fix(set-value): prototype pollution
Qwerios committed Mar 7, 2022
1 parent ec0b977 commit 8d5d54c
Showing 3 changed files with 9 additions and 23 deletions.
15 changes: 3 additions & 12 deletions lib/utils.js
@@ -30,12 +30,6 @@
aPath = ("" + path).split(".");
value = object;
key = aPath.shift();
if (key === 'constructor' && typeof object[key] === 'function') {
return;
}
if (key === '__proto__') {
return;
}
if (aPath.length === 0) {
value = value[key.replace("%2E", ".")];
if (value == null) {
@@ -64,17 +58,14 @@
aPath = ("" + path).split(".");
value = object;
key = aPath.shift();
if (key === 'constructor' && typeof object[key] === 'function') {
return object;
}
if (key === '__proto__') {
return object;
}
while (key) {
key = key.replace("%2E", ".");
if (value[key] == null) {
value[key] = {};
}
if (!value.hasOwnProperty(key)) {
return;
}
if (aPath.length === 0) {
if (defaultValue != null) {
value[key] = defaultValue;
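Review bot: The new guard `if (!value.hasOwnProperty(key))` looks the method up on the object being traversed, so it throws a TypeError when that object has no prototype (`Object.create(null)`) or carries its own `hasOwnProperty` key, as parsed JSON can. Calling it through the prototype avoids that: `if (!Object.prototype.hasOwnProperty.call(value, key)) { return object; }`. Returning `object` there also keeps the return value of the two guards removed from this function, which returned `object`; the bare `return` now yields `undefined` on a rejected path. The check also runs after `value[key] = {}`, so a rejected path appears able to leave intermediate keys created on the caller's object. The same guard appears in src/utils.coffee, and the enclosing function starts and ends outside the hunk.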
13 changes: 3 additions & 10 deletions src/utils.coffee
@@ -31,11 +31,6 @@
value = object
key = aPath.shift()

if key is 'constructor' and typeof object[key] is 'function'
return
if key is '__proto__'
return

if aPath.length is 0
# This is only a 1 deep check
#
@@ -60,11 +55,6 @@
value = object
key = aPath.shift()

if key is 'constructor' and typeof object[key] is 'function'
return object
if key is '__proto__'
return object

while key
key = key.replace( "%2E", "." )

@@ -73,6 +63,9 @@
if not value[ key ]?
value[ key ] = {}

if not value.hasOwnProperty(key)
return

if aPath.length is 0
# Assign the default value to the newly created key if supplied
#
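Review bot: The first hunk here removes the `constructor` and `__proto__` guards from what appears to be the read path, and the visible lines put no own-property check in their place, so a path whose first segment is `__proto__` would now resolve to the inherited value instead of returning early. If callers may write to what that function returns, the prototype is reachable again from the read side; a guard such as `return unless Object::hasOwnProperty.call( object, key )` before `if aPath.length is 0` would keep inherited keys out. If inherited reads are intentional, a comment saying so next to that branch would stop the gap going unnoticed. The function bodies continue outside the hunks, so a check further down would not be visible here.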
4 changes: 3 additions & 1 deletion test/prototype-pollution.coffee
@@ -5,8 +5,10 @@ describe( "Prototype pollution", () ->
describe( "#setValue()", () ->
it( "Should not pollute value", () ->
objectUtils.setValue( '__proto__.polluted', {}, true )

chai.expect( global.polluted ).to.eql( undefined )

objectUtils.setValue('this.constructor.prototype.polluted', {}, 'yes');
chai.expect( {}.polluted ).to.eql( undefined )
)
)
)
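Review bot: Both calls in `Should not pollute value` go through `setValue`, and the second path starts with the literal key `this`, so no case has `constructor` as the first segment, which is the input the removed top-level guard handled. Adding `objectUtils.setValue( 'constructor.prototype.polluted', {}, 'yes' )` followed by the same `{}.polluted` expectation would pin that case. The read path that lost its guards in this commit has no test here. If an assertion fails, `Object.prototype.polluted` stays set for later tests, so an `afterEach` that runs `delete Object::polluted` would keep failures isolated.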
