@uppy/companion: do not use unsafe call to JSON.stringify (#5422)

transloadit · Aug 29, 2024 · ededd0b · ededd0b
1 parent 43becf8
commit ededd0b
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/packages/@uppy/companion/package.json b/packages/@uppy/companion/package.json
@@ -45,6 +45,7 @@
     "express-interceptor": "1.2.0",
     "express-prom-bundle": "7.0.0",
     "express-session": "1.18.0",
+    "fast-safe-stringify": "^2.1.1",
     "got": "^13.0.0",
     "grant": "5.4.22",
     "helmet": "^7.1.0",

diff --git a/packages/@uppy/companion/src/server/emitter/redis-emitter.js b/packages/@uppy/companion/src/server/emitter/redis-emitter.js
@@ -1,7 +1,13 @@
 const { EventEmitter } = require('node:events')
+const { default: safeStringify } = require('fast-safe-stringify')
 
 const logger = require('../logger')
 
+function replacer(key, value) {
+  // Remove the circular structure and internal ones
+  return key[0] === '_' || value === '[Circular]' ? undefined : value
+}
+
 /**
  * This module simulates the builtin events.EventEmitter but with the use of redis.
  * This is useful for when companion is running on multiple instances and events need
@@ -141,7 +147,10 @@ module.exports = (redisClient, redisPubSubScope) => {
    * @param {string} eventName name of the event
    */
   function emit (eventName, ...args) {
-    runWhenConnected(() => publisher.publish(getPrefixedEventName(eventName), JSON.stringify(args)))
+    runWhenConnected(
+      () => publisher.publish(getPrefixedEventName(eventName),
+      safeStringify(args, replacer)),
+    )
   }
 
   /**

diff --git a/yarn.lock b/yarn.lock
@@ -8627,6 +8627,7 @@ __metadata:
     express-interceptor: "npm:1.2.0"
     express-prom-bundle: "npm:7.0.0"
     express-session: "npm:1.18.0"
+    fast-safe-stringify: "npm:^2.1.1"
     got: "npm:^13.0.0"
     grant: "npm:5.4.22"
     helmet: "npm:^7.1.0"