Address different method of prototype pollution (#32)
* remove ds_store file

* Fix prototype pollution

* Bump deps

* Update docs

* Update workflow to test against latest node versions

* Ensure put returns true

* Remove node v6,8,10 from testing
stramel committed Oct 26, 2021
1 parent 5dc501f commit 88f6186
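The commit message describes the change as addressing a different method of prototype pollution, and the lib/index.js hunk in this commit shows the whole runtime change: the path element is coerced to a string before it is compared with `__proto__`. The block below is an added example, not dotty's own code: it reconstructs a minimal `put` with the same shape as the hunk so the bypass can be run before and after the fix. The leaf assignment and the creation of intermediate objects are assumed, since those lines are not in the diff; `coerceKey`, `demonstrateBypass` and the `bystander` object are names introduced here.

```javascript
// Added example (not dotty's own code): a minimal put() shaped like the one in
// lib/index.js, with a `coerceKey` switch that reproduces the behaviour before
// (false) and after (true) commit 88f6186. The leaf-assignment and
// auto-vivification branches are assumed; they are not visible in the hunk.

function put(object, path, value, coerceKey) {
  // dotty accepts dotted strings as well as arrays; its test suite uses arrays.
  if (typeof path === "string") {
    path = path.split(".");
  }
  path = path.slice();

  // Before the fix the raw element is compared; after it, the element is first
  // converted to a string, which is also what property access does with it.
  const key = coerceKey ? "" + path.shift() : path.shift();

  if (typeof object !== "object" || object === null || key === "__proto__") {
    return false;
  }

  if (path.length === 0) {
    object[key] = value;
    return true;
  }

  if (typeof object[key] !== "object" || object[key] === null) {
    object[key] = {};
  }

  return put(object[key], path, value, coerceKey);
}

// Runs the bypass attempt against an empty object and reports whether an
// unrelated object can observe the write through Object.prototype.
function demonstrateBypass(coerceKey) {
  const target = {};
  const bystander = {};

  // A path element that is itself an array: `["__proto__"] === "__proto__"`
  // is false, but `target[["__proto__"]]` still resolves to target.__proto__.
  const result = put(target, [["__proto__"], "polluted"], "yes", coerceKey);
  const leaked = bystander.polluted;

  // Undo any pollution so the rest of the process is unaffected.
  delete Object.prototype.polluted;

  return { result, leaked };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("before fix:", demonstrateBypass(false)); // { result: true, leaked: 'yes' }
  console.log("after fix: ", demonstrateBypass(true));  // { result: false, leaked: undefined }
  console.log("string path:", put({}, "__proto__.polluted", "yes", true)); // false
}
```

The string form `"__proto__.polluted"` was already rejected before the fix, because splitting a string yields string keys; only a non-string element in an array path slipped past the comparison, which is why a one-character change (`"" +`) is sufficient here.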
Showing 12 changed files with 241 additions and 191 deletions.
Binary file removed .DS_Store
5 changes: 2 additions & 3 deletions .github/workflows/main.yml
@@ -5,17 +5,16 @@ on:
branches:
- main
- master

jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [6.x, 8.x]
node-version: [10.x, 12.x, 14.x, 16.x]
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1
uses: actions/setup-node@v2
with:
node-version: ${{ matrix.node-version }}
- run: npm install
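Review bot: with package-lock.json committed (it changes in this same commit), `- run: npm install` should be `npm ci` so CI installs exactly the locked dependency tree instead of re-resolving it on every run. The action references `actions/checkout@v2` and `actions/setup-node@v2` are floating major tags; pinning them to a commit SHA makes the workflow reproducible. Dropping 6.x/8.x and adding 10.x through 16.x is fine, but the matrix should be kept in step with whatever `engines` the package declares.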
12 changes: 6 additions & 6 deletions docs/docco.css
@@ -213,7 +213,7 @@ ul.sections > li > div {

/*---------------------- Low resolutions (> 320px) ---------------------*/
@media only screen and (min-width: 320px) {
.pilwrap { display: none; }
.sswrap { display: none; }

ul.sections > li > div {
display: block;
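Review bot: docs/docco.css, docs/lib/index.html and the font mode changes are docco regeneration output unrelated to the prototype-pollution fix; shipping them in the same commit buries the two-line lib/index.js change and makes the fix harder to cherry-pick onto a release branch. Regenerate the docs in a separate commit.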
@@ -330,12 +330,12 @@ ul.sections > li > div {
box-shadow: none;
}

.pilwrap {
.sswrap {
position: relative;
display: inline;
}

.pilcrow {
.ss {
font: 12px Arial;
text-decoration: none;
color: #454545;
@@ -345,14 +345,14 @@ ul.sections > li > div {
opacity: 0;
-webkit-transition: opacity 0.2s linear;
}
.for-h1 .pilcrow {
.for-h1 .ss {
top: 47px;
}
.for-h2 .pilcrow, .for-h3 .pilcrow, .for-h4 .pilcrow {
.for-h2 .ss, .for-h3 .ss, .for-h4 .ss {
top: 35px;
}

ul.sections > li > div.annotation:hover .pilcrow {
ul.sections > li > div.annotation:hover .ss {
opacity: 1;
}
}
194 changes: 97 additions & 97 deletions docs/lib/index.html


Empty file modified docs/public/fonts/roboto-black.eot 100755 → 100644
Empty file modified docs/public/fonts/roboto-black.ttf 100755 → 100644
Empty file modified docs/public/fonts/roboto-black.woff 100755 → 100644
4 changes: 3 additions & 1 deletion lib/index.js
@@ -170,7 +170,7 @@ var put = (module.exports.put = function put(object, path, value) {

path = path.slice();

var key = path.shift();
var key = "" + path.shift();

if (typeof object !== "object" || object === null || key === "__proto__") {
return false;
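Review bot: the `"" + path.shift()` coercion is what closes the bypass: a path element such as `["__proto__"]` fails the `key === "__proto__"` comparison two lines below, but when used as a property name it converts to the string "__proto__", so the old code walked into the prototype. Two follow-ups on the guard itself: it still names only `__proto__`, so unless the elided lines between this hunk and the next reject them, a path of `constructor` followed by `prototype` reaches Object.prototype the same way and deserves either a second blacklist entry or an own-property check before recursing; and string coercion throws a TypeError for a Symbol key where the old code accepted it, which should be called out in the docs if symbol keys were ever supported.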
@@ -188,6 +188,8 @@ var put = (module.exports.put = function put(object, path, value) {

return put(object[key], path, value);
}

return true;
});

//
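Review bot: the trailing `return true` makes the leaf path report success while the recursive branch `return put(object[key], path, value);` already propagates the nested result, but the new test only pins the one-level case; add a two-level path and a rejected path (`__proto__`) to the return-value tests so the contract is checked on every branch. The true/false return should also be stated in the put documentation so callers know a false means nothing was written.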
175 changes: 96 additions & 79 deletions package-lock.json


4 changes: 2 additions & 2 deletions package.json
@@ -21,7 +21,7 @@
"author": "Conrad Pankoff <deoxxa@fknsrs.biz> (http://www.fknsrs.biz/)",
"license": "BSD-3-Clause",
"devDependencies": {
"vows": "^0.8.0",
"docco": "^0.8.0"
"vows": "^0.8.3",
"docco": "^0.8.1"
}
}
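Review bot: this hunk only bumps devDependencies; the package version is not changed anywhere in the commit, so consumers get no published version carrying the lib/index.js fix until a separate bump and release (the commit thread below confirms the bump was missed). A security fix should land with its version bump so the advisory can name the fixed version.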
9 changes: 9 additions & 0 deletions test/put-test.js
@@ -26,6 +26,15 @@ vows
assert.equal(res.a, "b");
},
},
"returns true": {
topic: (function () {
var res = dotty.put({}, ["a"], "b");
return res;
})(),
"should set the correct value": function (res) {
assert.equal(res, true);
},
},
},
"A two-level path": {
"as a string": {
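Review bot: the new `"returns true"` case asserts on the return value but its label `"should set the correct value"` is copied from the neighbouring case; rename it to `"should return true"`. More importantly, nothing here exercises the `"" + path.shift()` coercion the commit exists for: add a case with the path `[["__proto__"], "polluted"]` asserting that put returns false and that `({}).polluted` is still undefined afterwards, so the bypass cannot silently come back.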

6 comments on commit 88f6186

@JamieSlome

@stramel - was the Prototype Pollution addressed as a result of the following report? Or does the commit address the vulnerability described in the report?

If so, could you let me know which version this issue was patched in, and I can update the report on your behalf :)

@stramel
Collaborator Author

@stramel stramel commented on 88f6186 May 12, 2022


@JamieSlome It was not addressed as a result of that specific report. I was contacted by another security testing company privately and fixed it as a result of that. I believe this was released in v0.1.2. Unfortunately, I'm not able to relate it to the published vulnerability since I'm just a maintainer and not the admin for the repo. Seems that I forgot to bump the package.json though.

This test covers the case described by your report test case

@JamieSlome

@stramel - appreciate the in-depth response here 👍

This helps massively, thank you.

@ready-research

@stramel Is that report shared by https://github.com/zidingz, who raised the security concern and raised issue 31 for the security.md file (by huntr-helper at the bottom of the 1st comment)? He is also from huntr.dev. You can check the same in our huntr report that raised an issue for security.md on the same date. Thank you.

@stramel
Collaborator Author


@ready-research The report was shared by @danielelkabes in issue #25. I was also contacted by @zidingz in issue #31 but never got an email from him.

@ready-research

@stramel Thanks for the clarification.
