fix prototype pollution vulnerability

cheers Daniel Elkabes of WhiteSource Software
ahdinosaur · Nov 23, 2020 · e431eff · e431eff
1 parent a883c87
commit e431eff
Show file tree

Hide file tree

Showing 3 changed files with 2,765 additions and 3 deletions.
diff --git a/index.js b/index.js
@@ -16,13 +16,31 @@ function recursivelySetIn (object, path, value, index) {
 
   object = object || {}
 
+  // https://stackoverflow.com/a/60850027
+  assert.ok(
+    path[index] !== '__proto__',
+    'setIn: "__proto__" is disallowed in path due to possible prototype pollution attack.'
+  )
+  if (index < path.length - 1) {
+    assert.ok(
+      path[index] !== 'constructor' && path[index + 1] !== 'prototype',
+      'setIn: ["constructor", "prototype"] is disallowed in path due to possible prototype pollution attack.'
+    )
+  }
+
   var key = path[index]
 
   if (key === '-') {
     assert.ok(Array.isArray(object), 'setIn: "-" in path must correspond to array.')
     key = object.length
   }
 
+  if (
+    key === '__proto__' ||
+    (key === 'constructor' && path[index + 1] === 'prototype')) {
+
+  }
+
   var next = recursivelySetIn(object[key], path, value, ++index)
 
   return set(object, key, next)