Unverified Commit c091d698 authored by Simon Esposito's avatar Simon Esposito Committed by GitHub
Browse files

Add safeguard around js caching api (#1146) 

Prevent js vm context leaks via the localcache by restricting its inputs to primitive data types only.
parent 96090860

CHANGELOG.md

+2 −0
Original line number Diff line number Diff line
@@ -4,6 +4,8 @@ All notable changes to this project are documented below. 
The format is based on [keep a changelog](http://keepachangelog.com) and this project uses [semantic versioning](http://semver.org).



## [Unreleased]

### Changed

- JS localcachePut now only accepts primitive types, other values will throw an error.



## [3.19.0] 2023-11-11

### Added

server/runtime_javascript_nakama.go

+9 −1
Original line number Diff line number Diff line
@@ -8004,7 +8004,15 @@ func (n *runtimeJavascriptNakamaModule) localcachePut(r *goja.Runtime) func(goja 
			panic(r.NewTypeError("ttl must be 0 or more"))

		}



		n.localCache.Put(key, value.Export(), ttl)

		v := value.Export()



		switch v.(type) {

		case string, int64, float64, bool:

		default:

			panic(r.NewTypeError("unsupported value type: must be string, numeric or boolean"))

		}



		n.localCache.Put(key, v, ttl)



		return goja.Undefined()

	}