test

darrachequesne · darrachequesne · commit 11a15d2d67d4 · 2026-03-16T10:25:02.000+01:00
diff --git a/packages/socket.io-parser/lib/index.ts b/packages/socket.io-parser/lib/index.ts
@@ -135,21 +135,40 @@ interface DecoderReservedEvents {
   decoded: (packet: Packet) => void;
 }
 
+type JSONReviver = (this: any, key: string, value: any) => any;
+
+export interface DecoderOptions {
+  /**
+   * Custom reviver to pass down to JSON.stringify()
+   */
+  reviver?: JSONReviver;
+  /**
+   * Maximum number of attachments per packet.
+   * @default 3
+   */
+  maxAttachments?: number;
+}
+
 /**
  * A socket.io Decoder instance
  *
  * @return {Object} decoder
  */
 export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> {
   private reconstructor: BinaryReconstructor;
+  private opts: Required<DecoderOptions>;
 
   /**
    * Decoder constructor
    *
-   * @param {function} reviver - custom reviver to pass down to JSON.stringify
+   * @param {function|DecoderOptions} opts - custom reviver to pass down to JSON.stringify or an options object
    */
-  constructor(private reviver?: (this: any, key: string, value: any) => any) {
+  constructor(opts?: DecoderOptions | JSONReviver) {
     super();
+    this.opts = Object.assign({
+      reviver: undefined,
+      maxAttachments: 3
+    }, typeof opts === "function" ? { reviver: opts } : opts);
   }
 
   /**
@@ -225,6 +244,9 @@ export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> {
         throw new Error("Illegal attachments");
       }
       p.attachments = Number(buf);
+      if (p.attachments > this.opts.maxAttachments) {
+        throw new Error("too many attachments");
+      }
     }
 
     // look up namespace (if any)
@@ -271,7 +293,7 @@ export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> {
 
   private tryParse(str) {
     try {
-      return JSON.parse(str, this.reviver);
+      return JSON.parse(str, this.opts.reviver);
     } catch (e) {
       return false;
     }
diff --git a/packages/socket.io-parser/test/parser.js b/packages/socket.io-parser/test/parser.js
@@ -107,6 +107,52 @@ describe("socket.io-parser", () => {
     }
   });
 
+  it("throws an error when receiving too many attachments", () => {
+    const decoder = new Decoder({ maxAttachments: 2 });
+
+    expect(() => {
+      decoder.add(
+        '53-["hello",{"_placeholder":true,"num":0},{"_placeholder":true,"num":1},{"_placeholder":true,"num":2}]',
+      );
+    }).to.throwException(/^too many attachments$/);
+  });
+
+  it("decodes with a custom reviver", (done) => {
+    const decoder = new Decoder((key, value) => {
+      if (key === "a") {
+        return value.toUpperCase();
+      } else {
+        return value;
+      }
+    });
+
+    decoder.on("decoded", (packet) => {
+      expect(packet.data).to.eql(["b", { a: "VAL" }]);
+      done();
+    });
+
+    decoder.add('2["b",{"a":"val"}]');
+  });
+
+  it("decodes with a custom reviver (options object)", (done) => {
+    const decoder = new Decoder({
+      reviver: (key, value) => {
+        if (key === "a") {
+          return value.toUpperCase();
+        } else {
+          return value;
+        }
+      },
+    });
+
+    decoder.on("decoded", (packet) => {
+      expect(packet.data).to.eql(["b", { a: "VAL" }]);
+      done();
+    });
+
+    decoder.add('2["b",{"a":"val"}]');
+  });
+
   it("throw an error upon parsing error", () => {
     const isInvalidPayload = (str) =>
       expect(() => new Decoder().add(str)).to.throwException(
