Released v3.13.3

chenermeng · May 27, 2017 · 4e1142a · 4e1142a
1 parent bc3febc
commit 4e1142a
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 33 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,9 +1,10 @@
 # History
 
-## not yet released, version 3.13.3
+## 2017-05-27, version 3.13.3
 
 - Fixed a bug in function `intersection` of line and plane.
   Thanks @viclai.
+- Fixed security vulnerabilities.
 
 
 ## 2017-05-26, version 3.13.2

diff --git a/dist/math.js b/dist/math.js
@@ -6,8 +6,8 @@
  * It features real and complex numbers, units, matrices, a large set of
  * mathematical functions, and a flexible expression parser.
  *
- * @version 3.13.2
- * @date    2017-05-26
+ * @version 3.13.3
+ * @date    2017-05-27
  *
  * @license
  * Copyright (C) 2013-2017 Jos de Jong <wjosdejong@gmail.com>
@@ -3961,18 +3961,20 @@ function isSafeMethod (object, method) {
     return isPlainObject(object);
   }
   else {
-    // only allow methods defined on the prototype of this object
-    // and not defined on the prototype of native Object
-    // i.e. constructor, __defineGetter__, hasOwnProperty, etc. are not allowed
-    // A few safe native methods are allowed: toString, valueOf, toLocaleString
-    return (object &&
-        hasOwnProperty(object.constructor.prototype, method) &&
+    // only allow methods:
+    // - defined on the prototype of this object
+    // - not defined on the prototype of native Object
+    //   i.e. constructor, __defineGetter__, hasOwnProperty, etc. are not allowed
+    // - calling methods on a function (like bind) is not allowed
+    // - A few safe native methods are allowed: toString, valueOf, toLocaleString
+    return (object && typeof object !== 'function' &&
+        (hasOwnProperty(object.constructor.prototype, method) ||
+            hasOwnProperty(object.__proto__, method)) &&
         (!hasOwnProperty(Object.prototype, method) || hasOwnProperty(safeNativeMethods, method)));
   }
 }
 
 function isPlainObject (object) {
-  // TODO: improve this function
   return typeof object === 'object' && object && object.constructor === Object;
 }
 
@@ -3987,6 +3989,7 @@ exports.setSafeProperty = setSafeProperty;
 exports.isSafeProperty = isSafeProperty;
 exports.validateSafeMethod = validateSafeMethod;
 exports.isSafeMethod = isSafeMethod;
+exports.isPlainObject = isPlainObject;
 
 
 /***/ }),
@@ -26512,14 +26515,14 @@ function factory (type, config, load, typed, math) {
   function _importTransform (name, value) {
     if (value && typeof value.transform === 'function') {
       math.expression.transform[name] = value.transform;
-      if (!unsafe.hasOwnProperty(name)) {
+      if (allowedInExpressions(name)) {
         math.expression.mathWithTransform[name] = value.transform
       }
     }
     else {
       // remove existing transform
       delete math.expression.transform[name]
-      if (!unsafe.hasOwnProperty(name)) {
+      if (allowedInExpressions(name)) {
         math.expression.mathWithTransform[name] = value
       }
     }
@@ -26594,7 +26597,7 @@ function factory (type, config, load, typed, math) {
         lazy(namespace, name, resolver);
 
         if (!existingTransform) {
-          if (!unsafe.hasOwnProperty(name)) {
+          if (factory.path === 'expression.transform' || factoryAllowedInExpressions(factory)) {
             lazy(math.expression.mathWithTransform, name, resolver);
           }
         }
@@ -26603,7 +26606,7 @@ function factory (type, config, load, typed, math) {
         namespace[name] = resolver();
 
         if (!existingTransform) {
-          if (!unsafe.hasOwnProperty(name)) {
+          if (factory.path === 'expression.transform' || factoryAllowedInExpressions(factory)) {
             math.expression.mathWithTransform[name] = resolver();
           }
         }
@@ -26647,10 +26650,19 @@ function factory (type, config, load, typed, math) {
     return typeof fn === 'function' && typeof fn.signatures === 'object';
   }
 
+  function allowedInExpressions (name) {
+    return !unsafe.hasOwnProperty(name);
+  }
+
+  function factoryAllowedInExpressions (factory) {
+    return factory.path === undefined && !unsafe.hasOwnProperty(factory.name);
+  }
+
   // namespaces and functions not available in the parser for safety reasons
   var unsafe = {
     'expression': true,
     'type': true,
+    'docs': true,
     'error': true,
     'json': true,
     'chain': true // chain method not supported. Note that there is a unit chain too.
@@ -39867,7 +39879,7 @@ function factory (type, config, load, typed) {
   }
 
   function _intersectLinePlane(x1, y1, z1, x2, y2, z2, x, y, z, c){
-    var t = (c - x1*x - y1*y - z1*z)/(x2*x + y2*y + z2*z - x1 - y1 - z1);
+    var t = (c - x1*x - y1*y - z1*z)/(x2*x + y2*y + z2*z - x1*x - y1*y - z1*z);
     var px = x1 + t * (x2 - x1);
     var py = y1 + t * (y2 - y1);
     var pz = z1 + t * (z2 - z1);
@@ -49657,7 +49669,7 @@ module.exports = function scatter(a, j, w, x, u, mark, c, f, inverse, update, va
 /* 511 */
 /***/ (function(module, exports) {
 
-module.exports = '3.13.2';
+module.exports = '3.13.3';
 // Note: This file is automatically generated when building math.js.
 // Changes made in this file will be overwritten.
 

diff --git a/dist/math.map b/dist/math.map
diff --git a/dist/math.min.js b/dist/math.min.js
diff --git a/lib/version.js b/lib/version.js
@@ -1,3 +1,3 @@
-module.exports = '3.13.2';
+module.exports = '3.13.3';
 // Note: This file is automatically generated when building math.js.
 // Changes made in this file will be overwritten.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "mathjs",
-  "version": "3.13.2",
+  "version": "3.13.3",
   "description": "Math.js is an extensive math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with different data types like numbers, big numbers, complex numbers, fractions, units, and matrices.",
   "author": "Jos de Jong <wjosdejong@gmail.com> (https://github.com/josdejong)",
   "contributors": [

diff --git a/test/expression/security.test.js b/test/expression/security.test.js
@@ -282,6 +282,12 @@ describe('security', function () {
     }, /is not a function/);
   })
 
+  it ('should not allow using method Chain', function () {
+    assert.throws(function () {
+      math.eval("x=parse(\"a\",{nodes:{a:Chain}});Chain.bind(x,{})();evilMath=x.create().done();evilMath.import({\"_compile\":f(a,b,c)=\"eval\",\"isNode\":f()=true}); parse(\"(1)\").map(g(a,b,c)=evilMath.chain()).compile().eval()(\"console.log(\'hacked...\')\")");
+    }, /Undefined symbol Chain/);
+  })
+
   it ('should allow calling functions on math', function () {
     assert.equal(math.eval('sqrt(4)'), 2);
   })