From 8218b9b3b069fc9f7da0333199b862f7edafe526 Mon Sep 17 00:00:00 2001
From: Simon Esposito <simon@heroiclabs.com>
Date: Wed, 22 Nov 2023 18:28:50 +0000
Subject: [PATCH 1/2] Add safeguard around js caching api

Prevent js objects and other types to leak vm context through the
localcache by disallowing such types to be cached and restricting
to primitive data types only on put.
---
 server/runtime_javascript_nakama.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/server/runtime_javascript_nakama.go b/server/runtime_javascript_nakama.go
index f1ff128531..ce187a574a 100644
--- a/server/runtime_javascript_nakama.go
+++ b/server/runtime_javascript_nakama.go
@@ -8004,7 +8004,15 @@ func (n *runtimeJavascriptNakamaModule) localcachePut(r *goja.Runtime) func(goja
 			panic(r.NewTypeError("ttl must be 0 or more"))
 		}
 
-		n.localCache.Put(key, value.Export(), ttl)
+		v := value.Export()
+
+		switch v.(type) {
+		case string, int64, float64, bool:
+		default:
+			panic(r.NewTypeError("unsupported value type: must be string, numeric or boolean"))
+		}
+
+		n.localCache.Put(key, v, ttl)
 
 		return goja.Undefined()
 	}

From b32a1b2ee59b546b9bf37e3a7ff9dc6a0519488b Mon Sep 17 00:00:00 2001
From: Simon Esposito <simon@heroiclabs.com>
Date: Wed, 29 Nov 2023 18:28:08 +0000
Subject: [PATCH 2/2] Update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1437155c66..a3822de3b7 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project are documented below.
 The format is based on [keep a changelog](http://keepachangelog.com) and this project uses [semantic versioning](http://semver.org).
 
 ## [Unreleased]
+### Changed
+- JS localcachePut now only accepts primitive types, other values will throw an error.
 
 ## [3.19.0] 2023-11-11
 ### Added