Fix possible code execution in (already unsafe) load() by rlidwka · Pull Request #480 · nodeca/js-yaml
An object with an executable toString() property, when used as a map key, will execute that function.
This happens only for load(), which should not be used with untrusted data anyway. safeLoad() is not affected because it can't parse functions.
Example:
$ cat test.yaml
{ toString: !tag:yaml.org,2002:js/function 'function (){return Date.now()}' } : 1
$ ./bin/js-yaml.js ./test.yaml
{ "1553107949161": 1 }
After this PR it would return [object Object] as if toString wasn't there.
Dates are not affected, and if you for whatever reason are using custom types as keys (which is not supported very well), you can change the internal class with Symbol.toStringTag, bypassing the added validation check.
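The key-coercion behaviour described in this PR, as an added example that is not part of the pull request or js-yaml's own code: it sketches a class-based key check and shows the plain-object, Date and Symbol.toStringTag cases. The function names (`storePairUnsafe`, `normalizeKey`, `storePair`) and the sample keys are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not js-yaml's API.
const classOf = (v) => Object.prototype.toString.call(v);

// Unhardened: an object used as a property key is coerced to a string,
// which calls the object's own toString() if it defines one.
function storePairUnsafe(map, key, value) {
  map[key] = value;
  return map;
}

// Hardened: a plain object is replaced by the fixed string before any
// coercion happens, so a toString() supplied on the key never runs.
function normalizeKey(key) {
  if (key !== null && typeof key === 'object' &&
      classOf(key) === '[object Object]') {
    return '[object Object]';
  }
  return key; // strings, numbers, Dates, and custom classes pass through
}

function storePair(map, key, value) {
  map[normalizeKey(key)] = value;
  return map;
}

function demo() {
  let calls = 0; // counts how often a key-supplied toString() ran
  // Constructed sample keys.
  const withToString = { toString() { calls += 1; return 'from-toString'; } };
  const tagged = {
    [Symbol.toStringTag]: 'Custom', // internal class becomes [object Custom]
    toString() { calls += 1; return 'custom-key'; },
  };

  const unsafeKey = Object.keys(storePairUnsafe({}, withToString, 1))[0];
  const callsAfterUnsafe = calls;
  const safeKey = Object.keys(storePair({}, withToString, 1))[0];
  const callsAfterSafe = calls;
  const taggedKey = Object.keys(storePair({}, tagged, 1))[0];
  const dateKey = Object.keys(storePair({}, new Date(0), 1))[0];
  return { unsafeKey, callsAfterUnsafe, safeKey, callsAfterSafe,
           taggedKey, dateKey, totalCalls: calls };
}

console.log(demo());
```

A check of this kind is a hardening of an already unsafe path, not a boundary: for untrusted input the safeLoad() path, which cannot construct functions at all, is the control that matters.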