forked from msironi/expr-eval
-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathexpression-validator.ts
More file actions
191 lines (177 loc) · 5.23 KB
/
Copy pathexpression-validator.ts
File metadata and controls
191 lines (177 loc) · 5.23 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
/**
* Validation utilities for expression evaluation
*
* This module provides comprehensive validation functions for ensuring
* safe and correct expression evaluation including security checks
* and type validation.
*/
import { AccessError, FunctionError } from '../types/errors.js';
import type { OperatorFunction } from '../types/index.js';
/**
* Set of dangerous property names that could lead to prototype pollution
*/
const DANGEROUS_PROPERTIES = new Set(['__proto__', 'prototype', 'constructor']);
/**
* Safe Math functions that are allowed by default.
* These are immutable references to the standard Math object methods.
*/
const SAFE_MATH_FUNCTIONS: ReadonlySet<Function> = new Set([
Math.abs,
Math.acos,
Math.asin,
Math.atan,
Math.atan2,
Math.ceil,
Math.cos,
Math.exp,
Math.floor,
Math.log,
Math.max,
Math.min,
Math.pow,
Math.random,
Math.round,
Math.sin,
Math.sqrt,
Math.tan,
Math.log10,
Math.log2,
Math.log1p,
Math.expm1,
Math.cosh,
Math.sinh,
Math.tanh,
Math.acosh,
Math.asinh,
Math.atanh,
Math.hypot,
Math.trunc,
Math.sign,
Math.cbrt,
Math.clz32,
Math.imul,
Math.fround
]);
/**
* Validation utilities for expression evaluation
*/
export class ExpressionValidator {
/**
* Validates variable name to prevent prototype pollution
*/
static validateVariableName(variableName: string, expressionString: string): void {
if (DANGEROUS_PROPERTIES.has(variableName)) {
throw new AccessError(
'Prototype access detected',
{
propertyName: variableName,
expression: expressionString
}
);
}
}
/**
* Validates member access to prevent prototype pollution attacks.
* Blocks access to __proto__, prototype, and constructor properties.
*
* @param propertyName - The property name being accessed
* @param expressionString - The full expression string for error context
* @throws {AccessError} When trying to access dangerous prototype properties
*/
static validateMemberAccess(propertyName: string, expressionString: string): void {
if (DANGEROUS_PROPERTIES.has(propertyName)) {
throw new AccessError(
`Prototype access detected in member expression`,
{
propertyName,
expression: expressionString
}
);
}
}
/**
* Checks if a function is allowed to be called.
* Only functions explicitly registered in expr.functions or safe Math functions are allowed.
*
* @param fn - The function to check
* @param registeredFunctions - The registered functions from the expression's parser
* @returns true if the function is allowed, false otherwise
*/
static isAllowedFunction(fn: unknown, registeredFunctions: Record<string, OperatorFunction>): boolean {
if (typeof fn !== 'function') {
return true; // Non-functions are not subject to function call restrictions
}
// Check if it's a safe Math function
if (SAFE_MATH_FUNCTIONS.has(fn as Function)) {
return true;
}
// Check if it's registered in expr.functions
for (const key in registeredFunctions) {
if (Object.prototype.hasOwnProperty.call(registeredFunctions, key) && registeredFunctions[key] === fn) {
return true;
}
}
return false;
}
/**
* Validates that a function is allowed to be called.
* Throws an error if the function is not in the allowed list.
*
* @param fn - The function to validate
* @param registeredFunctions - The registered functions from the expression's parser
* @param expressionString - The full expression string for error context
* @throws {FunctionError} When trying to call an unregistered function
*/
static validateAllowedFunction(
fn: unknown,
registeredFunctions: Record<string, OperatorFunction>,
expressionString: string
): void {
if (typeof fn === 'function' && !this.isAllowedFunction(fn, registeredFunctions)) {
throw new FunctionError(
'Calling unregistered functions is not allowed for security reasons',
{
expression: expressionString
}
);
}
}
/**
* Validates function call parameters
*/
static validateFunctionCall(functionValue: any, functionName: string, expressionString: string): void {
if (typeof functionValue !== 'function') {
throw new FunctionError(
`${functionValue} is not a function`,
{
functionName: String(functionValue),
expression: expressionString
}
);
}
}
/**
* Validates array access with proper error context
*/
static validateArrayAccess(parent: any, index: any): void {
if (Array.isArray(parent) && !Number.isInteger(index)) {
throw new Error(`Array can only be indexed with integers. Received: ${index}`);
}
}
/**
* Validates that required parameters are present
*/
static validateRequiredParameter(value: any, parameterName: string): void {
if (value === undefined || value === null) {
throw new Error(`Required parameter '${parameterName}' is missing`);
}
}
/**
* Validates expression evaluation stack parity
*/
static validateStackParity(stackLength: number): void {
if (stackLength > 1) {
throw new Error('invalid Expression (parity)');
}
}
}