fix(cache): improve cache key serialization (#2424)

* fix(cache): improve cache key formation. Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
sidorares · Mar 26, 2024 · 0d54b0c · 0d54b0c
1 parent d9dccfd
commit 0d54b0c
Show file tree

Hide file tree

Showing 2 changed files with 518 additions and 15 deletions.
diff --git a/lib/parsers/parser_cache.js b/lib/parsers/parser_cache.js
@@ -3,26 +3,38 @@
 const LRU = require('lru-cache').default;
 
 const parserCache = new LRU({
- max: 15000
+ max: 15000,
 });
 
 function keyFromFields(type, fields, options, config) {
- let res =
- `${type}` +
- `/${typeof options.nestTables}` +
- `/${options.nestTables}` +
- `/${options.rowsAsArray}` +
- `/${options.supportBigNumbers || config.supportBigNumbers}` +
- `/${options.bigNumberStrings || config.bigNumberStrings}` +
- `/${typeof options.typeCast}` +
- `/${options.timezone || config.timezone}` +
- `/${options.decimalNumbers}` +
- `/${options.dateStrings}`;
+ const res = [
+ type,
+ typeof options.nestTables,
+ options.nestTables,
+ Boolean(options.rowsAsArray),
+ Boolean(options.supportBigNumbers || config.supportBigNumbers),
+ Boolean(options.bigNumberStrings || config.bigNumberStrings),
+ typeof options.typeCast,
+ options.timezone || config.timezone,
+ Boolean(options.decimalNumbers),
+ options.dateStrings,
+ ];
+
  for (let i = 0; i < fields.length; ++i) {
  const field = fields[i];
- res += `/${field.name}:${field.columnType}:${field.length}:${field.schema}:${field.table}:${field.flags}:${field.characterSet}`;
+
+ res.push([
+ field.name,
+ field.columnType,
+ field.length,
+ field.schema,
+ field.table,
+ field.flags,
+ field.characterSet,
+ ]);
  }
- return res;
+
+ return JSON.stringify(res, null, 0);
 }
 
 function getParser(type, fields, options, config, compiler) {
@@ -49,5 +61,6 @@ function clearCache() {
 module.exports = {
  getParser: getParser,
  setMaxCache: setMaxCache,
- clearCache: clearCache
+ clearCache: clearCache,
+ _keyFromFields: keyFromFields,
 };