Parser does not support buffer object? #14

Open
magwo opened this Issue May 31, 2012 · 2 comments


magwo commented May 31, 2012

Hello,

it seems to me that the CSON parser does not, in contrast to the JSON parser, support buffer objects as returned by for example fs.readFileSync().

CSON.parseSync(fs.readFileSync filename) # Does not parse file contents

Note that you only get a buffer object if you do not specify encoding:
http://nodejs.org/api/fs.html#fs_fs_readfilesync_filename_encoding

Owner

balupton commented Jun 10, 2013

Hrmmm... So you're saying: JSON.parse(fs.readFileSync filename) works? What is a use case where someone would want to do this over just providing the filename?

@balupton balupton closed this Feb 6, 2015

@balupton balupton reopened this Feb 6, 2015

rdeforest commented Aug 8, 2017

Interestingly, the JSON Buffer transforms are not symmetrical:

coffee> JSON.parse JSON.stringify Buffer.from "foo"
{ type: 'Buffer', data: [ 102, 111, 111 ] }

This can be addressed with the reviver option to .parse:

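# Rebuild typed values (e.g. Buffer) from their { type, data } JSON form.
reviver = (k, v) ->
  # v?.data: JSON null values reach the reviver too and must not throw
  if (d = v?.data) and (t = global[v.type]) and 'function' is typeof t.from
    t.from d
  else
    v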

coffee> reviver = (k, v) -> if (d = v.data) and (t = global[v.type]) then t.from d else v
[Function: reviver]
coffee> JSON.parse JSON.stringify(Buffer.from "foo"), reviver
<Buffer 66 6f 6f>
coffee> _.toString()
'foo'

This would need to be hardened to make sure it doesn't somehow enable arbitrary code execution via variation of the following:

hax:
  type: VulnerableObject
  data: "stuff that VulnerableObject treats as code for some reason"
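
The hardening that the last comment calls for could look like the following. This is an added example, not part of the thread or the CSON project's code, written in JavaScript for Node; `REVIVERS`, `safeReviver` and `roundTrip` are hypothetical names. Instead of resolving `v.type` against `global`, it looks the type up in a fixed allowlist and validates `data` before rebuilding anything.

```javascript
// Allowlist of revivable types (hypothetical name). The null prototype means
// inherited names such as 'constructor' or '__proto__' never resolve.
const REVIVERS = Object.assign(Object.create(null), {
  // Buffer#toJSON() emits { type: 'Buffer', data: [byte, ...] }
  Buffer: (data) => {
    const isByte = (n) => Number.isInteger(n) && n >= 0 && n <= 255;
    if (!Array.isArray(data) || !data.every(isByte)) {
      // Fail closed: a malformed Buffer shape aborts the parse.
      throw new TypeError('Buffer data must be an array of bytes');
    }
    return Buffer.from(data);
  },
});

function safeReviver(key, value) {
  // JSON null, primitives and arrays pass through untouched.
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return value;
  }
  // Require exactly the two keys the serializer emits, so ordinary objects
  // that merely carry a "type" field are not rewritten.
  const keys = Object.keys(value);
  if (keys.length !== 2 || !keys.includes('type') || !keys.includes('data')) {
    return value;
  }
  // The type string from the input only selects an entry in the fixed table;
  // it is never used to look anything up on the global object.
  const revive = typeof value.type === 'string' ? REVIVERS[value.type] : undefined;
  return typeof revive === 'function' ? revive(value.data) : value;
}

// Serialize and parse again, restoring Buffers anywhere in the structure.
function roundTrip(obj) {
  return JSON.parse(JSON.stringify(obj), safeReviver);
}
```
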