better fix for prototype pollution vulnerability

cheers Idan Digmi of Snyk Security
dominictarr · Mar 7, 2022 · c112986 · c112986
1 parent 49d19b0
commit c112986
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/index.js b/index.js
@@ -22,13 +22,17 @@ function isNonNegativeInteger (i) {
 function set (obj, path, value) {
   if(!obj) throw new Error('libnested.set: first arg must be an object')
   if(isBasic(path)) return obj[path] = value
-  for(var i = 0; i < path.length; i++)
+  for(var i = 0; i < path.length; i++) {
+    if (isPrototypePolluted(path[i]))
+      continue
+
     if(i === path.length - 1)
       obj[path[i]] = value
     else if(null == obj[path[i]])
       obj = (obj[path[i]] = isNonNegativeInteger(path[i+1]) ? [] : {})
-    else if (!(isPrototypePolluted(path[i])))
+    else
       obj = obj[path[i]]
+  }
   return value
 }
 
@@ -92,7 +96,7 @@ function clone (obj) {
 }
 
 function isPrototypePolluted(key) {
-  return ['__proto__', 'constructor', 'prototype'].includes(key)
+  return ['__proto__', 'constructor', 'prototype'].includes(key.toString())
 }
 
 exports.get = get

diff --git a/test.js b/test.js
@@ -151,3 +151,14 @@ tape('clone does not leave an array reference', function (t) {
 
   t.end()
 })
+
+tape('prototype pollution', function (t) {
+  t.notEqual({}.polluted, 'yes')
+  R.set({}, ['__proto__','polluted'], 'yes');
+  t.notEqual({}.polluted, 'yes')
+  R.set({}, [['__proto__'], 'polluted'], 'yes')
+  t.notEqual({}.polluted, 'yes')
+  R.set({}, [['constructor', 'prototype'], 'polluted'], 'yes')
+  t.notEqual({}.polluted, 'yes')
+  t.end()
+})