
Commit 6bad255

committed
better fix for prototype pollution vulnerability
cheers Idan Digmi of Snyk Security
1 parent dfc226d commit 6bad255

3 files changed

+3359
-27
lines changed

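--- a/index.js
+++ b/index.js
@@ -5,6 +5,10 @@ module.exports = setIn
 function setIn (object, path, value) {
 assert.equal(typeof object, 'object', 'setIn: expected object as first argument.')
 assert.ok(Array.isArray(path), 'setIn: expected array path as second argument.')
+assert.ok(
+path.every(p => typeof p === 'number' || typeof p === 'string'),
+'setIn: expected array path (of strings and numbers) as second argument.'
+)
 
 return recursivelySetIn(object, path, value, 0)
 }
@@ -16,18 +20,6 @@ function recursivelySetIn (object, path, value, index) {
 
 object = object || {}
 
-// https://stackoverflow.com/a/60850027
-assert.ok(
-path[index] !== '__proto__',
-'setIn: "__proto__" is disallowed in path due to possible prototype pollution attack.'
-)
-if (index < path.length - 1) {
-assert.ok(
-path[index] !== 'constructor' && path[index + 1] !== 'prototype',
-'setIn: ["constructor", "prototype"] is disallowed in path due to possible prototype pollution attack.'
-)
-}
-
 var key = path[index]
 
 if (key === '-') {
@@ -40,7 +32,12 @@ function recursivelySetIn (object, path, value, index) {
 return set(object, key, next)
 }
 
+const POLLUTED_KEYS = ['__proto__', 'constructor', 'prototype']
+
 function set (object, key, value) {
+// CVE-2020-28273
+assert.ok(!POLLUTED_KEYS.includes(key), `setIn: ${key} is disallowed in path due to possible prototype pollution attack.`)
+
 object[key] = value
 return object
 }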
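Review bot: The new guard in `set` runs only when `recursivelySetIn` reaches its final `return set(object, key, next)`, whereas the removed assertions rejected the key at the top of `recursivelySetIn` before anything was traversed; if the lines outside this hunk compute `next` by reading `object[key]` and recursing into it, the inner levels are written (via their own `set` calls) before the outer key is ever checked, so a forbidden key could still steer the write into a shared prototype. The cheapest way to restore the old ordering is to reject the whole path up front in `setIn`, next to the new type check: `assert.ok(path.every(p => !POLLUTED_KEYS.includes(p)), 'setIn: __proto__/constructor/prototype are disallowed in path (prototype pollution).')`, keeping the `set`-level assert as defence in depth. Note also that this commit widens the old rule — `constructor` and `prototype` are now rejected anywhere in the path rather than only as the `constructor`/`prototype` pair — which is reasonable but deserves a line in the changelog since it is a behaviour change for callers using those as ordinary keys. The body of `recursivelySetIn` between `if (key === '-') {` and the final `return` lies outside the hunk, so the traversal order above is inferred, not visible here.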
