@@ -5,6 +5,10 @@ module.exports = setIn
55function setIn ( object , path , value ) {
66 assert . equal ( typeof object , 'object' , 'setIn: expected object as first argument.' )
77 assert . ok ( Array . isArray ( path ) , 'setIn: expected array path as second argument.' )
8+ assert . ok (
9+ path . every ( p => typeof p === 'number' || typeof p === 'string' ) ,
10+ 'setIn: expected array path (of strings and numbers) as second argument.'
11+ )
812
913 return recursivelySetIn ( object , path , value , 0 )
1014}
@@ -16,18 +20,6 @@ function recursivelySetIn (object, path, value, index) {
1620
1721 object = object || { }
1822
19- // https://stackoverflow.com/a/60850027
20- assert . ok (
21- path [ index ] !== '__proto__' ,
22- 'setIn: "__proto__" is disallowed in path due to possible prototype pollution attack.'
23- )
24- if ( index < path . length - 1 ) {
25- assert . ok (
26- path [ index ] !== 'constructor' && path [ index + 1 ] !== 'prototype' ,
27- 'setIn: ["constructor", "prototype"] is disallowed in path due to possible prototype pollution attack.'
28- )
29- }
30-
3123 var key = path [ index ]
3224
3325 if ( key === '-' ) {
@@ -40,7 +32,12 @@ function recursivelySetIn (object, path, value, index) {
4032 return set ( object , key , next )
4133}
4234
35+ const POLLUTED_KEYS = [ '__proto__' , 'constructor' , 'prototype' ]
36+
4337function set ( object , key , value ) {
38+ // CVE-2020-28273
39+ assert . ok ( ! POLLUTED_KEYS . includes ( key ) , `setIn: ${ key } is disallowed in path due to possible prototype pollution attack.` )
40+
4441 object [ key ] = value
4542 return object
4643}
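Review bot: Moving the guard from the top of `recursivelySetIn` into `set` means it now runs only at assignment time, after the recursion has already descended through `object[key]`, so a path that merely passes through a forbidden key — `['__proto__', 'polluted']` or `['constructor', 'prototype', 'polluted']` — reaches the innermost call as `set(Object.prototype, 'polluted', value)` and assigns before the outer `set(object, '__proto__', …)` throws; the pollution has happened by the time the AssertionError surfaces. This depends on the unshown lines 34–39 of the new file (between the second and third hunk, where `next` is computed) reading `object[key]` to recurse, which the removed check's placement suggests they do; please confirm. The cheaper fix is to reject the whole path up front in `setIn`, right after the new type check, where the array is already being walked: `assert.ok(!path.some(p => POLLUTED_KEYS.includes(p)), 'setIn: "__proto__", "constructor" and "prototype" are disallowed in path due to possible prototype pollution attack.')`, and then the check in `set` can stay as defence in depth. Since `POLLUTED_KEYS` is a module-level `const` it is in scope for `setIn` at call time, and I would also freeze it (`Object.freeze([...])`) so the denylist itself cannot be mutated by a caller. Both `recursivelySetIn` and `setIn` extend beyond the shown hunks, so the `-` handling and the `next` computation were not reviewed here.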