UNPKG

better-auth

Version:

The most comprehensive authentication framework for TypeScript.

better-auth.com

better-auth/better-auth

73 lines (72 loc) 3.28 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
//#region src/client/parser.ts const PROTO_POLLUTION_PATTERNS = { proto: /"(?:_|\\u0{2}5[Ff]){2}(?:p|\\u0{2}70)(?:r|\\u0{2}72)(?:o|\\u0{2}6[Ff])(?:t|\\u0{2}74)(?:o|\\u0{2}6[Ff])(?:_|\\u0{2}5[Ff]){2}"\s*:/, constructor: /"(?:c|\\u0063)(?:o|\\u006[Ff])(?:n|\\u006[Ee])(?:s|\\u0073)(?:t|\\u0074)(?:r|\\u0072)(?:u|\\u0075)(?:c|\\u0063)(?:t|\\u0074)(?:o|\\u006[Ff])(?:r|\\u0072)"\s*:/, protoShort: /"__proto__"\s*:/, constructorShort: /"constructor"\s*:/ }; const JSON_SIGNATURE = /^\s*["[{]|^\s*-?\d{1,16}(\.\d{1,17})?([Ee][+-]?\d+)?\s*$/; const SPECIAL_VALUES = { true: true, false: false, null: null, undefined: void 0, nan: NaN, infinity: Number.POSITIVE_INFINITY, "-infinity": Number.NEGATIVE_INFINITY }; const ISO_DATE_REGEX = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,7}))?(?:Z|([+-])(\d{2}):(\d{2}))$/; function isValidDate(date) { return date instanceof Date && !isNaN(date.getTime()); } function parseISODate(value) { const match = ISO_DATE_REGEX.exec(value); if (!match) return null; const [, year, month, day, hour, minute, second, ms, offsetSign, offsetHour, offsetMinute] = match; let date = new Date(Date.UTC(parseInt(year, 10), parseInt(month, 10) - 1, parseInt(day, 10), parseInt(hour, 10), parseInt(minute, 10), parseInt(second, 10), ms ? parseInt(ms.padEnd(3, "0"), 10) : 0)); if (offsetSign) { const offset = (parseInt(offsetHour, 10) * 60 + parseInt(offsetMinute, 10)) * (offsetSign === "+" ? -1 : 1); date.setUTCMinutes(date.getUTCMinutes() + offset); } return isValidDate(date) ? date : null; } function betterJSONParse(value, options = {}) { const { strict = false, warnings = false, reviver, parseDates = true } = options; if (typeof value !== "string") return value; const trimmed = value.trim(); if (trimmed.length > 0 && trimmed[0] === "\"" && trimmed.endsWith("\"") && !trimmed.slice(1, -1).includes("\"")) return trimmed.slice(1, -1); const lowerValue = trimmed.toLowerCase(); if (lowerValue.length <= 9 && lowerValue in SPECIAL_VALUES) return SPECIAL_VALUES[lowerValue]; if (!JSON_SIGNATURE.test(trimmed)) { if (strict) throw new SyntaxError("[better-json] Invalid JSON"); return value; } if (Object.entries(PROTO_POLLUTION_PATTERNS).some(([key, pattern]) => { const matches = pattern.test(trimmed); if (matches && warnings) console.warn(`[better-json] Detected potential prototype pollution attempt using ${key} pattern`); return matches; }) && strict) throw new Error("[better-json] Potential prototype pollution attempt detected"); try { const secureReviver = (key, value$1) => { if (key === "__proto__" || key === "constructor" && value$1 && typeof value$1 === "object" && "prototype" in value$1) { if (warnings) console.warn(`[better-json] Dropping "${key}" key to prevent prototype pollution`); return; } if (parseDates && typeof value$1 === "string") { const date = parseISODate(value$1); if (date) return date; } return reviver ? reviver(key, value$1) : value$1; }; return JSON.parse(trimmed, secureReviver); } catch (error) { if (strict) throw error; return value; } } function parseJSON(value, options = { strict: true }) { return betterJSONParse(value, options); } //#endregion export { parseJSON }; //# sourceMappingURL=parser.mjs.map