Fix prototype pollution in set/unSet/pushVal/pullVal by rejecting `__proto__` path segments
Irrelon committed Aug 18, 2020
1 parent bfbaddf commit 8a126b1
Showing 3 changed files with 40 additions and 9 deletions.
20 changes: 16 additions & 4 deletions dist/Path.js
Expand Up @@ -451,6 +451,8 @@ var set = function set(obj, path, val) {


if (isNonCompositePath(internalPath)) {
// Do not allow prototype pollution
if (internalPath === "__proto__") return obj;
obj = decouple(obj, options);
obj[options.transformKey(unEscape(internalPath))] = val;
return obj;
Expand All @@ -459,7 +461,9 @@ var set = function set(obj, path, val) {
var newObj = decouple(obj, options);
var pathParts = split(internalPath);
var pathPart = pathParts.shift();
var transformedPathPart = options.transformKey(pathPart);
var transformedPathPart = options.transformKey(pathPart); // Do not allow prototype pollution

if (transformedPathPart === "__proto__") return obj;
var childPart = newObj[transformedPathPart];

if ((0, _typeof2["default"])(childPart) !== "object") {
Expand Down Expand Up @@ -519,8 +523,12 @@ var unSet = function unSet(obj, path) {
var newObj = decouple(obj, options); // Path has no dot-notation, set key/value

if (isNonCompositePath(internalPath)) {
if (newObj.hasOwnProperty(unEscape(internalPath))) {
delete newObj[options.transformKey(unEscape(internalPath))];
var unescapedPath = unEscape(internalPath); // Do not allow prototype pollution

if (unescapedPath === "__proto__") return obj;

if (newObj.hasOwnProperty(unescapedPath)) {
delete newObj[options.transformKey(unescapedPath)];
return newObj;
}

Expand All @@ -530,7 +538,9 @@ var unSet = function unSet(obj, path) {

var pathParts = split(internalPath);
var pathPart = pathParts.shift();
var transformedPathPart = options.transformKey(unEscape(pathPart));
var transformedPathPart = options.transformKey(unEscape(pathPart)); // Do not allow prototype pollution

if (transformedPathPart === "__proto__") return obj;
var childPart = newObj[transformedPathPart];

if (!childPart) {
Expand Down Expand Up @@ -618,6 +628,7 @@ var pushVal = function pushVal(obj, path, val) {
path = clean(path);
var pathParts = split(path);
var part = pathParts.shift();
if (part === "__proto__") return obj;

if (pathParts.length) {
// Generate the path part in the object if it does not already exist
Expand Down Expand Up @@ -671,6 +682,7 @@ var pullVal = function pullVal(obj, path, val) {
path = clean(path);
var pathParts = split(path);
var part = pathParts.shift();
if (part === "__proto__") return obj;

if (pathParts.length) {
// Generate the path part in the object if it does not already exist
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "@irrelon/path",
"version": "4.6.8",
"version": "4.7.0",
"description": "A powerful JSON path processor. Allows you to drill into and manipulate JSON objects with a simple dot-delimited path format e.g. \"obj.name\".",
"main": "./src/Path.js",
"scripts": {
27 changes: 23 additions & 4 deletions src/Path.js
Expand Up @@ -400,6 +400,9 @@ const set = (obj, path, val, options = {}) => {

// Path has no dot-notation, set key/value
if (isNonCompositePath(internalPath)) {
// Do not allow prototype pollution
if (internalPath === "__proto__") return obj;

obj = decouple(obj, options);
obj[options.transformKey(unEscape(internalPath))] = val;
return obj;
Expand All @@ -409,6 +412,10 @@ const set = (obj, path, val, options = {}) => {
const pathParts = split(internalPath);
const pathPart = pathParts.shift();
const transformedPathPart = options.transformKey(pathPart);

// Do not allow prototype pollution
if (transformedPathPart === "__proto__") return obj;

let childPart = newObj[transformedPathPart];

if (typeof childPart !== "object") {
Expand Down Expand Up @@ -470,19 +477,27 @@ const unSet = (obj, path, options = {}, tracking = {}) => {

// Path has no dot-notation, set key/value
if (isNonCompositePath(internalPath)) {
if (newObj.hasOwnProperty(unEscape(internalPath))) {
delete newObj[options.transformKey(unEscape(internalPath))];
const unescapedPath = unEscape(internalPath);

// Do not allow prototype pollution
if (unescapedPath === "__proto__") return obj;

if (newObj.hasOwnProperty(unescapedPath)) {
delete newObj[options.transformKey(unescapedPath)];
return newObj;
}

tracking.returnOriginal = true;
return obj;
}


const pathParts = split(internalPath);
const pathPart = pathParts.shift();
const transformedPathPart = options.transformKey(unEscape(pathPart));

// Do not allow prototype pollution
if (transformedPathPart === "__proto__") return obj;

let childPart = newObj[transformedPathPart];

if (!childPart) {
Expand Down Expand Up @@ -563,7 +578,9 @@ const pushVal = (obj, path, val, options = {}) => {

const pathParts = split(path);
const part = pathParts.shift();


if (part === "__proto__") return obj;

if (pathParts.length) {
// Generate the path part in the object if it does not already exist
obj[part] = decouple(obj[part], options) || {};
Expand Down Expand Up @@ -613,6 +630,8 @@ const pullVal = (obj, path, val, options = {strict: true}) => {

const pathParts = split(path);
const part = pathParts.shift();

if (part === "__proto__") return obj;

if (pathParts.length) {
// Generate the path part in the object if it does not already exist
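Review bot: The six new `=== "__proto__"` comparisons in set, unSet, pushVal and pullVal reject only that one literal segment, so a path such as `constructor.prototype.polluted` is still walked: in the composite branches `newObj[transformedPathPart]` for `constructor` resolves through the prototype chain to the `Object` function, which is truthy for unSet's `if (!childPart)` and is not `"object"` for set's `typeof childPart` test, and what happens from there is decided by code below the hunk, so whether the walk actually reaches `Object.prototype` cannot be confirmed from this view. The usual fix is one shared predicate, `const isUnsafeKey = (key) => key === "__proto__" || key === "constructor" || key === "prototype";`, used at every site in place of the string compare. In the non-composite branch of set the comparison is also made on `internalPath` before `unEscape`/`transformKey`, whereas the key written on the next line is `options.transformKey(unEscape(internalPath))`; comparing the final key, `if (isUnsafeKey(options.transformKey(unEscape(internalPath)))) return obj;`, keeps the guard aligned with what is actually stored, as unSet's `unescapedPath` already does. Returning `obj` unchanged also hides the rejected write from the caller; if that is deliberate the comment should say so, e.g. `// Silently ignore writes to prototype keys rather than throwing`. The bodies of set, unSet, pushVal and pullVal all continue outside these hunks.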
