Merge pull request #158 from NearSocial/release-2.5.3

## 2.5.3

- FIX: Replace url-sanitize library with dompurify. Reported by BrunoModificato from OtterSec.
- FIX: Replace internal usage of `in` operator with `hasOwnProperty` on dictionaries to avoid exposing certain built-in methods and properties. Reported by BrunoModificato from OtterSec.
- FIX: `atob` and `btoa` are working correctly now.

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 2.5.3
+
+- FIX: Remove `cachedPropery` from `elliptic.utils`. Reported by BrunoModificato from OtterSec. 
+- FIX: Replace url-sanitize library with dompurify. Reported by BrunoModificato from OtterSec.
+- FIX: Replace internal usage of `in` operator with `hasOwnProperty` on dictionaries to avoid exposing certain built-in methods and properties. Reported by BrunoModificato from OtterSec.
+- FIX: `atob` and `btoa` are working correctly now.
+
 ## 2.5.2
 
 - Use `styled-components` in combination with `customElements` like `Link`:

package.json

@@ -1,13 +1,12 @@
 {
   "name": "near-social-vm",
-  "version": "2.5.2",
+  "version": "2.5.3",
   "description": "Near Social VM",
   "main": "dist/index.js",
   "files": [
     "dist"
   ],
   "dependencies": {
-    "@braintree/sanitize-url": "6.0.0",
     "@radix-ui/react-accordion": "^1.1.1",
     "@radix-ui/react-alert-dialog": "^1.0.3",
     "@radix-ui/react-aspect-ratio": "^1.0.2",
@@ -43,6 +42,7 @@
     "bootstrap-icons": "^1.9.0",
     "collections": "^5.1.12",
     "deep-equal": "^2.2.0",
+    "dompurify": "^3.0.6",
     "elliptic": "^6.5.4",
     "ethers": "^5.7.2",
     "idb": "^7.1.1",

src/lib/data/near.js

@@ -45,7 +45,7 @@ const SupportedApiMethods = {
 };
 
 const apiCall = async (config, methodName, args, blockId, fallback) => {
-  if (!config.apiUrl || !(methodName in SupportedApiMethods)) {
+  if (!config.apiUrl || !SupportedApiMethods.hasOwnProperty(methodName)) {
     return fallback();
   }
   args = args || {};
@@ -214,7 +214,7 @@ async function web4ViewCall(contractId, methodName, args, fallback) {
 /**
  * Current VM Features:
  * - enableComponentSrcDataKey: Allows enabling the component source `data-component` attribute for rendered DOM elements. Disabled by default.
-**/
+ **/
 async function _initNear({
   networkId,
   config,
@@ -255,7 +255,7 @@ async function _initNear({
     selector,
     keyStore,
     nearConnection,
-    features
+    features,
   };
 
   _near.nearArchivalConnection = nearAPI.Connection.fromConfig({

src/lib/data/utils.js

@@ -248,7 +248,7 @@ const matchGet = (obj, keys) => {
   const values =
     matchKey === "*" || isRecursiveMatch
       ? Object.values(obj)
-      : matchKey in obj
+      : obj.hasOwnProperty(matchKey)
       ? [obj[matchKey]]
       : [];
 
@@ -266,7 +266,7 @@ const matchKeys = (obj, keys) => {
   const values =
     matchKey === "*"
       ? Object.values(obj)
-      : matchKey in obj
+      : obj.hasOwnProperty(matchKey)
       ? [obj[matchKey]]
       : [];
 
@@ -311,7 +311,7 @@ export const computeWritePermission = (previousPermissions, data) => {
 
   if (isObject(data)) {
     Object.entries(data).forEach(([key, value]) => {
-      if (key in KnownSecondLevelKeys) {
+      if (KnownSecondLevelKeys.hasOwnProperty(key)) {
         if (isObject(value)) {
           const subPermissions = (permissions[key] = permissions[key] || {});
           Object.keys(value).forEach((key) => {

src/lib/vm/vm.js

@@ -17,7 +17,6 @@ import {
   ReactKey,
 } from "../data/utils";
 import Files from "react-files";
-import { sanitizeUrl } from "@braintree/sanitize-url";
 import { Markdown } from "../components/Markdown";
 import InfiniteScroll from "react-infinite-scroller";
 import { CommitButton } from "../components/Commit";
@@ -35,6 +34,7 @@ import { Parser } from "acorn";
 import jsx from "acorn-jsx";
 import { ethers } from "ethers";
 import { Web3ConnectButton } from "../components/ethers";
+import { isValidAttribute } from "dompurify";
 
 // Radix:
 import * as Accordion from "@radix-ui/react-accordion";
@@ -215,8 +215,8 @@ const GlobalInjected = deepFreeze(
     parseInt,
     parseFloat,
     isFinite,
-    btoa,
-    atob,
+    btoa: (s) => btoa(s),
+    atob: (s) => atob(s),
     decodeURI,
     encodeURI,
 
@@ -281,14 +281,16 @@ const AcornOptions = {
   allowReturnOutsideFunction: true,
 };
 
-const ParsedCodeCache = {};
+const ParsedCodeCache = new Map();
 const JsxParser = Parser.extend(jsx());
 
 const parseCode = (code) => {
-  if (code in ParsedCodeCache) {
-    return ParsedCodeCache[code];
+  if (ParsedCodeCache.has(code)) {
+    return ParsedCodeCache.get(code);
   }
-  return (ParsedCodeCache[code] = JsxParser.parse(code, AcornOptions));
+  const parsedCode = JsxParser.parse(code, AcornOptions);
+  ParsedCodeCache.set(code, parsedCode);
+  return parsedCode;
 };
 
 const assertNotReservedKey = (key) => {
@@ -344,7 +346,7 @@ const requireIdentifier = (id) => {
   }
   const name = id.name;
   assertNotReservedKey(name);
-  if (name in Keywords) {
+  if (Keywords.hasOwnProperty(name)) {
     throw new Error("Cannot use keyword: " + name);
   }
   return {
@@ -418,14 +420,14 @@ class Stack {
   }
 
   findObj(name) {
-    if (name in this.state) {
+    if (this.state.hasOwnProperty(name)) {
       return this.state;
     }
     return this.prevStack ? this.prevStack.findObj(name) : undefined;
   }
 
   get(name) {
-    if (name in this.state) {
+    if (this.state.hasOwnProperty(name)) {
       return this.state[name];
     }
     return this.prevStack ? this.prevStack.get(name) : undefined;
@@ -609,7 +611,9 @@ class VmStack {
     } else if (basicElement === "a") {
       Object.entries(attributes).forEach(([name, value]) => {
         if (name.toLowerCase() === "href") {
-          attributes[name] = sanitizeUrl(value);
+          attributes[name] = isValidAttribute("a", "href", value)
+            ? value
+            : "about:blank";
         }
       });
     } else if (element === "Widget") {
@@ -751,15 +755,15 @@ class VmStack {
       const obj = this.stack.findObj(key) ?? this.stack.state;
       assertNotReactObject(obj);
       if (obj === this.stack.state) {
-        if (key in Keywords) {
+        if (Keywords.hasOwnProperty(key)) {
           if (options?.left) {
             throw new Error("Cannot assign to keyword '" + key + "'");
           }
           return { obj, key, keyword: key };
         }
       }
       if (options?.left) {
-        if (!obj || !(key in obj)) {
+        if (!obj || !obj.hasOwnProperty(key)) {
           throw new Error(`Accessing undeclared identifier '${code.name}'`);
         }
       }
@@ -773,7 +777,7 @@ class VmStack {
         code.object?.type === "JSXIdentifier"
       ) {
         const keyword = code.object.name;
-        if (keyword in Keywords) {
+        if (Keywords.hasOwnProperty(keyword)) {
           if (!options?.callee) {
             throw new Error(
               "Cannot dereference keyword '" +
@@ -1025,7 +1029,7 @@ class VmStack {
         } else {
           if (key === "keyframes") {
             styledTemplate = keyframes;
-          } else if (key in ApprovedTagsSimple) {
+          } else if (ApprovedTagsSimple.hasOwnProperty(key)) {
             styledTemplate = styled(key);
           } else {
             throw new Error("Unsupported styled tag: " + key);
@@ -2254,6 +2258,7 @@ export default class VM {
       get elliptic() {
         delete this.elliptic;
         this.elliptic = cloneDeep(elliptic);
+        delete this.elliptic.utils.cachedProperty;
         return this.elliptic;
       },
     };

yarn.lock

@@ -962,11 +962,6 @@
     "@babel/helper-validator-identifier" "^7.19.1"
     to-fast-properties "^2.0.0"
 
-"@braintree/[email protected]":
-  version "6.0.0"
-  resolved "https://registry.yarnpkg.com/@braintree/sanitize-url/-/sanitize-url-6.0.0.tgz#fe364f025ba74f6de6c837a84ef44bdb1d61e68f"
-  integrity sha512-mgmE7XBYY/21erpzhexk4Cj1cyTQ9LzvnTxtzM17BJ7ERMNE6W72mQRo0I1Ud8eFJ+RVVIcBNhLFZ3GX4XFz5w==
-
 "@discoveryjs/[email protected]", "@discoveryjs/json-ext@^0.5.0":
   version "0.5.7"
   resolved "https://registry.yarnpkg.com/@discoveryjs/json-ext/-/json-ext-0.5.7.tgz#1d572bfbbe14b7704e0ba0f39b74815b84870d70"
@@ -4028,6 +4023,11 @@ domhandler@^4.0.0, domhandler@^4.2.0, domhandler@^4.3.1:
   dependencies:
     domelementtype "^2.2.0"
 
+dompurify@^3.0.6:
+  version "3.0.6"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.6.tgz#925ebd576d54a9531b5d76f0a5bef32548351dae"
+  integrity sha512-ilkD8YEnnGh1zJ240uJsW7AzE+2qpbOUYjacomn3AvJ6J4JhKGSZ2nh4wUIXPZrEPppaCLx5jFe8T89Rk8tQ7w==
+
 domutils@^2.5.2, domutils@^2.8.0:
   version "2.8.0"
   resolved "https://registry.yarnpkg.com/domutils/-/domutils-2.8.0.tgz#4437def5db6e2d1f5d6ee859bd95ca7d02048135"