10 changes: 10 additions & 0 deletions node_modules/@npmcli/agent/lib/agents.js
Expand Up @@ -161,6 +161,16 @@ module.exports = class Agent extends AgentBase {
return socket
}

keepSocketAlive (socket) {
const keepAlive = super.keepSocketAlive(socket)

if (keepAlive && this.#timeouts.idle) {
socket.setTimeout(this.#timeouts.idle)
}

return keepAlive
}

addRequest (request, options) {
const proxy = this.#getProxy(options)
// it would be better to call proxy.addRequest here but this causes the
6 changes: 3 additions & 3 deletions node_modules/@npmcli/agent/package.json
@@ -1,6 +1,6 @@
{
"name": "@npmcli/agent",
"version": "5.0.1",
"version": "5.0.2",
"description": "the http/https agent used by the npm cli",
"main": "lib/index.js",
"scripts": {
Expand Down Expand Up @@ -29,7 +29,7 @@
},
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
"version": "5.1.0",
"version": "5.1.1",
"publish": "true",
"updateNpm": false
},
Expand All @@ -42,7 +42,7 @@
},
"devDependencies": {
"@npmcli/eslint-config": "^7.0.0",
"@npmcli/template-oss": "5.1.0",
"@npmcli/template-oss": "5.1.1",
"ip-address": "^10.1.0",
"minipass-fetch": "^6.0.0",
"nock": "^14.0.3",
3 changes: 1 addition & 2 deletions node_modules/bin-links/node_modules/cmd-shim/lib/index.js
Expand Up @@ -109,13 +109,12 @@ const writeShim_ = (from, to, prog, args, variables) => {
+ ` SET "_prog=${longProg.replace(/(^")|("$)/g, '')}"\r\n`
+ ') ELSE (\r\n'
+ ` SET "_prog=${prog.replace(/(^")|("$)/g, '')}"\r\n`
+ ' SET PATHEXT=%PATHEXT:;.JS;=;%\r\n'
+ ')\r\n'
+ '\r\n'
// prevent "Terminate Batch Job? (Y/n)" message
// https://github.com/npm/cli/issues/969#issuecomment-737496588
+ 'endLocal & goto #_undefined_# 2>NUL || title %COMSPEC% & '
+ `"%_prog%" ${args} ${target} %*\r\n`
+ `set PATHEXT=%PATHEXT:;.JS;=;% & "%_prog%" ${args} ${target} %*\r\n`
} else {
cmd = `${head}${prog} ${args} ${target} %*\r\n`
}
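Review bot: The `set PATHEXT=%PATHEXT:;.JS;=;%` now sits on the final command line after `endLocal`, so the modified PATHEXT appears to be written outside the shim's local scope and may remain in effect in the calling cmd.exe session after the program exits. The matching `setLocal` is outside this hunk, so this should be confirmed against the full template. The substitution also removes `.JS` only when it has a semicolon on both sides, so a PATHEXT that ends in `.JS` keeps it. A comment above the line would record the intent, for example `// set after endLocal so the change reaches the launched program; it is not scoped by setLocal`.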
6 changes: 3 additions & 3 deletions node_modules/bin-links/node_modules/cmd-shim/package.json
@@ -1,6 +1,6 @@
{
"name": "cmd-shim",
"version": "9.0.1",
"version": "9.0.2",
"description": "Used in npm for command line application support",
"scripts": {
"test": "tap",
Expand All @@ -19,7 +19,7 @@
"license": "ISC",
"devDependencies": {
"@npmcli/eslint-config": "^7.0.0",
"@npmcli/template-oss": "5.1.0",
"@npmcli/template-oss": "5.1.1",
"tap": "^16.0.1"
},
"files": [
Expand All @@ -42,7 +42,7 @@
"author": "GitHub Inc.",
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
"version": "5.1.0",
"version": "5.1.1",
"publish": true
}
}
38 changes: 24 additions & 14 deletions node_modules/brace-expansion/dist/commonjs/index.js
Expand Up @@ -95,19 +95,23 @@ function gte(i, y) {
function expand_(str, max, isTop) {
/** @type {string[]} */
const expansions = [];
const m = (0, balanced_match_1.balanced)('{', '}', str);
if (!m)
return [str];
// no need to expand pre, since it is guaranteed to be free of brace-sets
const pre = m.pre;
const post = m.post.length ? expand_(m.post, max, false) : [''];
if (/\$$/.test(m.pre)) {
for (let k = 0; k < post.length && k < max; k++) {
const expansion = pre + '{' + m.body + '}' + post[k];
expansions.push(expansion);
// The `{a},b}` rewrite below restarts expansion on a rewritten string with
// the same `max` and `isTop = true`. Loop instead of recursing so a long run
// of non-expanding `{}` groups can't exhaust the call stack.
for (;;) {
const m = (0, balanced_match_1.balanced)('{', '}', str);
if (!m)
return [str];
// no need to expand pre, since it is guaranteed to be free of brace-sets
const pre = m.pre;
if (/\$$/.test(m.pre)) {
const post = m.post.length ? expand_(m.post, max, false) : [''];
for (let k = 0; k < post.length && k < max; k++) {
const expansion = pre + '{' + m.body + '}' + post[k];
expansions.push(expansion);
}
return expansions;
}
}
else {
const isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
const isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
const isSequence = isNumericSequence || isAlphaSequence;
Expand All @@ -116,10 +120,16 @@ function expand_(str, max, isTop) {
// {a},b}
if (m.post.match(/,(?!,).*\}/)) {
str = m.pre + '{' + m.body + escClose + m.post;
return expand_(str, max, true);
isTop = true;
continue;
}
return [str];
}
// Only expand post once we know this brace set actually expands. Computing
// it before the early returns above expanded post a second time on every
// non-expanding `{}`, which is what made inputs like `a{},{},{}...` blow up
// exponentially.
const post = m.post.length ? expand_(m.post, max, false) : [''];
let n;
if (isSequence) {
n = m.body.split(/\.\./);
Expand Down Expand Up @@ -195,7 +205,7 @@ function expand_(str, max, isTop) {
}
}
}
return expansions;
}
return expansions;
}
//# sourceMappingURL=index.js.map
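Review bot: The loop only removes the recursion for the `{a},b}` rewrite path; both remaining `expand_(m.post, max, false)` calls (the `$`-prefixed branch and the one after the non-expanding check) still add one stack frame per brace group, and `max` limits the number of results, not that depth. A very long run of `${...}` groups or of expanding sets can therefore still reach the call-stack limit, so the new comment's claim about stack exhaustion holds for non-expanding `{}` runs only. Either narrow the comment, e.g. `// recursion on m.post remains: depth is one frame per brace group`, or add a regression test with a long run of expanding groups. The same applies to the identical change in dist/esm/index.js.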
38 changes: 24 additions & 14 deletions node_modules/brace-expansion/dist/esm/index.js
Expand Up @@ -91,19 +91,23 @@ function gte(i, y) {
function expand_(str, max, isTop) {
/** @type {string[]} */
const expansions = [];
const m = balanced('{', '}', str);
if (!m)
return [str];
// no need to expand pre, since it is guaranteed to be free of brace-sets
const pre = m.pre;
const post = m.post.length ? expand_(m.post, max, false) : [''];
if (/\$$/.test(m.pre)) {
for (let k = 0; k < post.length && k < max; k++) {
const expansion = pre + '{' + m.body + '}' + post[k];
expansions.push(expansion);
// The `{a},b}` rewrite below restarts expansion on a rewritten string with
// the same `max` and `isTop = true`. Loop instead of recursing so a long run
// of non-expanding `{}` groups can't exhaust the call stack.
for (;;) {
const m = balanced('{', '}', str);
if (!m)
return [str];
// no need to expand pre, since it is guaranteed to be free of brace-sets
const pre = m.pre;
if (/\$$/.test(m.pre)) {
const post = m.post.length ? expand_(m.post, max, false) : [''];
for (let k = 0; k < post.length && k < max; k++) {
const expansion = pre + '{' + m.body + '}' + post[k];
expansions.push(expansion);
}
return expansions;
}
}
else {
const isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
const isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
const isSequence = isNumericSequence || isAlphaSequence;
Expand All @@ -112,10 +116,16 @@ function expand_(str, max, isTop) {
// {a},b}
if (m.post.match(/,(?!,).*\}/)) {
str = m.pre + '{' + m.body + escClose + m.post;
return expand_(str, max, true);
isTop = true;
continue;
}
return [str];
}
// Only expand post once we know this brace set actually expands. Computing
// it before the early returns above expanded post a second time on every
// non-expanding `{}`, which is what made inputs like `a{},{},{}...` blow up
// exponentially.
const post = m.post.length ? expand_(m.post, max, false) : [''];
let n;
if (isSequence) {
n = m.body.split(/\.\./);
Expand Down Expand Up @@ -191,7 +201,7 @@ function expand_(str, max, isTop) {
}
}
}
return expansions;
}
return expansions;
}
//# sourceMappingURL=index.js.map
4 changes: 2 additions & 2 deletions node_modules/brace-expansion/package.json
@@ -1,7 +1,7 @@
{
"name": "brace-expansion",
"description": "Brace expansion as known from sh/bash",
"version": "5.0.6",
"version": "5.0.7",
"files": [
"dist"
],
Expand Down Expand Up @@ -59,6 +59,6 @@
"module": "./dist/esm/index.js",
"repository": {
"type": "git",
"url": "git+ssh://git@github.com/juliangruber/brace-expansion.git"
"url": "git+https://github.com/juliangruber/brace-expansion.git"
}
}
Expand Up @@ -37,12 +37,23 @@ function decodeLength(stream) {
// Iterate over the bytes that encode the length.
let len = 0;
for (let i = 0; i < byteCount; i++) {
len = len * 256 + stream.getUint8();
const byte = stream.getUint8();
// The first byte of a multi-byte length must not be zero; a leading zero
// means the length could have been encoded in fewer bytes (non-minimal).
if (i === 0 && byte === 0x00) {
throw new error_1.ASN1ParseError('non-minimal length encoding');
}
len = len * 256 + byte;
}
// This is a valid ASN.1 length encoding, but we don't support it.
if (len === 0) {
throw new error_1.ASN1ParseError('indefinite length encoding not supported');
}
// Lengths less than 128 must use the short form; rejecting them here ensures
// the encoding is minimal (strict DER).
if (len < 128) {
throw new error_1.ASN1ParseError('non-minimal length encoding');
}
return len;
}
// Translates the supplied value to a DER-encoded length.
Expand Up @@ -32,7 +32,14 @@ class ASN1Obj {
}
// Constructs an ASN.1 object from a Buffer of DER-encoded bytes.
static parseBuffer(buf) {
return parseStream(new stream_1.ByteStream(buf));
const stream = new stream_1.ByteStream(buf);
const obj = parseStream(stream);
// Ensure the entire buffer was consumed; trailing data after the top-level
// object indicates a malformed (or maliciously padded) encoding.
if (stream.position !== stream.length) {
throw new error_1.ASN1ParseError('invalid trailing data');
}
return obj;
}
toDER() {
const valueStream = new stream_1.ByteStream();
Expand Down Expand Up @@ -103,7 +110,14 @@ class ASN1Obj {
exports.ASN1Obj = ASN1Obj;
/////////////////////////////////////////////////////////////////////////////
// Internal stream parsing functions
function parseStream(stream) {
// Maximum nesting depth for parsed ASN.1 objects. Bounds the mutual recursion
// between parseStream and collectSubs so that deeply nested DER cannot exhaust
// the call stack (denial of service).
const MAX_DEPTH = 100;
function parseStream(stream, depth = 0) {
if (depth > MAX_DEPTH) {
throw new error_1.ASN1ParseError('maximum nesting depth exceeded');
}
// Parse tag, length, and value from stream
const tag = new tag_1.ASN1Tag(stream.getUint8());
const len = (0, length_1.decodeLength)(stream);
Expand All @@ -114,13 +128,17 @@ function parseStream(stream) {
// are embedded in OCTESTRING objects, so we need to check those
// for children as well.
if (tag.constructed) {
subs = collectSubs(stream, len);
subs = collectSubs(stream, len, depth);
}
else if (tag.isOctetString()) {
// Attempt to parse children of OCTETSTRING objects. If anything fails,
// assume the object is not constructed and treat as primitive.
// assume the object is not constructed and treat as primitive. This is
// intentional: it transparently unwraps DER content embedded in an OCTET
// STRING (e.g. X.509 extnValue, CMS eContent). The error is swallowed
// because a parse failure simply means the bytes are an opaque primitive
// value rather than a nested structure.
try {
subs = collectSubs(stream, len);
subs = collectSubs(stream, len, depth);
}
catch (e) {
// Fail silently and treat as primitive
Expand All @@ -132,7 +150,7 @@ function parseStream(stream) {
}
return new ASN1Obj(tag, value, subs);
}
function collectSubs(stream, len) {
function collectSubs(stream, len, depth) {
// Calculate end of object content
const end = stream.position + len;
// Make sure there are enough bytes left in the stream. This should never
Expand All @@ -145,7 +163,7 @@ function collectSubs(stream, len) {
// Parse all children
const subs = [];
while (stream.position < end) {
subs.push(parseStream(stream));
subs.push(parseStream(stream, depth + 1));
}
// When we're done parsing children, we should be at the end of the object
if (stream.position !== end) {
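Review bot: The `catch (e)` around the OCTET STRING attempt in parseStream also catches the new 'maximum nesting depth exceeded' error, so input that exceeds MAX_DEPTH beneath an OCTET STRING is accepted with that content kept as opaque bytes instead of being rejected. The recursion is still bounded, so the stack protection holds, but the expanded comment describes only ordinary parse failures and the caller never sees the depth error in that case. If that is intended, say so in the comment, e.g. `// also swallows the depth-limit error: over-deep content stays an opaque value`; otherwise rethrow the depth error from the catch. The catch body is cut off by the hunk boundary, so this reading relies on the existing "Fail silently" comment.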
Expand Up @@ -21,6 +21,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("./error");
const RE_TIME_SHORT_YEAR = /^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\.\d{3})?Z$/;
const RE_TIME_LONG_YEAR = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\.\d{3})?Z$/;
// Parse a BigInt from the DER-encoded buffer
Expand Down Expand Up @@ -83,30 +84,48 @@ function parseOID(buf) {
const first = Math.floor(n / 40);
const second = n % 40;
let oid = `${first}.${second}`;
// Consume remaining bytes
let val = 0;
// Consume remaining bytes. Use a BigInt accumulator so that arcs which
// exceed 32 bits are not silently truncated (a truncated arc could be made
// to collide with a trusted OID).
let val = 0n;
for (; pos < end; ++pos) {
n = buf[pos];
val = (val << 7) + (n & 0x7f);
val = (val << 7n) + BigInt(n & 0x7f);
// If the left-most bit is NOT set, then this is the last byte in the
// sequence and we can add the value to the OID and reset the accumulator
if ((n & 0x80) === 0) {
oid += `.${val}`;
val = 0;
val = 0n;
}
}
return oid;
}
// Parse a boolean from the DER-encoded buffer
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-basic-types#boolean
function parseBoolean(buf) {
return buf[0] !== 0;
// DER requires a BOOLEAN to be a single byte that is either 0x00 (false) or
// 0xff (true). Reject any other (non-canonical) encoding.
if (buf.length !== 1) {
throw new error_1.ASN1ParseError('invalid boolean');
}
switch (buf[0]) {
case 0x00:
return false;
case 0xff:
return true;
default:
throw new error_1.ASN1ParseError('invalid boolean');
}
}
// Parse a bit string from the DER-encoded buffer
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-bit-string
function parseBitString(buf) {
// First byte tell us how many unused bits are in the last byte
const unused = buf[0];
// The number of unused bits must be in the range 0-7.
if (unused > 7) {
throw new error_1.ASN1ParseError('invalid bit string');
}
const start = 1;
const end = buf.length;
const bits = [];
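Review bot: parseOID still accepts encodings that strict DER would reject: in the loop, a sub-identifier whose first byte is `0x80` (a padded, non-minimal arc) decodes to the same dotted string as the minimal form, and a final byte with the continuation bit set is dropped without an error. Since the other hunks in this file now reject non-canonical BOOLEAN and BIT STRING values, the same treatment here would keep one dotted string per byte encoding and avoid differences with stricter parsers. One way is to throw `error_1.ASN1ParseError` when an arc starts with `0x80` and when the loop ends on a byte that has `0x80` set. In parseBitString, no length check is visible before the new `unused > 7` test, so an empty buffer would pass it; the rest of that function is outside the hunk.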
@@ -1,6 +1,6 @@
{
"name": "@sigstore/core",
"version": "4.0.0",
"version": "4.0.1",
"description": "Base library for Sigstore",
"main": "dist/index.js",
"types": "dist/index.d.ts",