Fix prototype pollution vulnerability
fiznool committed May 19, 2021
2 parents f025695 + cb1609a commit d46ca62
Showing 2 changed files with 37 additions and 1 deletion.
11 changes: 10 additions & 1 deletion index.js
Expand Up @@ -43,7 +43,16 @@ module.exports = function (bodyParser) {
return next(err);
}

req.body = xml || req.body;
if (xml) {
// Guard against prototype pollution
delete xml.__proto__;
delete xml.constructor;
delete xml.prototype;

// Set result on the request body
req.body = xml;
}

next();
});
});
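Review bot: The three `delete` statements only strip the dangerous keys from the top-level object, so a document whose offending element sits one level down (`<data><__proto__>…`) still reaches `req.body` intact, and any later deep-merge of the parsed body into another object would have the same reachability into `Object.prototype` that this commit is closing. Whether `delete xml.__proto__` removes an own property or is a no-op also depends on how the parser built the object (an own key from a JSON-style construction is removed; a value set through the `__proto__` setter has already replaced the prototype and `delete` does not undo that), so it is worth confirming the parser in use creates own properties — the new tests pass, which suggests it does, but that is inferred. I would replace the three deletes with a recursive scrub that walks arrays and nested objects, and keep the `if (xml)` guard as is. The enclosing `module.exports` callback starts and ends outside the hunk.
```javascript
// … unchanged: error handling above …
if (xml) {
  // Strip prototype-related keys at every depth, not only the top level,
  // so a later deep merge of the body cannot reach Object.prototype.
  const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
  const scrub = (value) => {
    if (Array.isArray(value)) {
      value.forEach(scrub);
    } else if (value !== null && typeof value === 'object') {
      for (const key of Object.keys(value)) {
        if (BLOCKED_KEYS.has(key)) {
          delete value[key];
        } else {
          scrub(value[key]);
        }
      }
    }
    return value;
  };

  // Set result on the request body
  req.body = scrub(xml);
}
// … unchanged: next() …
```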
27 changes: 27 additions & 0 deletions test.js
Expand Up @@ -130,4 +130,31 @@ describe('XML Body Parser', function () {
.send('x<foo>test</foo><bar>test</bar></data>')
.expect(400, done);
});

it('should not set/change prototype using __proto__', function (done) {
createServer();
request(app)
.post('/')
.set('Content-Type', 'application/xml')
.send('<__proto__><name>Bob</name></__proto__>')
.expect(200, { parsed: {} }, done);
});

it('should not set/change using prototype', function (done) {
createServer();
request(app)
.post('/')
.set('Content-Type', 'application/xml')
.send('<prototype><name>Bob</name></prototype>')
.expect(200, { parsed: {} }, done);
});

it('should not set/change using constructor', function (done) {
createServer();
request(app)
.post('/')
.set('Content-Type', 'application/xml')
.send('<constructor><name>Bob</name></constructor>')
.expect(200, { parsed: {} }, done);
});
});
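Review bot: The three new cases only check the echoed response shape, so they would pass even if the guard were bypassed as long as the reserved key was dropped from the output; none of them asserts that the process-wide prototype is actually untouched, and none uses a nested element, which is where the top-level `delete` guard stops applying. I would add, after each `.expect(...)`, a check such as `assert.strictEqual(({}).name, undefined);` inside the `done` callback, and one more `it` block that sends `<data><__proto__><name>Bob</name></__proto__></data>` and expects the nested key to be absent from the parsed body. The enclosing `describe('XML Body Parser', …)` starts outside the hunk.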
