Prevent mutation of Object.prototype and throw ObjectPrototypeMutatio…

…nError

- Fix Hackerone issue  #788883

CHANGELOG

@@ -1,5 +1,9 @@
 # CHANGELOG
 
+### 3.0.0 - 27 SEP 2020
+
+* Prevent mutation of Object.prototype to address a security issue. (Full report coming soon)
+
 ### 2.0.2 - 22 AUG 2020
 
 * Upgrade dependencies to fix vulnerabilites reported by dependa bot

README.md

@@ -236,6 +236,14 @@ nestedProperty.isIn(obj, "nested.0.property", obj.nested[0].property); // true
 nestedProperty.isIn(obj, "nested.0.property", true); // true
 ```
 
+### nestedProperty.ObjectPrototypeMutationError
+
+__Note that it's not permitted to mutate Object.prototype:__
+
+```
+nestedProperty.set({}, '__protot__.a', 1); // throws nestedProperty.ObjectPrototypeMutationError
+```
+
 # LICENSE
 
 MIT

index.js

@@ -10,14 +10,24 @@
 const ARRAY_WILDCARD = "+";
 const PATH_DELIMITER = ".";
 
+class ObjectPrototypeMutationError extends Error {
+    constructor(params) {
+        super(params);
+
+        this.name = "ObjectPrototypeMutationError";
+    }
+}
+
+
 module.exports = {
     set: setNestedProperty,
     get: getNestedProperty,
     has: hasNestedProperty,
     hasOwn: function (object, property, options) {
         return this.has(object, property, options || { own: true });
     },
-    isIn: isInNestedProperty
+    isIn: isInNestedProperty,
+    ObjectPrototypeMutationError
 };
 
 /**
@@ -120,6 +130,10 @@ function setNestedProperty(object, property, value) {
 
     try {
         return traverse(object, property, function _setNestedProperty(currentObject, currentProperty, segments, index) {
+            if (currentObject === Reflect.getPrototypeOf({})) {
+                throw new ObjectPrototypeMutationError("Attempting to mutate Object.prototype");
+            }
+
             if (!currentObject[currentProperty]) {
                 const nextPropIsNumber = Number.isInteger(Number(segments[index + 1]));
                 const nextPropIsArrayWildcard = segments[index + 1] === ARRAY_WILDCARD;
@@ -138,7 +152,12 @@ function setNestedProperty(object, property, value) {
             return currentObject[currentProperty];
         });
     } catch (err) {
-        return object;
+        if (err instanceof ObjectPrototypeMutationError) {
+            // rethrow
+            throw err;
+        } else {
+            return object;
+        }
     }
 }
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "nested-property",
   "description": "Read, write or test a data structure's nested property via a string like 'my.nested.property'. It works through arrays and objects.'",
-  "version": "2.0.2",
+  "version": "3.0.0",
   "homepage": "https://github.com/cosmosio/nested-property",
   "license": "MIT",
   "files": [

test/set.spec.js

@@ -369,4 +369,33 @@ describe("nested-property.set()", function () {
             });
         });
     });
+
+    describe("When setting a property on an object's prototype", () => {
+        let newObj, protoObj;
+
+        beforeEach(function () {
+            protoObj = {};
+            newObj = Object.create(protoObj);
+
+            sut.set(newObj, "__proto__.a", 1);
+        });
+
+        it("Then mutates the prototype", function () {
+            expect(protoObj.hasOwnProperty("a")).to.be.true;
+        });
+    });
+
+    describe("When setting a property on Object.prototype", () => {
+        let newObj;
+
+        beforeEach(function () {
+            newObj = {};
+        });
+
+        it("Then throws an error", function () {
+            expect(function () {
+                sut.set(newObj, "__proto__.a", 1);
+            }).to.throw(sut.ObjectPrototypeMutationError);
+        });
+    });
 });