better fix for prototype pollution vulnerability
cheers Idan Digmi of Snyk Security
ahdinosaur committed Mar 7, 2022
1 parent dfc226d commit 6bad255
Showing 3 changed files with 3,359 additions and 27 deletions.
21 changes: 9 additions & 12 deletions index.js
Expand Up @@ -5,6 +5,10 @@ module.exports = setIn
function setIn (object, path, value) {
assert.equal(typeof object, 'object', 'setIn: expected object as first argument.')
assert.ok(Array.isArray(path), 'setIn: expected array path as second argument.')
assert.ok(
path.every(p => typeof p === 'number' || typeof p === 'string'),
'setIn: expected array path (of strings and numbers) as second argument.'
)

return recursivelySetIn(object, path, value, 0)
}
Expand All @@ -16,18 +20,6 @@ function recursivelySetIn (object, path, value, index) {

object = object || {}

// https://stackoverflow.com/a/60850027
assert.ok(
path[index] !== '__proto__',
'setIn: "__proto__" is disallowed in path due to possible prototype pollution attack.'
)
if (index < path.length - 1) {
assert.ok(
path[index] !== 'constructor' && path[index + 1] !== 'prototype',
'setIn: ["constructor", "prototype"] is disallowed in path due to possible prototype pollution attack.'
)
}

var key = path[index]

if (key === '-') {
Expand All @@ -40,7 +32,12 @@ function recursivelySetIn (object, path, value, index) {
return set(object, key, next)
}

const POLLUTED_KEYS = ['__proto__', 'constructor', 'prototype']

function set (object, key, value) {
// CVE-2020-28273
assert.ok(!POLLUTED_KEYS.includes(key), `setIn: ${key} is disallowed in path due to possible prototype pollution attack.`)

object[key] = value
return object
}
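Review bot: The denylist assertion added in `set` fires only after `recursivelySetIn` has already descended through `object[key]` for that same key, assuming the elided lines between the second and third hunks compute `next` by recursing before `return set(object, key, next)` (which that return line suggests) — in that case a path whose intermediate element is `__proto__` reaches the prototype object and `set` writes the leaf property onto it before the outer call's assertion throws, and the throw does not undo that write. The check belongs before the descent: validate the whole path up front in `setIn`, next to the new type assertion, e.g. `assert.ok(path.every(p => !POLLUTED_KEYS.includes(p)), 'setIn: "__proto__", "constructor" and "prototype" are disallowed in path due to possible prototype pollution attack.')` (`POLLUTED_KEYS` is a module-level `const`, so referencing it from `setIn` at call time is fine), and keep the guard in `set` as defence in depth. Note also that the new list rejects `constructor` and `prototype` as ordinary leaf keys, which the removed narrower check permitted; that is a defensible trade-off but deserves a comment on `POLLUTED_KEYS` or a README line so callers are not surprised. `recursivelySetIn` starts before the second hunk and its body between the hunks is not shown.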
