string>
</dict>
</plist>
The parser will ignore it and interpret the next key as the value, giving an output like this:
{
"DTPlatformBuild":"DTPlatformName",
"iphonesimulator":"DTPlatformVersion",
"10.0": ...
}
Hi, any chance that TypeScript type declarations could be added to this repo?
That would be great! Thanks!
Package works well but I would like to use it in an async context.
That is, rather than the underlying read doing fs.readFileSync(aFile) it would be great to have a readFile method that uses fs.readFile with either an event emitter or a callback. Same goes for writing.
Thanks!