Add safety checks for numbers and BigInts in stringify

Author: antonmedv

.github/workflows/test.yaml

@@ -53,7 +53,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [6, 12, 18, 20, 24]
+        node-version: [12, 18, 20, 24]
     steps:
       - uses: actions/checkout@v5
         with:

build/index.cjs

@@ -243,7 +243,14 @@ function parse(source) {
   function toSafeNumber(str) {
     if (str == "-0") return -0;
     let num = Number(str);
-    return num >= Number.MIN_SAFE_INTEGER && num <= Number.MAX_SAFE_INTEGER ? num : BigInt(str);
+    if (num >= Number.MIN_SAFE_INTEGER && num <= Number.MAX_SAFE_INTEGER)
+      return num;
+    let big = BigInt(str), I64_MIN = -(2n ** 63n), I64_MAX = 2n ** 63n - 1n;
+    if (big < I64_MIN || big > I64_MAX)
+      throw new SyntaxError(
+        `Integer ${str} is outside the 64-bit signed integer range on line ${lineNumber}.`
+      );
+    return big;
   }
   function expectValue(value2) {
     if (value2 === void 0)

build/index.js

@@ -360,9 +360,18 @@ export function parse(source: string): any {
   function toSafeNumber(str: string) {
     if (str == '-0') return -0
     const num = Number(str)
-    return num >= Number.MIN_SAFE_INTEGER && num <= Number.MAX_SAFE_INTEGER
-      ? num
-      : BigInt(str)
+    if (num >= Number.MIN_SAFE_INTEGER && num <= Number.MAX_SAFE_INTEGER) {
+      return num
+    }
+    const big = BigInt(str)
+    const I64_MIN = -(2n ** 63n)
+    const I64_MAX = 2n ** 63n - 1n
+    if (big < I64_MIN || big > I64_MAX) {
+      throw new SyntaxError(
+        `Integer ${str} is outside the 64-bit signed integer range on line ${lineNumber}.`,
+      )
+    }
+    return big
   }
 
   function expectValue(value: unknown) {

build/maml.min.js

@@ -21,6 +21,37 @@ describe('error', () => {
     expect(() => parse(42)).toThrow('Source must be a string')
   })
 
+  describe('integer out of 64-bit range', () => {
+    const I64_MAX = 2n ** 63n - 1n
+    const I64_MIN = -(2n ** 63n)
+
+    test('exceeds 64-bit max', () => {
+      expect(() => parse(`${I64_MAX + 1n}`)).toThrow(
+        'outside the 64-bit signed integer range',
+      )
+    })
+
+    test('below 64-bit min', () => {
+      expect(() => parse(`${I64_MIN - 1n}`)).toThrow(
+        'outside the 64-bit signed integer range',
+      )
+    })
+
+    test('way beyond 64-bit range', () => {
+      expect(() => parse(`${2n ** 128n}`)).toThrow(
+        'outside the 64-bit signed integer range',
+      )
+    })
+
+    test('64-bit max is accepted', () => {
+      expect(parse(`${I64_MAX}`)).toBe(I64_MAX)
+    })
+
+    test('64-bit min is accepted', () => {
+      expect(parse(`${I64_MIN}`)).toBe(I64_MIN)
+    })
+  })
+
   test('unescaped \u0000 inside string', () => {
     expect(() => parse('"\u0000"')).toThrow('Unexpected character "\\u0000" on line 1.')
   })

src/parse.ts

@@ -105,19 +105,21 @@ describe('stringify', () => {
     })
 
     test('MAX_SAFE_INTEGER is fine', () => {
-      expect(stringify(Number.MAX_SAFE_INTEGER)).toBe('9007199254740991')
+      expect(stringify(Number.MAX_SAFE_INTEGER)).toBe(`${Number.MAX_SAFE_INTEGER}`)
     })
 
     test('MIN_SAFE_INTEGER is fine', () => {
-      expect(stringify(Number.MIN_SAFE_INTEGER)).toBe('-9007199254740991')
+      expect(stringify(Number.MIN_SAFE_INTEGER)).toBe(`${Number.MIN_SAFE_INTEGER}`)
     })
 
     test('bigint at 64-bit max boundary is fine', () => {
-      expect(stringify(2n ** 63n - 1n)).toBe('9223372036854775807')
+      const I64_MAX = 2n ** 63n - 1n
+      expect(stringify(I64_MAX)).toBe(`${I64_MAX}`)
     })
 
     test('bigint at 64-bit min boundary is fine', () => {
-      expect(stringify(-(2n ** 63n))).toBe('-9223372036854775808')
+      const I64_MIN = -(2n ** 63n)
+      expect(stringify(I64_MIN)).toBe(`${I64_MIN}`)
     })
 
     test('floats are not affected by integer checks', () => {