Fix prototype pollution vulnerability
diegohaz committed Feb 16, 2020
1 parent ad8881d commit 63b4ed4
Showing 2 changed files with 23 additions and 0 deletions.
8 changes: 8 additions & 0 deletions src/index.js
Expand Up @@ -18,6 +18,14 @@ export const handlers = {
* @param {Function} [fn] - Set the handler method.
*/
export function handler (type, name, fn) {
if (
type === 'constructor' ||
type === '__proto__' ||
name === 'constructor' ||
name === '__proto__'
) {
return
}
if (arguments.length > 2) {
handlers[type][name] = fn
}
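Review bot: The new guard on lines 20–27 is a denylist, so any other inherited key passed as `type` (for example `toString` or `hasOwnProperty`) still resolves through the prototype chain of the `handlers` object literal, and the assignment on line 29 would then add a property to a shared built-in function object; a `type` that is not a key at all leaves `handlers[type]` undefined and the same assignment throws a TypeError. Since `handlers` is a fixed record (the test registers under `formatters` and `validators`), an own-property allowlist is both tighter and simpler: replace the two `type ===` comparisons with `if (!Object.prototype.hasOwnProperty.call(handlers, type)) return` and keep the `name` checks for `__proto__` and `constructor`. A one-line comment above the guard, `// Reject prototype-chain keys so handler() cannot reach Object.prototype`, would also help, because the silent `return` gives the caller no indication that the registration was dropped. The rest of handler's body, including the read path taken when fewer than three arguments are passed, is outside the hunk.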
15 changes: 15 additions & 0 deletions test/index.js
Expand Up @@ -116,3 +116,18 @@ test('Bodymen middleware', (t) => {
t.same(res.body, {links: [{icon: 'path to icon'}]}, 'should respond with correct object')
})
})

test('Prototype pollution', (t) => {
const { toString } = {}

bodymen.handler('__proto__', 'toString', 'JHU')
t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')

bodymen.handler('formatters', '__proto__', { toString: 'JHU' })
t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')

bodymen.handler('validators', '__proto__', { toString: 'JHU' })
t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')

t.end()
})
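Review bot: The second and third assertions (lines 46 and 49) do not exercise the guard they are meant to cover: on the unpatched code, `handlers.formatters.__proto__ = {...}` rewires the prototype of the `formatters` object itself, not `Object.prototype`, so `{}.toString === toString` holds with or without the fix. A check that actually fails on the vulnerable code has to look at the affected object, for example `t.ok(Object.getPrototypeOf(bodymen.handlers.formatters) === Object.prototype, 'should not replace the formatters prototype')` if `handlers` is reachable through the `bodymen` import (it is a named export in src/index.js), or read back `bodymen.handler('formatters', 'toString')` and assert it is not `'JHU'` if the two-argument form returns the stored handler. The three assertion messages are identical, so a failure would not say which registration slipped through; give each a distinct message naming the `type`/`name` pair.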
