Merge pull request #39 from evangelion1204/fix-constructor-prototype-…

…pollution Fixed 2nd issue with prototype pollution
evangelion1204 · Dec 19, 2020 · db03595 · db03595
2 parents 49d6027 + 6b2212b
commit db03595
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -137,6 +137,12 @@ content = serializer.serialize({
 
 ## Changelog
 
+### 2.1.2
+* Fixed prototype pollution by ignoring `constructor`
+
+### 2.1.1
+* Fixed prototype pollution by ignoring `__proto__`
+
 ### 1.0.1
 * Fixed bug with `keep_quotes` ignored when writing files
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "multi-ini",
-  "version": "2.1.1",
+  "version": "2.1.2",
   "license": "MIT",
   "description": "An ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files.",
   "main": "lib/index.js",

diff --git a/src/parser.js b/src/parser.js
@@ -20,7 +20,7 @@ const defaults = {
     constants: {},
 };
 
-const REGEXP_IGNORE_KEYS = /__proto__/;
+const REGEXP_IGNORE_KEYS = /__proto__|constructor|prototype/;
 
 class Parser {
     constructor(options = {}) {

diff --git a/test/data/prototype_pollution.ini b/test/data/prototype_pollution.ini
@@ -3,4 +3,8 @@ value=key
 [__proto__]
 polluted="polluted"
 [other]
-__proto__.path_polluted="polluted"
+__proto__.path_polluted="polluted"
+[constructor]
+prototype.polluted = polluted
+[prototype]
+polluted = polluted