fix(nessy) security fix: prototype pollution (#14)

coderaiser · Nov 3, 2020 · 8443c0f · 8443c0f
1 parent a3e805a
commit 8443c0f
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/lib/nessy.js b/lib/nessy.js
@@ -1,5 +1,7 @@
 'use strict';
 
+const notSecure = (a) => /__proto__|prototype/.test(a);
+
 module.exports = (selector, value, divider, obj) => {
     if (!obj) {
         obj = divider || {};
@@ -15,6 +17,9 @@ module.exports = (selector, value, divider, obj) => {
     for (let i = 0; i < arr.length ; i++) {
         const name = arr[i];
 
+        if (notSecure(name))
+            continue;
+
         if (i === arr.length - 1)
             obj[name] = value;
         else if (!obj[name])

diff --git a/test/nessy.js b/test/nessy.js
@@ -74,6 +74,29 @@ test('nessy: custom divider', (t) => {
 test('result: should modify object', (t) => {
     const obj = {};
     const actual = nessy('hello.world', 'good', obj);
+
     t.deepEqual(actual, obj, 'object should be changed');
     t.end();
 });
+
+test('nessy: prototype pollution: __proto__', (t) => {
+    const obj = {};
+    nessy('a/__proto__/polluted', 'Yes! Its Polluted', '/', obj);
+
+    t.notOk({}.polluted);
+    t.end();
+});
+
+test('nessy: prototype pollution: prototype', (t) => {
+    const obj = {};
+    nessy(
+        'a/constructor/prototype/polluted',
+        'Yes! Its Polluted',
+        '/',
+        obj,
+    );
+
+    t.notOk({}.polluted);
+    t.end();
+});
+