fix(bson): throw on invalid string data

for invalid buffer is received is it necessary to check buffer size to not endlessly loop to find the end of a string.
deepkit · Jan 9, 2025 · 423df6c · 423df6c
1 parent fb1263d
commit 423df6c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/packages/bson/src/bson-parser.ts b/packages/bson/src/bson-parser.ts
@@ -279,14 +279,17 @@ export class BaseParser {
      */
     stringSize(): number {
         let end = this.offset;
-        while (this.buffer[end] !== 0) end++;
+        while (this.buffer[end] !== 0 && end < this.size) end++;
         end++; //null
         return end - this.offset;
     }
 
     eatObjectPropertyName() {
         let end = this.offset;
-        while (this.buffer[end] !== 0) end++;
+        while (this.buffer[end] !== 0) {
+            if (end >= this.size) throw new SerializationError('Unexpected end of buffer');
+            end++;
+        }
         const s = decodeUTF8(this.buffer, this.offset, end);
         this.offset = end + 1;
         return s;

diff --git a/packages/bson/tests/bson-parser.spec.ts b/packages/bson/tests/bson-parser.spec.ts
@@ -4,6 +4,8 @@ import { deserializeBSON, getBSONDeserializer } from '../src/bson-deserializer.j
 import { BinaryBigInt, copyAndSetParent, MongoId, nodeBufferToArrayBuffer, PrimaryKey, Reference, ReflectionKind, SignedBinaryBigInt, TypeObjectLiteral, typeOf, uuid, UUID } from '@deepkit/type';
 import { getClassName } from '@deepkit/core';
 import { serializeBSONWithoutOptimiser } from '../src/bson-serializer.js';
+import { BSONType } from '../src/utils';
+import { deserializeBSONWithoutOptimiser } from '../src/bson-parser';
 
 const { deserialize, serialize } = bson;
 
@@ -754,3 +756,20 @@ test('additional are ignored', () => {
     const back = fn(bson);
     expect(back).toEqual({ismaster: true});
 });
+
+test('invalid buffer, string parse', () => {
+    const buffer = Buffer.from([
+        28, 0, 0, 0, //size
+        BSONType.BINARY, //just some type
+        112, 111, 115, 105, 116, 105, 111, 110, // 0, /'/position\n' without ending
+        // to simulate a buffer that is not correctly serialized
+    ]);
+
+    expect(() => deserializeBSONWithoutOptimiser(buffer)).toThrow('Unexpected end of buffer');
+
+    const deserialize = getBSONDeserializer<{ position: Uint8Array }>();
+    expect(() => deserialize(buffer)).toThrow('Cannot convert undefined value to Uint8Array');
+
+    const deserialize2 = getBSONDeserializer<{ [name: string]: Uint8Array }>();
+    expect(() => deserialize2(buffer)).toThrow('Serialization failed. Unexpected end of buffer');
+});