Merge commit from fork

elliott-with-the-longest-name-on-github · web-flow · commit 11755849fa06 · 2026-01-15T08:58:26.000-07:00
* fix: Validate input for `ArrayBuffer` parsing

* fix: self-referential stack overflows

* changeset

* more efficiency

* Merge commit from fork
diff --git a/.changeset/slow-banks-love.md b/.changeset/slow-banks-love.md
@@ -0,0 +1,5 @@
+---
+"devalue": patch
+---
+
+fix: validate input for `ArrayBuffer` parsing
diff --git a/.changeset/tender-cities-check.md b/.changeset/tender-cities-check.md
@@ -0,0 +1,5 @@
+---
+"devalue": patch
+---
+
+fix: more helpful errors for inputs causing stack overflows
diff --git a/src/parse.js b/src/parse.js
@@ -33,6 +33,13 @@ export function unflatten(parsed, revivers) {
 
 	const hydrated = Array(values.length);
 
+	/**
+	 * A set of values currently being hydrated with custom revivers,
+	 * used to detect invalid cyclical dependencies
+	 * @type {Set<number> | null}
+	 */
+	let hydrating = null;
+
 	/**
 	 * @param {number} index
 	 * @returns {any}
@@ -70,7 +77,18 @@ export function unflatten(parsed, revivers) {
 						// so we need to munge it into the format expected by a custom reviver
 						i = values.push(value[1]) - 1;
 					}
-					return (hydrated[index] = reviver(hydrate(i)));
+
+					hydrating ??= new Set();
+
+					if (hydrating.has(i)) {
+						throw new Error('Invalid circular reference');
+					}
+
+					hydrating.add(i);
+					hydrated[index] = reviver(hydrate(i));
+					hydrating.delete(i);
+
+					return hydrated[index];
 				}
 
 				switch (type) {
@@ -125,6 +143,12 @@ export function unflatten(parsed, revivers) {
 					case 'Float64Array':
 					case 'BigInt64Array':
 					case 'BigUint64Array': {
+						if (values[value[1]][0] !== 'ArrayBuffer') {
+							// without this, if we receive malformed input we could
+							// end up trying to hydrate in a circle
+							throw new Error('Invalid data');
+						}
+
 						const TypedArrayConstructor = globalThis[type];
 						const buffer = hydrate(value[1]);
 						if (!(buffer instanceof ArrayBuffer)) {
@@ -142,6 +166,9 @@ export function unflatten(parsed, revivers) {
 
 					case 'ArrayBuffer': {
 						const base64 = value[1];
+						if (typeof base64 !== 'string') {
+							throw new Error('Invalid ArrayBuffer encoding');
+						}
 						const arraybuffer = decode64(base64);
 						hydrated[index] = arraybuffer;
 						break;
diff --git a/test/test.js b/test/test.js
@@ -745,6 +745,11 @@ const invalid = [
 		json: '[["Int8Array", 1], { "length": 2 }, 1000000000]',
 		message: 'Invalid input, expected ArrayBuffer but got object'
 	},
+	{
+		name: 'ArrayBuffer with non-string value',
+		json: '[["ArrayBuffer", { "length": 100 }]]',
+		message: 'Invalid ArrayBuffer encoding'
+	},
 	{
 		name: 'empty string',
 		json: '',
@@ -802,13 +807,29 @@ const invalid = [
 		name: 'bad index',
 		json: '[{"0":1,"toString":"push"},"hello"]',
 		message: 'Invalid input'
+	},
+	{
+		name: 'TypedArray self-reference',
+		json: '[["Uint8Array", 0]]',
+		message: 'Invalid data'
+	},
+	{
+		name: 'custom reviver self-reference',
+		json: '[["Custom", 0]]',
+		revivers: { Custom: (v) => v },
+		message: 'Invalid circular reference'
+	},
+	{
+		name: 'mutual TypedArray reference',
+		json: '[["Uint8Array", 1], ["Uint8Array", 0]]',
+		message: 'Invalid data'
 	}
 ];
 
-for (const { name, json, message } of invalid) {
+for (const { name, json, message, revivers } of invalid) {
 	uvu.test(`parse error: ${name}`, () => {
 		assert.throws(
-			() => parse(json),
+			() => parse(json, revivers),
 			(error) => {
 				const match = error.message === message;
 				if (!match) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"devalue": patch
 +---
++
 +fix: validate input for `ArrayBuffer` parsing