fix: prototype pollution

b-heilman · Sep 17, 2020 · 7d4a086 · 7d4a086
1 parent 57084c5
commit 7d4a086
Show file tree

Hide file tree

Showing 4 changed files with 178 additions and 108 deletions.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "bmoor",
-  "version": "0.8.11",
+  "version": "0.8.12",
   "author": "Brian Heilman <das.ist.junk@gmail.com>",
   "description": "A basic foundation for other libraries, establishing useful patterbs, and letting them be more.",
   "license": "MIT",

diff --git a/src/core.js b/src/core.js
@@ -184,6 +184,10 @@ function set( root, space, value ){
 	for( i = 0, c = space.length; i < c; i++ ){
 		nextSpace = space[ i ];
 
+		if (nextSpace === '__proto__'){
+			return null;
+		}
+
 		if ( isUndefined(curSpace[nextSpace]) ){
 			curSpace[ nextSpace ] = {};
 		}
@@ -197,6 +201,10 @@ function set( root, space, value ){
 }
 
 function _makeSetter( property, next ){
+	if (property === '__proto__'){
+		throw new Error('unable to access __proto__');
+	}
+
 	if ( next ){
 		return function setter( ctx, value ){
 			var t = ctx[property];
@@ -250,6 +258,10 @@ function get( root, path ){
 		for( i = 0, c = space.length; i < c; i++ ){
 			nextSpace = space[i];
 
+			if (nextSpace === '__proto__'){
+				return null;
+			}
+
 			if ( isUndefined(curSpace[nextSpace]) ){
 				return;
 			}
@@ -262,6 +274,10 @@ function get( root, path ){
 }
 
 function _makeGetter( property, next ){
+	if (property === '__proto__'){
+		throw new Error('unable to access __proto__');
+	}
+
 	if (next){
 		return function getter( obj ){
 			try {

diff --git a/src/core.spec.js b/src/core.spec.js
@@ -4,75 +4,127 @@ const {expect} = require('chai');
 const bmoor = require('./index.js');
 
 describe('Testing object setting/getting', function() {
-	it('should have get working', function(){
-		var t = {
-				eins : 1,
-				zwei: {
-					drei: 3
-				}
-			};
 
-		expect( bmoor.get(t,'eins') ).to.equal(1);
-		expect( bmoor.get(t,'zwei.drei') ).to.equal(3);
-	});
+	describe('::get', function(){
+		it('should be working', function(){
+			var t = {
+					eins : 1,
+					zwei: {
+						drei: 3
+					}
+				};
 
-	it('should have get working with empty strings', function(){
-		var t = {
-				eins : 1,
-				zwei: {
-					drei: 3
-				}
-			};
+			expect( bmoor.get(t,'eins') ).to.equal(1);
+			expect( bmoor.get(t,'zwei.drei') ).to.equal(3);
+		});
 
-		expect( bmoor.get(t,'') ).to.equal(t);
-	});
+		it('should be working with empty strings', function(){
+			var t = {
+					eins : 1,
+					zwei: {
+						drei: 3
+					}
+				};
 
-	it('should have makeGetter working', function(){
-		var t = {
-				eins : 1,
-				zwei: {
-					drei: 3
-				}
-			},
-			f1 = bmoor.makeGetter('eins'),
-			f2 = bmoor.makeGetter('zwei.drei');
+			expect( bmoor.get(t,'') ).to.equal(t);
+		});
 
-		expect( f1(t) ).to.equal(1);
-		expect( f2(t) ).to.equal(3);
+		it('should not allow __proto__', function(){
+			var t = bmoor.get({}, '__proto__');
+
+			expect(t)
+			.to.equal(null);
+		});
 	});
+
+	describe('::makeGetter', function(){
+		it('should be working', function(){
+			var t = {
+					eins : 1,
+					zwei: {
+						drei: 3
+					}
+				},
+				f1 = bmoor.makeGetter('eins'),
+				f2 = bmoor.makeGetter('zwei.drei');
 
-	it('should have makeGetter working with empty strings', function(){
-		var t = {
-				eins : 1,
-				zwei: {
-					drei: 3
-				}
-			},
-			f1 = bmoor.makeGetter('');
+			expect( f1(t) ).to.equal(1);
+			expect( f2(t) ).to.equal(3);
+		});
 
-		expect( f1(t) ).to.equal(t);
-	});
+		it('should fail with __proto__', function(){
+			let failed = false;
 
-	it('should have set working', function(){
-		var t = {};
+			try {
+				bmoor.makeGetter('__proto__.polluted');
+			} catch(ex){
+				failed = true;
+			}
+
+			expect(failed)
+			.to.equal(true);
+		});
 
-		bmoor.set(t,'eins',1);
-		bmoor.set(t,'zwei.drei',3);
+		it('should work with empty strings', function(){
+			var t = {
+					eins : 1,
+					zwei: {
+						drei: 3
+					}
+				},
+				f1 = bmoor.makeGetter('');
+
+			expect( f1(t) ).to.equal(t);
+		});
+	});	
 
-		expect( t.eins ).to.equal(1);
-		expect( t.zwei.drei ).to.equal(3);
+	describe('::set', function(){
+		it('should be working working', function(){
+			var t = {};
+
+			bmoor.set(t,'eins',1);
+			bmoor.set(t,'zwei.drei',3);
+
+			expect( t.eins ).to.equal(1);
+			expect( t.zwei.drei ).to.equal(3);
+		});
+
+		it('should not allow __proto__', function(){
+			var t = {};
+
+			bmoor.set(t,'__proto__.polluted', true);
+
+			expect( t.polluted )
+			.to.not.equal(true);
+		});
 	});
 
-	it('should have makeSetter working', function(){
-		var t = {},
-			f1 = bmoor.makeSetter('eins'),
-			f2 = bmoor.makeSetter('zwei.drei');
+	describe('::makeSetter', function(){
+		it('should actually work', function(){
+			var t = {},
+				f1 = bmoor.makeSetter('eins'),
+				f2 = bmoor.makeSetter('zwei.drei');
 
-		f1(t,1);
-		f2(t,3);
+			f1(t,1);
+			f2(t,3);
 
-		expect( t.eins ).to.equal(1);
-		expect( t.zwei.drei ).to.equal(3);
+			expect( t.eins ).to.equal(1);
+			expect( t.zwei.drei ).to.equal(3);
+		});
+
+		it('should fail with __proto__', function(){
+			let failed = false;
+
+			try {
+				bmoor.makeGetter('__proto__.polluted');
+			} catch(ex){
+				failed = true;
+			}
+
+
+			expect(failed)
+			.to.equal(true);
+		});
 	});
 
 	it('should have del working', function(){

diff --git a/src/object.spec.js b/src/object.spec.js
@@ -5,42 +5,44 @@ describe('bmoor.object', function() {
 
 	const bmoor = require('./index.js');
 
-	it('should operate explode correctly', function(){
-		var t = {
-			'eins.zwei': 12,
-			'eins.drei': 13,
-			'fier': 4
-		};
-
-		expect(bmoor.object.explode(t))
-		.to.deep.equal({
-			eins: {
-				zwei: 12,
-				drei: 13
-			},
-			fier: 4
-		});
-	});
-
-	it('should operate makeExploder correctly', function(){
-		var t = {
+	describe('::explode', function(){
+		it('should operate explode correctly', function(){
+			var t = {
 				'eins.zwei': 12,
 				'eins.drei': 13,
 				'fier': 4
-			},
-			explode = bmoor.object.makeExploder( Object.keys(t) );
+			};
+
+			expect(bmoor.object.explode(t))
+			.to.deep.equal({
+				eins: {
+					zwei: 12,
+					drei: 13
+				},
+				fier: 4
+			});
+		});
+
+		it('should operate makeExploder correctly', function(){
+			var t = {
+					'eins.zwei': 12,
+					'eins.drei': 13,
+					'fier': 4
+				},
+				explode = bmoor.object.makeExploder( Object.keys(t) );
 
-		expect(explode(t))
-		.to.deep.equal({
-			eins: {
-				zwei: 12,
-				drei: 13
-			},
-			fier: 4
+			expect(explode(t))
+			.to.deep.equal({
+				eins: {
+					zwei: 12,
+					drei: 13
+				},
+				fier: 4
+			});
 		});
 	});
 
-	describe(':: implode', function(){
+	describe('::implode', function(){
 		it('should operate correctly', function(){
 			var t = {
 				time: {
@@ -113,32 +115,32 @@ describe('bmoor.object', function() {
 				]
 			});
 		});
-	});
 
-	it('should operate implode correctly - with an ignore', function(){
-		var t = {
-			time: {
-				start: 99,
-				stop: 100
-			},
-			id: 'woot',
-			foo: {
-				bar: {
-					hello: 'world'
+		it('should operate implode correctly - with an ignore', function(){
+			var t = {
+				time: {
+					start: 99,
+					stop: 100
+				},
+				id: 'woot',
+				foo: {
+					bar: {
+						hello: 'world'
+					}
 				}
-			}
-		};
+			};
 
-		expect(bmoor.object.implode(t, {
-			ignore: {
-				time:{
-					start:true
-				},
-				id: true,
-				foo: true
-			}
-		})).to.deep.equal({
-			'time.stop': 100
+			expect(bmoor.object.implode(t, {
+				ignore: {
+					time:{
+						start:true
+					},
+					id: true,
+					foo: true
+				}
+			})).to.deep.equal({
+				'time.stop': 100
+			});
 		});
 	});
 
@@ -177,4 +179,4 @@ describe('bmoor.object', function() {
 			});
 		});
 	});
-});
+});