From d9db4737a3c8ce5f1f49ecc8d928a74f3da591f7 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Wed, 31 May 2023 08:18:48 +0200
Subject: [PATCH] fix: ensure reserved events cannot be used as event names
---
 lib/index.ts | 16 +++++++++++++++-
 test/parser.js | 2 ++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/index.ts b/lib/index.ts
index 4319d2c..d858915 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -5,6 +5,18 @@ import debugModule from "debug"; // debug()
 const debug = debugModule("socket.io-parser"); // debug()
+/**
+ * These strings must not be used as event names, as they have a special meaning.
+ */
+const RESERVED_EVENTS = [
+ "connect", // used on the client side
+ "connect_error", // used on the client side
+ "disconnect", // used on both sides
+ "disconnecting", // used on the server side
+ "newListener", // used by the Node.js EventEmitter
+ "removeListener", // used by the Node.js EventEmitter
+];
+
 /**
 * Protocol version.
 *
@@ -277,7 +289,9 @@ export class Decoder extends Emitter<{}, {}, DecoderReservedEvents> {
 case PacketType.BINARY_EVENT:
 return (
 Array.isArray(payload) &&
- (typeof payload[0] === "string" || typeof payload[0] === "number")
+ (typeof payload[0] === "number" ||
+ (typeof payload[0] === "string" &&
+ RESERVED_EVENTS.indexOf(payload[0]) === -1))
 );
 case PacketType.ACK:
 case PacketType.BINARY_ACK:
diff --git a/test/parser.js b/test/parser.js
index c78e675..915e746 100644
--- a/test/parser.js
+++ b/test/parser.js
@@ -121,6 +121,8 @@ describe("socket.io-parser", () => {
 isInvalidPayload('2[{"toString":"foo"}]');
 isInvalidPayload('2[true,"foo"]');
 isInvalidPayload('2[null,"bar"]');
+ isInvalidPayload('2["connect"]');
+ isInvalidPayload('2["disconnect","123"]');
 expect(() => new Decoder().add("999")).to.throwException(
 /^unknown packet type 9$/
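Review bot: `RESERVED_EVENTS` has no entry for `error`, which Node's EventEmitter also treats specially (an `error` emit with no listener registered throws), so a peer-supplied event name of `error` still passes the decoder. If that case is deliberately left to the consuming emitter, which this patch does not show, the doc comment should say so, for example `* Note: "error" is not listed here; it is guarded by the emitter itself.`. The list presumably mirrors reserved names defined in the client and server packages, so the comment could also say which copy is authoritative to limit drift.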
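Review bot: The new condition in the `EVENT`/`BINARY_EVENT` branch rejects a well-formed string name without saying why, and the three-level nesting is hard to scan. A one-line comment above it would help the next reader, such as `// reserved names have a special meaning for the emitter and must never be accepted from the wire`. If the build target allows it, `!RESERVED_EVENTS.includes(payload[0])` states the intent more directly than `indexOf(...) === -1`. The enclosing method starts and ends outside this hunk.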
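Review bot: Only two of the six reserved names are asserted, and only for packet type 2, although the decoder change applies the same check to `BINARY_EVENT`. Looping over all six names keeps the test in step with the list, e.g. `for (const name of reserved) isInvalidPayload('2["' + name + '"]');` with `reserved` holding the six strings, plus one binary-event case. The enclosing test body starts outside this hunk.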