Fixed 2nd issue with prototype pollution

evangelion1204 · Dec 19, 2020 · 3c7e751 · 3c7e751
1 parent 49d6027
commit 3c7e751
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -137,6 +137,12 @@ content = serializer.serialize({
 
 ## Changelog
 
+### 2.1.2
+* Fixed prototype pollution by ignoring `constructor`
+
+### 2.1.1
+* Fixed prototype pollution by ignoring `__proto__`
+
 ### 1.0.1
 * Fixed bug with `keep_quotes` ignored when writing files
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "multi-ini",
-  "version": "2.1.1",
+  "version": "2.1.2",
   "license": "MIT",
   "description": "An ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files.",
   "main": "lib/index.js",

diff --git a/src/parser.js b/src/parser.js
@@ -20,7 +20,7 @@ const defaults = {
     constants: {},
 };
 
-const REGEXP_IGNORE_KEYS = /__proto__/;
+const REGEXP_IGNORE_KEYS = /__proto__|constructor/;
 
 class Parser {
     constructor(options = {}) {

diff --git a/test/data/prototype_pollution.ini b/test/data/prototype_pollution.ini
@@ -3,4 +3,6 @@ value=key
 [__proto__]
 polluted="polluted"
 [other]
-__proto__.path_polluted="polluted"
+__proto__.path_polluted="polluted"
+[constructor]
+prototype.polluted = polluted