Bug: artifactResultsToAlerts crashes on packages without alerts
Location
sfw-free binary v1.8.0, in the bundled JS at the function registered as
artifactResultsToAlerts (minified name: n_).
The function (decompiled)
    function artifactResultsToAlerts(results) {
      return results
        .flatMap(pkg => pkg.alerts.map(alert => ({
          ...alert,
          inputPurl: pkg.inputPurl ?? "",
          packageName: pkg.name,
          packageType: pkg.type,
          packageVersion: pkg.version,
        })))
        .filter(a => a.action === "error" || a.action === "warn");
    }
The bug
The schema (Cc) defines alerts as optional:
    alerts: s.array(W1).optional()
So when the Socket API returns a package result where alerts is undefined
(which happens for private/scoped packages like @private/* that aren't in their
database), the code does:
    pkg.alerts.map(...)
    //  ^^^^^^ undefined
This throws:
    TypeError: Cannot read properties of undefined (reading 'map')
Call chain
- npm CONNECT request intercepted by sfw-free proxy
- fetchBlockStatus → getPurlAlertInfo → Zg (fetchAlerts) → t_ (fetchFreeAlerts)
- t_ calls o_ or i_, which are API wrappers created by dr(url, method, params, schema, parser, transform)
- n_ (artifactResultsToAlerts) is passed as the transform (6th arg) to dr
- Inside dr, after successful schema validation: return [o ? o(P) : P, null]
- So n_(validatedResults) is called — crashes if any result has alerts: undefined
Impact
The TypeError propagates up, killing the proxy CONNECT handler. npm sees
ECONNRESET on the tarball download socket.
Fix
    function artifactResultsToAlerts(results) {
      return results
        .flatMap(pkg => (pkg.alerts ?? []).map(alert => ({
          ...alert,
          inputPurl: pkg.inputPurl ?? "",
          packageName: pkg.name,
          packageType: pkg.type,
          packageVersion: pkg.version,
        })))
        .filter(a => a.action === "error" || a.action === "warn");
    }
One-character-class fix: pkg.alerts?.map(...) with .flatMap would also work
since flatMap skips undefined returns, but (pkg.alerts ?? []).map(...) is more
explicit.
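To reproduce the crash and check the fix offline, here is an added example (not code from the sfw-free bundle) that runs the v1.8.0 transform, the proposed fix and the optional-chaining variant over constructed Socket-style artifact results, one of which has no alerts field; the package names, PURLs and alert types in the sample are made up.

```javascript
// Added example (not the sfw-free bundle's code): the v1.8.0 transform, the
// proposed fix and the optional-chaining variant, run over constructed
// Socket-style artifact results in which one package carries no `alerts`.

// Constructed sample input: two public packages with alerts, and one private
// scoped package for which the API omits `alerts` entirely.
const SAMPLE_RESULTS = [
  { inputPurl: "pkg:npm/left-pad@1.3.0", name: "left-pad", type: "npm", version: "1.3.0",
    alerts: [{ type: "deprecated", action: "warn" }, { type: "licenseSpdxDisj", action: "ignore" }] },
  { name: "@private/widget", type: "npm", version: "2.0.1" },            // no `alerts` key
  { inputPurl: "pkg:npm/evil-pkg@0.0.1", name: "evil-pkg", type: "npm", version: "0.0.1",
    alerts: [{ type: "malware", action: "error" }] },
];

// Attach the package identity to one alert (same fields as the decompiled code).
const withPackage = pkg => alert => ({
  ...alert,
  inputPurl: pkg.inputPurl ?? "",
  packageName: pkg.name,
  packageType: pkg.type,
  packageVersion: pkg.version,
});

const isActionable = a => a.action === "error" || a.action === "warn";

// As shipped in v1.8.0: pkg.alerts.map throws when alerts is undefined.
function artifactResultsToAlertsBuggy(results) {
  return results.flatMap(pkg => pkg.alerts.map(withPackage(pkg))).filter(isActionable);
}

// Proposed fix: a missing alerts array contributes nothing.
function artifactResultsToAlertsFixed(results) {
  return results.flatMap(pkg => (pkg.alerts ?? []).map(withPackage(pkg))).filter(isActionable);
}

// Optional-chaining variant: flatMap only flattens arrays, so the undefined
// returned for the private package stays in the result and reaches filter().
function artifactResultsToAlertsOptional(results) {
  return results.flatMap(pkg => pkg.alerts?.map(withPackage(pkg))).filter(isActionable);
}

// Run a transform the way dr() would and report its result or the error it
// threw, instead of letting the TypeError escape to the CONNECT handler.
function tryTransform(fn, results = SAMPLE_RESULTS) {
  try {
    return { ok: true, alerts: fn(results) };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}
```

Running it shows the fixed version returning the two actionable alerts while the buggy version throws on 'map'; the `pkg.alerts?.map(...)` variant also throws, on 'action', because flatMap keeps a bare `undefined` return value rather than dropping it.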