From ed5ce7005b994d7e94be9456ccb6e58d7a51a7b1 Mon Sep 17 00:00:00 2001 From: Alfredo Moralejo Date: Thu, 20 Jun 2019 16:26:40 +0200 Subject: [PATCH] Update package to 3.13.1.0 Version 3.13.1 includes fixes for some security issues as: https://www.npmjs.com/advisories/788 https://www.npmjs.com/advisories/813 Change-Id: I4684d5fc6b2d6f8fa5d16421ebbc861f78c10c64 --- README.txt | 2 +- setup.cfg | 2 +- xstatic/pkg/js_yaml/__init__.py | 2 +- xstatic/pkg/js_yaml/data/js-yaml.js | 182 ++++++++++++++++++++-------- 4 files changed, 136 insertions(+), 52 deletions(-) diff --git a/README.txt b/README.txt index efead29..2c97c12 100644 --- a/README.txt +++ b/README.txt @@ -1,5 +1,5 @@ XStatic-JS-Yaml --------------- +--------------- JS Yaml JavaScript library packaged for setuptools (easy_install) / pip. diff --git a/setup.cfg b/setup.cfg index c2bad8f..a20a65d 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,6 +1,6 @@ [metadata] name = XStatic-JS-Yaml -description = JS-Yaml 3.8.1 (XStatic packaging standard) +description = JS-Yaml 3.13.1 (XStatic packaging standard) description-file = README.rst maintainer = xinni.ge maintainer-email = xinni.ge@ntt.com diff --git a/xstatic/pkg/js_yaml/__init__.py b/xstatic/pkg/js_yaml/__init__.py index edd6592..19b70bc 100644 --- a/xstatic/pkg/js_yaml/__init__.py +++ b/xstatic/pkg/js_yaml/__init__.py @@ -11,7 +11,7 @@ NAME = __name__.split('.')[-1] # package name (e.g. 'foo' or 'foo_bar') # please use a all-lowercase valid python # package name -VERSION = '3.8.1' # version of the packaged files, please use the upstream +VERSION = '3.13.1' # version of the packaged files, please use the upstream # version number BUILD = '0' # our package build number, so we can release new builds # with fixes for xstatic stuff. diff --git a/xstatic/pkg/js_yaml/data/js-yaml.js b/xstatic/pkg/js_yaml/data/js-yaml.js index 422dce1..fad044a 100644 --- a/xstatic/pkg/js_yaml/data/js-yaml.js +++ b/xstatic/pkg/js_yaml/data/js-yaml.js 
@@ -1,4 +1,4 @@ -/* js-yaml 3.8.1 https://github.com/nodeca/js-yaml */(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.jsyaml = f()}})(function(){var define,module,exports;return (function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o 9) { + if (indentPerLevel > 9 && needIndentIndicator(string)) { return STYLE_DOUBLE; } // At this point we know block styles are valid. @@ -467,7 +475,7 @@ function writeScalar(state, string, level, iskey) { // Pre-conditions: string is valid for a block scalar, 1 <= indentPerLevel <= 9. function blockHeader(string, indentPerLevel) { - var indentIndicator = (string[0] === ' ') ? String(indentPerLevel) : ''; + var indentIndicator = needIndentIndicator(string) ? String(indentPerLevel) : ''; // note the special case: the string '\n' counts as a "trailing" empty line. var clip = string[string.length - 1] === '\n'; 
@@ -563,11 +571,21 @@ function foldLine(line, width) { // Escapes a double-quoted string. function escapeString(string) { var result = ''; - var char; + var char, nextChar; var escapeSeq; for (var i = 0; i < string.length; i++) { char = string.charCodeAt(i); + // Check for surrogate pairs (reference Unicode 3.0 section "3.7 Surrogates"). + if (char >= 0xD800 && char <= 0xDBFF/* high surrogate */) { + nextChar = string.charCodeAt(i + 1); + if (nextChar >= 0xDC00 && nextChar <= 0xDFFF/* low surrogate */) { + // Combine the surrogate pair and store it escaped. + result += encodeHex((char - 0xD800) * 0x400 + nextChar - 0xDC00 + 0x10000); + // Advance index one extra since we already used that char here. + i++; continue; + } + } escapeSeq = ESCAPE_SEQUENCES[char]; result += !escapeSeq && isPrintable(char) ? string[i] @@ -586,7 +604,7 @@ function writeFlowSequence(state, level, object) { for (index = 0, length = object.length; index < length; index += 1) { // Write only valid elements. if (writeNode(state, level, object[index], false, false)) { - if (index !== 0) _result += ', '; + if (index !== 0) _result += ',' + (!state.condenseFlow ? ' ' : ''); _result += state.dump; } } @@ -607,7 +625,14 @@ function writeBlockSequence(state, level, object, compact) { if (!compact || index !== 0) { _result += generateNextLine(state, level); } - _result += '- ' + state.dump; + + if (state.dump && CHAR_LINE_FEED === state.dump.charCodeAt(0)) { + _result += '-'; + } else { + _result += '- '; + } + + _result += state.dump; } } @@ -626,7 +651,7 @@ function writeFlowMapping(state, level, object) { pairBuffer; for (index = 0, length = objectKeyList.length; index < length; index += 1) { - pairBuffer = ''; + pairBuffer = state.condenseFlow ? '"' : ''; if (index !== 0) pairBuffer += ', '; 
@@ -639,7 +664,7 @@ function writeFlowMapping(state, level, object) { if (state.dump.length > 1024) pairBuffer += '? '; - pairBuffer += state.dump + ': '; + pairBuffer += state.dump + (state.condenseFlow ? '"' : '') + ':' + (state.condenseFlow ? '' : ' '); if (!writeNode(state, level, objectValue, false, false)) { continue; // Skip this pair because of invalid value. @@ -813,13 +838,14 @@ function writeNode(state, level, object, block, compact, iskey) { } } } else if (type === '[object Array]') { + var arrayLevel = (state.noArrayIndent && (level > 0)) ? level - 1 : level; if (block && (state.dump.length !== 0)) { - writeBlockSequence(state, level, state.dump, compact); + writeBlockSequence(state, arrayLevel, state.dump, compact); if (duplicate) { state.dump = '&ref_' + duplicateIndex + state.dump; } } else { - writeFlowSequence(state, level, state.dump); + writeFlowSequence(state, arrayLevel, state.dump); if (duplicate) { state.dump = '&ref_' + duplicateIndex + ' ' + state.dump; } @@ -912,6 +938,11 @@ function YAMLException(reason, mark) { // Super constructor Error.call(this); + this.name = 'YAMLException'; + this.reason = reason; + this.mark = mark; + this.message = (this.reason || '(unknown reason)') + (this.mark ? ' ' + this.mark.toString() : ''); + // Include stack trace in error object if (Error.captureStackTrace) { // Chrome and NodeJS @@ -920,11 +951,6 @@ function YAMLException(reason, mark) { // FF, IE 10+ and Safari 6+. Fallback for others this.stack = (new Error()).stack || ''; } - - this.name = 'YAMLException'; - this.reason = reason; - this.mark = mark; - this.message = (this.reason || '(unknown reason)') + (this.mark ? ' ' + this.mark.toString() : ''); } 
@@ -981,6 +1007,8 @@ var PATTERN_TAG_HANDLE = /^(?:!|!!|![a-z\-]+!)$/i; var PATTERN_TAG_URI = /^(?:!|[^,\[\]\{\}])(?:%[0-9a-f]{2}|[0-9a-z\-#;\/\?:@&=\+\$,_\.!~\*'\(\)\[\]])*$/i; +function _class(obj) { return Object.prototype.toString.call(obj); } + function is_EOL(c) { return (c === 0x0A/* LF */) || (c === 0x0D/* CR */); } @@ -1037,6 +1065,7 @@ function fromDecimalCode(c) { } function simpleEscapeSequence(c) { + /* eslint-disable indent */ return (c === 0x30/* 0 */) ? '\x00' : (c === 0x61/* a */) ? '\x07' : (c === 0x62/* b */) ? '\x08' : @@ -1063,8 +1092,10 @@ function charFromCodepoint(c) { } // Encode UTF-16 surrogate pair // https://en.wikipedia.org/wiki/UTF-16#Code_points_U.2B010000_to_U.2B10FFFF - return String.fromCharCode(((c - 0x010000) >> 10) + 0xD800, - ((c - 0x010000) & 0x03FF) + 0xDC00); + return String.fromCharCode( + ((c - 0x010000) >> 10) + 0xD800, + ((c - 0x010000) & 0x03FF) + 0xDC00 + ); } var simpleEscapeCheck = new Array(256); // integer, for fast access @@ -1196,9 +1227,7 @@ function captureSegment(state, start, end, checkJson) { _result = state.input.slice(start, end); if (checkJson) { - for (_position = 0, _length = _result.length; - _position < _length; - _position += 1) { + for (_position = 0, _length = _result.length; _position < _length; _position += 1) { _character = _result.charCodeAt(_position); if (!(_character === 0x09 || (0x20 <= _character && _character <= 0x10FFFF))) { 
@@ -1235,6 +1264,31 @@ function mergeMappings(state, destination, source, overridableKeys) { function storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode, startLine, startPos) { var index, quantity; + // The output is a plain object here, so keys can only be strings. + // We need to convert keyNode to a string, but doing so can hang the process + // (deeply nested arrays that explode exponentially using aliases). + if (Array.isArray(keyNode)) { + keyNode = Array.prototype.slice.call(keyNode); + + for (index = 0, quantity = keyNode.length; index < quantity; index += 1) { + if (Array.isArray(keyNode[index])) { + throwError(state, 'nested arrays are not supported inside keys'); + } + + if (typeof keyNode === 'object' && _class(keyNode[index]) === '[object Object]') { + keyNode[index] = '[object Object]'; + } + } + } + + // Avoid code execution in load() via toString property + // (still use its own toString for arrays, timestamps, + // and whatever user schema extensions happen to have @@toStringTag) + if (typeof keyNode === 'object' && _class(keyNode) === '[object Object]') { + keyNode = '[object Object]'; + } + + keyNode = String(keyNode); if (_result === null) { @@ -1947,7 +2001,7 @@ function readBlockMapping(state, nodeIndent, flowIndent) { allowCompact = true; } else { - throwError(state, 'incomplete explicit mapping pair; a key node is missed'); + throwError(state, 'incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line'); } state.position += 1; 
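Review bot: Inside the `Array.isArray(keyNode)` branch the guard `typeof keyNode === 'object' && _class(keyNode[index]) === '[object Object]'` tests the array itself rather than the element, so the first clause is always true there and reads as if it were meant to be `typeof keyNode[index]`; the `_class` comparison alone decides the outcome. That makes it a readability point rather than a behavioural one, and since this file is a vendored bundle the cleanup belongs upstream rather than in a local patch. `_class` is the helper added in an earlier hunk of this file, and `storeMappingPair`'s body continues past the end of this hunk.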
@@ -2316,9 +2370,7 @@ function composeNode(state, parentIndent, nodeContext, allowToSeek, allowCompact if (state.tag !== null && state.tag !== '!') { if (state.tag === '?') { - for (typeIndex = 0, typeQuantity = state.implicitTypes.length; - typeIndex < typeQuantity; - typeIndex += 1) { + for (typeIndex = 0, typeQuantity = state.implicitTypes.length; typeIndex < typeQuantity; typeIndex += 1) { type = state.implicitTypes[typeIndex]; // Implicit resolving is not allowed for non-scalar types, and '?' @@ -2507,6 +2559,10 @@ function loadDocuments(input, options) { function loadAll(input, iterator, options) { var documents = loadDocuments(input, options), index, length; + if (typeof iterator !== 'function') { + return documents; + } + for (index = 0, length = documents.length; index < length; index += 1) { iterator(documents[index]); } @@ -2527,7 +2583,11 @@ function load(input, options) { function safeLoadAll(input, output, options) { - loadAll(input, output, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options)); + if (typeof output === 'function') { + loadAll(input, output, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options)); + } else { + return loadAll(input, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options)); + } } 
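Review bot: In `safeLoadAll`, the new else branch calls `loadAll(input, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options))`, which puts the options object into `loadAll`'s `iterator` parameter and leaves its `options` parameter undefined, so `loadDocuments(input, options)` never receives the safe schema and the new `typeof iterator !== 'function'` guard then returns the documents as if nothing were wrong. If `loadDocuments` falls back to the default full schema when no schema is supplied (its body is outside this hunk), a caller using `safeLoadAll(input)` without an iterator is parsed with the same schema as plain `loadAll`, which is exactly the unsafe path the advisories in the commit message are about. The minimal repair is to fill the iterator slot explicitly, `return loadAll(input, null, common.extend({ schema: DEFAULT_SAFE_SCHEMA }, options));`, but as this file is a vendored bundle the fix should be taken from upstream; until a release carrying it is packaged, consumers should call `safeLoad` or pass an iterator callback to `safeLoadAll`. `safeLoadAll` is fully inside the hunk; `loadAll`'s closing brace is past it.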
@@ -3099,16 +3159,27 @@ var common = require('../common'); var Type = require('../type'); var YAML_FLOAT_PATTERN = new RegExp( - '^(?:[-+]?(?:[0-9][0-9_]*)\\.[0-9_]*(?:[eE][-+][0-9]+)?' + - '|\\.[0-9_]+(?:[eE][-+][0-9]+)?' + + // 2.5e4, 2.5 and integers + '^(?:[-+]?(?:0|[1-9][0-9_]*)(?:\\.[0-9_]*)?(?:[eE][-+]?[0-9]+)?' + + // .2e4, .2 + // special case, seems not from spec + '|\\.[0-9_]+(?:[eE][-+]?[0-9]+)?' + + // 20:59 '|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\\.[0-9_]*' + + // .inf '|[-+]?\\.(?:inf|Inf|INF)' + + // .nan '|\\.(?:nan|NaN|NAN))$'); function resolveYamlFloat(data) { if (data === null) return false; - if (!YAML_FLOAT_PATTERN.test(data)) return false; + if (!YAML_FLOAT_PATTERN.test(data) || + // Quick hack to not allow integers end with `_` + // Probably should update regexp & check speed + data[data.length - 1] === '_') { + return false; + } return true; } @@ -3253,7 +3324,7 @@ function resolveYamlInteger(data) { if (ch !== '0' && ch !== '1') return false; hasDigits = true; } - return hasDigits; + return hasDigits && ch !== '_'; } @@ -3267,7 +3338,7 @@ function resolveYamlInteger(data) { if (!isHexCode(data.charCodeAt(index))) return false; hasDigits = true; } - return hasDigits; + return hasDigits && ch !== '_'; } // base 8 @@ -3277,11 +3348,14 @@ function resolveYamlInteger(data) { if (!isOctCode(data.charCodeAt(index))) return false; hasDigits = true; } - return hasDigits; + return hasDigits && ch !== '_'; } // base 10 (except 0) or base 60 + // value should not start with `_`; + if (ch === '_') return false; + for (; index < max; index++) { ch = data[index]; if (ch === '_') continue; @@ -3292,7 +3366,8 @@ function resolveYamlInteger(data) { hasDigits = true; } - if (!hasDigits) return false; + // Should have digits and should not end with `_` + if (!hasDigits || ch === '_') return false; // if !base60 - done; if (ch !== ':') return true; 
@@ -3355,10 +3430,11 @@ module.exports = new Type('tag:yaml.org,2002:int', { construct: constructYamlInteger, predicate: isInteger, represent: { - binary: function (object) { return '0b' + object.toString(2); }, - octal: function (object) { return '0' + object.toString(8); }, - decimal: function (object) { return object.toString(10); }, - hexadecimal: function (object) { return '0x' + object.toString(16).toUpperCase(); } + binary: function (obj) { return obj >= 0 ? '0b' + obj.toString(2) : '-0b' + obj.toString(2).slice(1); }, + octal: function (obj) { return obj >= 0 ? '0' + obj.toString(8) : '-0' + obj.toString(8).slice(1); }, + decimal: function (obj) { return obj.toString(10); }, + /* eslint-disable max-len */ + hexadecimal: function (obj) { return obj >= 0 ? '0x' + obj.toString(16).toUpperCase() : '-0x' + obj.toString(16).toUpperCase().slice(1); } }, defaultStyle: 'decimal', styleAliases: { @@ -3402,7 +3478,8 @@ function resolveJavascriptFunction(data) { if (ast.type !== 'Program' || ast.body.length !== 1 || ast.body[0].type !== 'ExpressionStatement' || - ast.body[0].expression.type !== 'FunctionExpression') { + (ast.body[0].expression.type !== 'ArrowFunctionExpression' && + ast.body[0].expression.type !== 'FunctionExpression')) { return false; } @@ -3423,7 +3500,8 @@ function constructJavascriptFunction(data) { if (ast.type !== 'Program' || ast.body.length !== 1 || ast.body[0].type !== 'ExpressionStatement' || - ast.body[0].expression.type !== 'FunctionExpression') { + (ast.body[0].expression.type !== 'ArrowFunctionExpression' && + ast.body[0].expression.type !== 'FunctionExpression')) { throw new Error('Failed to resolve function'); } 
@@ -3435,8 +3513,14 @@ function constructJavascriptFunction(data) { // Esprima's ranges include the first '{' and the last '}' characters on // function expressions. So cut them out. + if (ast.body[0].expression.body.type === 'BlockStatement') { + /*eslint-disable no-new-func*/ + return new Function(params, source.slice(body[0] + 1, body[1] - 1)); + } + // ES6 arrow functions can omit the BlockStatement. In that case, just return + // the body. /*eslint-disable no-new-func*/ - return new Function(params, source.slice(body[0] + 1, body[1] - 1)); + return new Function(params, 'return ' + source.slice(body[0], body[1])); } function representJavascriptFunction(object /*, style*/) { @@ -3859,4 +3943,4 @@ var yaml = require('./lib/js-yaml.js'); module.exports = yaml; },{"./lib/js-yaml.js":1}]},{},[])("/") -}); \ No newline at end of file +});
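Review bot: The arrow-function branch rebuilds the body as `new Function(params, 'return ' + source.slice(body[0], body[1]))`; if esprima's range for an expression body excludes surrounding parentheses (the hunk only shows that it includes the braces of a BlockStatement, hence the `+ 1`/`- 1` trimming above), an arrow whose body is a parenthesized object literal would become `return {…}`, which parses as a block and silently yields undefined — worth pinning with a test before relying on it. Both branches construct functions from document-supplied text, and nothing in this hunk records that this tag is presumably reachable only through the non-safe schema; a one-line comment such as `// Builds a function from YAML-supplied source; not part of the safe schema.` would make the trust boundary explicit for the next reader. Being a vendored bundle, any change here should go upstream; `constructJavascriptFunction` starts before this hunk.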