Fix prototype pollution (#26)
stramel committed Jan 25, 2021
1 parent 8e157c2 commit cd997d3
Showing 19 changed files with 670 additions and 525 deletions.
2 changes: 1 addition & 1 deletion docs/lib/index.html
Expand Up @@ -5,7 +5,7 @@
<title>index.js</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, target-densitydpi=160dpi, initial-scale=1.0; maximum-scale=1.0; user-scalable=0;">
<link rel="stylesheet" media="all" href="..\docco.css" />
<link rel="stylesheet" media="all" href="../docco.css" />
</head>
<body>
<div id="container">
Empty file modified docs/public/fonts/aller-bold.eot 100755 → 100644
Empty file.
Empty file modified docs/public/fonts/aller-bold.ttf 100755 → 100644
Empty file.
Empty file modified docs/public/fonts/aller-bold.woff 100755 → 100644
Empty file.
Empty file modified docs/public/fonts/aller-light.eot 100755 → 100644
Empty file.
Empty file modified docs/public/fonts/aller-light.ttf 100755 → 100644
Empty file.
Empty file modified docs/public/fonts/aller-light.woff 100755 → 100644
Empty file.
Empty file modified docs/public/fonts/roboto-black.eot 100644 → 100755
Empty file.
Empty file modified docs/public/fonts/roboto-black.ttf 100644 → 100755
Empty file.
Empty file modified docs/public/fonts/roboto-black.woff 100644 → 100755
Empty file.
83 changes: 53 additions & 30 deletions lib/index.js
Expand Up @@ -13,7 +13,7 @@
// Returns `true` if the path can be completely resolved, `false` otherwise.
//

var exists = module.exports.exists = function exists(object, path) {
var exists = (module.exports.exists = function exists(object, path) {
if (typeof path === "string") {
path = path.split(".");
}
Expand All @@ -35,19 +35,19 @@ var exists = module.exports.exists = function exists(object, path) {
} else {
return exists(object[key], path);
}
};
});

//
// These arguments are the same as those for `exists`.
//
// The return value, however, is the property you're trying to access, or
// `undefined` if it can't be found. This means you won't be able to tell
// the difference between an unresolved path and an undefined property, so you
// the difference between an unresolved path and an undefined property, so you
// should not use `get` to check for the existence of a property. Use `exists`
// instead.
//

var get = module.exports.get = function get(object, path) {
var get = (module.exports.get = function get(object, path) {
if (typeof path === "string") {
path = path.split(".");
}
Expand All @@ -71,7 +71,7 @@ var get = module.exports.get = function get(object, path) {
if (path.length) {
return get(object[key], path);
}
};
});

//
// Arguments are similar to `exists` and `get`, with the exception that path
Expand All @@ -85,7 +85,7 @@ var get = module.exports.get = function get(object, path) {
// match. Action params are value, parent and key.
//

var search = module.exports.search = function search(object, path, action) {
var search = (module.exports.search = function search(object, path, action) {
if (typeof path === "string") {
path = path.split(".");
}
Expand All @@ -111,29 +111,41 @@ var search = module.exports.search = function search(object, path, action) {
}

if (path.length === 0) {
return Object.keys(object).filter(key.test.bind(key)).map(function(k) {
var value = object[k];
if(action){
action(value, object, k);
}
return value;
});
return Object.keys(object)
.filter(key.test.bind(key))
.map(function (k) {
var value = object[k];
if (action) {
action(value, object, k);
}
return value;
});
} else {
return Array.prototype.concat.apply([], Object.keys(object).filter(key.test.bind(key)).map(function(k) { return search(object[k], path, action); }));
return Array.prototype.concat.apply(
[],
Object.keys(object)
.filter(key.test.bind(key))
.map(function (k) {
return search(object[k], path, action);
})
);
}
};
});

//
// Perform a search and remove the matched keys.
// The return value is the same object argument with modifications.
//

var removeSearch = module.exports.removeSearch = function removeSearch(object, path){
search(object, path, function(value, object, key){
var removeSearch = (module.exports.removeSearch = function removeSearch(
object,
path
) {
search(object, path, function (value, object, key) {
delete object[key];
});
return object;
};
});

//
// The first two arguments for `put` are the same as `exists` and `get`.
Expand All @@ -147,23 +159,22 @@ var removeSearch = module.exports.removeSearch = function removeSearch(object, p
// successfully, or `false` otherwise.
//

var put = module.exports.put = function put(object, path, value) {
var put = (module.exports.put = function put(object, path, value) {
if (typeof path === "string") {
path = path.split(".");
}

if (!(path instanceof Array) || path.length === 0) {
return false;
}

path = path.slice();

var key = path.shift();

if (typeof object !== "object" || object === null) {
if (typeof object !== "object" || object === null || key === "__proto__") {
return false;
}

if (path.length === 0) {
object[key] = value;
} else {
Expand All @@ -177,7 +188,7 @@ var put = module.exports.put = function put(object, path, value) {

return put(object[key], path, value);
}
};
});

//
// `remove` is like `put` in reverse!
Expand All @@ -186,15 +197,15 @@ var put = module.exports.put = function put(object, path, value) {
// successfully, or `false` otherwise.
//

var remove = module.exports.remove = function remove(object, path, value) {
var remove = (module.exports.remove = function remove(object, path, value) {
if (typeof path === "string") {
path = path.split(".");
}

if (!(path instanceof Array) || path.length === 0) {
return false;
}

path = path.slice();

var key = path.shift();
Expand All @@ -214,7 +225,7 @@ var remove = module.exports.remove = function remove(object, path, value) {
} else {
return remove(object[key], path, value);
}
};
});

//
// `deepKeys` creates a list of all possible key paths for a given object.
Expand All @@ -231,7 +242,11 @@ var remove = module.exports.remove = function remove(object, path, value) {
// *Note: this will probably explode on recursive objects. Be careful.*
//

var deepKeys = module.exports.deepKeys = function deepKeys(object, options, prefix) {
var deepKeys = (module.exports.deepKeys = function deepKeys(
object,
options,
prefix
) {
options = options || {};

if (typeof prefix === "undefined") {
Expand All @@ -250,13 +265,21 @@ var deepKeys = module.exports.deepKeys = function deepKeys(object, options, pref
}

if (typeof object[k] === "object" && object[k] !== null) {
keys = keys.concat(deepKeys(object[k], {leavesOnly: options.leavesOnly}, prefix.concat([k])));
keys = keys.concat(
deepKeys(
object[k],
{ leavesOnly: options.leavesOnly },
prefix.concat([k])
)
);
}
}

if (options.asStrings) {
keys = keys.map(function(e) { return e.join("."); });
keys = keys.map(function (e) {
return e.join(".");
});
}

return keys;
};
});
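Review bot: The guard added to `put` compares `key === "__proto__"` strictly, so it only covers path segments that are strings, while `path` may be a caller-supplied array and `object[key]` converts whatever segment it receives to a property name. Normalising the segment before the comparison would make the check match what the property access actually does, e.g. `if (typeof object !== "object" || object === null || String(key) === "__proto__") {`. `remove` takes the same kind of path and its hunks in this commit show only formatting changes, so unless its collapsed lines already reject that key it can still delete properties through the prototype; the same check belongs there. Both function bodies are partly collapsed on this page, so this is based on the visible lines only.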
40 changes: 20 additions & 20 deletions package-lock.json

