fix: Avoid RCE when deserialising TypedArrays [closes #16][part of #12] #17

Merged
merged 6 commits into from May 17, 2021

AndreyBelym
Collaborator

@AndreyBelym AndreyBelym commented May 14, 2021

[closes #16][part of #12]

Added a check for the array constructor at the deserialization step.

Tools and modern language features, as well as additional security measures, will come in future PRs (check my plans in #12, #13, #14, #15).

@AndreyBelym AndreyBelym changed the title fix: Avoid RCE when deserialising TypedArrays [closes #16][part of #12] fix: Avoid RCE when deserialising TypedArrays May 14, 2021
@AndreyBelym AndreyBelym changed the title fix: Avoid RCE when deserialising TypedArrays fix: Avoid RCE when deserialising TypedArrays [closes #16][part of #12] May 14, 2021
@AndreyBelym
Collaborator Author

@miherlosev, please take a look at it. Currently, I cannot assign you, since you're not a collaborator, and I do not have enough rights to add you to the repo.

I will try to contact @inikulin about elevating my permissions.

@AndreyBelym AndreyBelym merged commit 2c62624 into master May 17, 2021
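
A constructor check at the deserialization step, of the kind this pull request describes, can be sketched as follows. This is an added example, not the project's own code: the `{ ctorName, arr }` record shape and the names `deserializeTypedArray` and `tryDeserialize` are assumptions made for illustration.

```javascript
'use strict';

// Allowlist of constructors a serialized typed array may name.
// Built from the constructors themselves, so no global lookup by string occurs.
const TYPED_ARRAY_CTORS = new Map([
    Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array,
    Int32Array, Uint32Array, Float32Array, Float64Array
].map(ctor => [ctor.name, ctor]));

// Hypothetical record shape (an assumption, not taken from the PR):
//   { ctorName: "Uint8Array", arr: [1, 2, 255] }
function deserializeTypedArray(val) {
    if (val === null || typeof val !== 'object')
        throw new TypeError('typed array record must be an object');

    const { ctorName, arr } = val;

    // A Map has no inherited keys, so names such as "constructor" or
    // "__proto__" resolve to undefined instead of something callable.
    const Ctor = typeof ctorName === 'string'
        ? TYPED_ARRAY_CTORS.get(ctorName)
        : undefined;

    if (!Ctor)
        throw new TypeError(`refusing to construct type: ${String(ctorName)}`);

    // The payload must be a plain array of numbers, nothing else.
    if (!Array.isArray(arr) || !arr.every(n => typeof n === 'number'))
        throw new TypeError('typed array payload must be an array of numbers');

    return new Ctor(arr);
}

// Parses untrusted JSON and reports success or the rejection reason.
function tryDeserialize(json) {
    try {
        return { ok: true, value: deserializeTypedArray(JSON.parse(json)) };
    } catch (err) {
        return { ok: false, error: err.message };
    }
}

// Constructed sample records (not from the PR).
console.log(tryDeserialize('{"ctorName":"Uint8Array","arr":[1,2,255]}'));
console.log(tryDeserialize('{"ctorName":"Function","arr":[]}'));
```

The first record yields a `Uint8Array`; the second is rejected because its constructor name is not on the allowlist.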
Successfully merging this pull request may close these issues.

Refactor the TypedArray deserializer to avoid RCE