Fix code injection vulnerability via malicious field names and encoding names

keichi · keichi · commit fd2489405413 · 2025-11-26T14:21:28.000+09:00
diff --git a/lib/binary_parser.ts b/lib/binary_parser.ts
@@ -292,6 +292,30 @@ export class Parser {
     return new Parser();
   }
 
+  private sanitizeFieldName(name: string): string {
+    if (name && !/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(name)) {
+      throw new Error(`Invalid field name: ${name}`);
+    }
+    return name;
+  }
+
+  private sanitizeEncoding(encoding: string): string {
+    const allowed = [
+      "utf8",
+      "utf-8",
+      "ascii",
+      "hex",
+      "base64",
+      "base64url",
+      "latin1",
+      "binary",
+    ];
+    if (!allowed.includes(encoding.toLowerCase())) {
+      throw new Error(`Invalid encoding: ${encoding}`);
+    }
+    return encoding;
+  }
+
   private primitiveGenerateN(type: PrimitiveTypes, ctx: Context) {
     const typeName = PRIMITIVE_NAMES[type];
     const littleEndian = PRIMITIVE_LITTLE_ENDIANS[type];
@@ -593,6 +617,7 @@ export class Parser {
     }
 
     options.encoding = options.encoding || "utf8";
+    this.sanitizeEncoding(options.encoding);
 
     return this.setNextParser("string", varName, options);
   }
@@ -914,7 +939,7 @@ export class Parser {
     const parser = new Parser();
 
     parser.type = type;
-    parser.varName = varName;
+    parser.varName = this.sanitizeFieldName(varName);
     parser.options = options;
     parser.endian = this.endian;
 
diff --git a/test/primitive_parser.ts b/test/primitive_parser.ts
@@ -441,6 +441,29 @@ function primitiveParserTests(
         deepStrictEqual(bufferParser.parse(buffer), { buf: buffer });
       });
     });
+
+    describe("Security", () => {
+      it("should throw an error on invalid field name", () => {
+        try {
+          new Parser().uint8('a; console.log("INJECTED CODE EXECUTED"); //');
+          throw new Error("Should have thrown error");
+        } catch (e: any) {
+          ok(e.message.includes("Invalid field name"));
+        }
+      });
+
+      it("should throw an error on invalid encoding name", () => {
+        try {
+          new Parser().string("s", {
+            length: 1,
+            encoding: "utf8'); console.log('INJECTED ENCODING EXECUTED'); //",
+          });
+          throw new Error("Should have thrown error");
+        } catch (e: any) {
+          ok(e.message.includes("Invalid encoding"));
+        }
+      });
+    });
   });
 }
 
