Add YAML security restriction and improve string literal handling

Copilot · hotlong · Copilot · commit 1f0c19f6794f · 2026-01-31T04:33:44.000Z
Co-authored-by: hotlong &lt;50353452+hotlong@users.noreply.github.com&gt;
diff --git a/packages/metadata/src/serializers/typescript-serializer.ts b/packages/metadata/src/serializers/typescript-serializer.ts
@@ -53,15 +53,36 @@ export class TypeScriptSerializer implements MetadataSerializer {
     }
 
     // Find the matching closing brace by counting braces
+    // Handle string literals to avoid counting braces inside strings
     let braceCount = 0;
     let braceEnd = -1;
+    let inString = false;
+    let stringChar = '';
+    
     for (let i = braceStart; i < content.length; i++) {
-      if (content[i] === '{') braceCount++;
-      if (content[i] === '}') {
-        braceCount--;
-        if (braceCount === 0) {
-          braceEnd = i;
-          break;
+      const char = content[i];
+      const prevChar = i > 0 ? content[i - 1] : '';
+      
+      // Track string literals (simple handling of " and ')
+      if ((char === '"' || char === "'") && prevChar !== '\\') {
+        if (!inString) {
+          inString = true;
+          stringChar = char;
+        } else if (char === stringChar) {
+          inString = false;
+          stringChar = '';
+        }
+      }
+      
+      // Count braces only when not inside strings
+      if (!inString) {
+        if (char === '{') braceCount++;
+        if (char === '}') {
+          braceCount--;
+          if (braceCount === 0) {
+            braceEnd = i;
+            break;
+          }
         }
       }
     }
@@ -85,7 +106,7 @@ export class TypeScriptSerializer implements MetadataSerializer {
     } catch (error) {
       throw new Error(
         `Failed to parse object literal as JSON: ${error instanceof Error ? error.message : String(error)}. ` +
-        'Make sure the TypeScript/JavaScript object uses JSON-compatible syntax.'
+        'Make sure the TypeScript/JavaScript object uses JSON-compatible syntax (no functions, comments, or trailing commas).'
       );
     }
   }
diff --git a/packages/metadata/src/serializers/yaml-serializer.ts b/packages/metadata/src/serializers/yaml-serializer.ts
@@ -22,7 +22,9 @@ export class YAMLSerializer implements MetadataSerializer {
   }
 
   deserialize<T>(content: string, schema?: z.ZodSchema): T {
-    const parsed = yaml.load(content);
+    // Use JSON_SCHEMA to prevent arbitrary code execution
+    // This restricts YAML to JSON-compatible types only
+    const parsed = yaml.load(content, { schema: yaml.JSON_SCHEMA });
 
     if (schema) {
       return schema.parse(parsed) as T;

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,9 @@ export class YAMLSerializer implements MetadataSerializer {`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`deserialize<T>(content: string, schema?: z.ZodSchema): T {`
`25`		`- const parsed = yaml.load(content);`
	`25`	`+ // Use JSON_SCHEMA to prevent arbitrary code execution`
	`26`	`+ // This restricts YAML to JSON-compatible types only`
	`27`	`+ const parsed = yaml.load(content, { schema: yaml.JSON_SCHEMA });`
`26`	`28`
`27`	`29`	`if (schema) {`
`28`	`30`	`return schema.parse(parsed) as T;`