Fix prototype pollution vulnerability (#77)
* Fix prototype pollution vulnerability

* Fix test
diegohaz committed Mar 12, 2020
1 parent fecef6e commit 1987fef
Showing 4 changed files with 25 additions and 3 deletions.
3 changes: 1 addition & 2 deletions .travis.yml
@@ -1,7 +1,6 @@
language: node_js
services: mongodb
node_js:
- v5
- v4
- v6
after_script:
- 'npm run coveralls'
8 changes: 8 additions & 0 deletions src/index.js
Expand Up @@ -19,6 +19,14 @@ export let handlers = {
* @param {Function} [fn] - Set the handler method.
*/
export function handler (type, name, fn) {
if (
type === 'constructor' ||
type === '__proto__' ||
name === 'constructor' ||
name === '__proto__'
) {
return
}
if (arguments.length > 2) {
handlers[type][name] = fn
}
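Review bot: The guard added at the top of `handler` is a denylist, so a `type` string that is not a key of `handlers` still reaches `handlers[type][name] = fn` and fails with a TypeError on the undefined `handlers[type]` instead of being rejected cleanly, and a rejected registration is dropped by the bare `return` with no signal to the caller. Because `handlers` is declared as a plain object literal (its initializer starts above the hunk, so its full key set is not visible here), an allowlist on the first argument is shorter and also covers keys not named in the check: `if (!Object.prototype.hasOwnProperty.call(handlers, type)) return`, keeping the `name === 'constructor' || name === '__proto__'` test as it is so the nested object's prototype cannot be swapped either. Throwing a `TypeError` rather than returning would make a misconfigured registration visible at the call site. The getter branch of `handler` continues below the hunk.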
15 changes: 15 additions & 0 deletions test/index.js
Expand Up @@ -42,6 +42,21 @@ const route = (...args) => {
return app
}

test('Prototype pollution', (t) => {
const { toString } = {}

querymen.handler('__proto__', 'toString', 'JHU')
t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')

querymen.handler('formatters', '__proto__', { toString: 'JHU' })
t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')

querymen.handler('validators', '__proto__', { toString: 'JHU' })
t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')

t.end()
})

test('Querymen handler', (t) => {
t.notOk(querymen.parser('testParser'), 'should not get nonexistent parser')
t.notOk(querymen.formatter('testFormatter'), 'should not get nonexistent formatter')
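Review bot: All three assertions in the new `Prototype pollution` test probe only `{}.toString`, so a regression that lets a key other than `toString` through would not be caught, and the three identical messages make a failure hard to attribute to a call. Add a probe with a key that does not already exist on `Object.prototype`, for example `querymen.handler('__proto__', 'polluted', true)` followed by `t.ok({}.polluted === undefined, 'should not add keys to Object.prototype')`, and give each existing assertion a distinct message naming which argument position it exercises. The second and third calls presume `formatters` and `validators` are keys of `handlers`; that is not visible in this diff.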
2 changes: 1 addition & 1 deletion test/querymen-schema.js
Expand Up @@ -29,7 +29,7 @@ test('QuerymenSchema add', (t) => {
t.same(add('123,456', [Number]), [123, 456], 'should add a param with type option number array')
t.same(add('123,0', [Boolean]), [true, false], 'should add a param with type option boolean array')
t.same(add('2016,2017', [Date]), [new Date('2016'), new Date('2017')], 'should add a param with type option date array')
t.same(add('123,456', [RegExp]), [/123/i, /123/i], 'should add a param with type option regexp array')
t.same(add('123,456', [RegExp]), [/123/i, /456/i], 'should add a param with type option regexp array')
t.end()
})

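Review bot: The corrected expectation on the `[RegExp]` line only verifies the second element if the deep comparison behind `t.same` inspects regex source and flags; older deep-equal implementations treat any two RegExp objects as equal, which is presumably why the previous `[/123/i, /123/i]` expectation passed, and in that case this line passes with either value. Comparing serialized forms removes the dependency on that behaviour: `t.same(add('123,456', [RegExp]).map(String), ['/123/i', '/456/i'], 'should add a param with type option regexp array')`. The enclosing `QuerymenSchema add` test starts above the hunk.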
