add proto check (#267)
angus-c committed May 8, 2021
1 parent 165a5ca commit dd57a47
Showing 3 changed files with 30 additions and 1 deletion.
8 changes: 8 additions & 0 deletions packages/object-safe-set/index.js
Expand Up @@ -34,8 +34,10 @@ function set(obj, props, value) {
if (!lastProp) {
return false;
}
prototypeCheck(lastProp);
var thisProp;
while ((thisProp = props.shift())) {
prototypeCheck(thisProp);
if (typeof obj[thisProp] == 'undefined') {
obj[thisProp] = {};
}
Expand All @@ -47,3 +49,9 @@ function set(obj, props, value) {
obj[lastProp] = value;
return true;
}

function prototypeCheck(prop) {
if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
throw new Error('setting of prototype values not supported');
}
}
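Review bot: The new guard rejects only the three literal names, so a path whose intermediate segment resolves to an inherited rather than own property still passes the `typeof obj[thisProp] == 'undefined'` test on the line after the check and, assuming the walk then reassigns obj to that value (the reassignment sits outside the hunk), it descends into an object reached through the prototype chain instead of one owned by obj. Descending only into own properties would close that gap, e.g. `if (typeof obj[thisProp] == 'undefined' || !Object.prototype.hasOwnProperty.call(obj, thisProp)) {`, but it also changes behaviour for objects that legitimately keep intermediate containers on their prototype, so it may be better recorded as a documented limitation than changed here. prototypeCheck would also benefit from a header comment stating why these names are refused, e.g. `// Reject path segments that would reach the prototype chain instead of the target object.` The enclosing set function begins before the first hunk.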
2 changes: 1 addition & 1 deletion packages/object-safe-set/package.json
@@ -1,6 +1,6 @@
{
"name": "just-safe-set",
"version": "2.2.1",
"version": "2.2.2",
"description": "set value at property, create intermediate properties if necessary",
"main": "index.js",
"types": "index.d.ts",
21 changes: 21 additions & 0 deletions test/object-safe-set/index.js
Expand Up @@ -66,6 +66,27 @@ test("doesn't interrupt property chain, using array arg", function(t) {
t.end();
});

test("doesn't support setting of prototype (and related) values", function(t) {
t.plan(4);
t.throws(function() {
var obj1 = {a: {}};
set(obj1, '__proto__.x', function malice() {});
});
t.throws(function() {
var obj1 = {a: {}};
set(obj1, ['a', 'b', '__proto__'], {toString: 'hehehe'});
});
t.throws(function() {
var obj2 = {a: {}};
set(obj2, 'constructor', function FakeConstructor() {});
});
t.throws(function() {
var obj3 = {a: {}};
set(obj3, 'prototype.y', 'hahahaha');
});
t.end();
});

/* eslint-disable no-undef*/
if (typeof Symbol === 'function') {
test('supports symbol prop', function(t) {
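Review bot: Each `t.throws` in the new test accepts any exception, so a throw for an unrelated reason (a typo in the path helper, say) would still pass and the test would not notice if the prototype guard stopped firing. Passing the expected message as the second argument pins the rejection to the new check, e.g. `t.throws(function() { ... }, /prototype values not supported/);` on each of the four cases. It would also be worth asserting afterwards that the input object is left unchanged, since in index.js the check runs before the first assignment, so a rejected call should leave `{a: {}}` intact.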
