Showing with 59 additions and 9 deletions.
  1. +18 −0 CHANGELOG.md
  2. +1 −1 package-lock.json
  3. +1 −1 package.json
  4. +34 −7 src/parse.js
  5. +5 −0 test/parse.js
18 changes: 18 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,18 @@
### Unreleased [[code][c-unreleased], [diff][d-unreleased]]

[c-unreleased]: https://github.com/json5/json5/tree/v1
[d-unreleased]: https://github.com/json5/json5/compare/v1.0.2...v1

### v1.0.2 [[code][c1.0.2], [diff][d1.0.2]]

[c1.0.2]: https://github.com/json5/json5/tree/v1.0.2
[d1.0.2]: https://github.com/json5/json5/compare/v1.0.1...v1.0.2

- Fix: Properties with the name `__proto__` are added to objects and arrays.
([#199]) This also fixes a prototype pollution vulnerability reported by
Jonathan Gregson! ([#295]). This has been backported to v1. ([#298])


### v1.0.1 [[code][c1.0.1], [diff][d1.0.1]]

[c1.0.1]: https://github.com/json5/json5/tree/v1.0.1
Expand Down Expand Up @@ -272,3 +287,6 @@ parser for the regular JSON format.
[#108]: https://github.com/json5/json5/pull/108
[#134]: https://github.com/json5/json5/pull/134
[#154]: https://github.com/json5/json5/issues/154
[#199]: https://github.com/json5/json5/issues/199
[#295]: https://github.com/json5/json5/issues/295
[#298]: https://github.com/json5/json5/pull/298
2 changes: 1 addition & 1 deletion package-lock.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "json5",
"version": "1.0.1",
"version": "1.0.2",
"description": "JSON for humans.",
"main": "lib/index.js",
"bin": "lib/cli.js",
Expand Down
41 changes: 34 additions & 7 deletions src/parse.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,12 +42,34 @@ export default function parse (text, reviver) {
function internalize (holder, name, reviver) {
const value = holder[name]
if (value != null && typeof value === 'object') {
for (const key in value) {
const replacement = internalize(value, key, reviver)
if (replacement === undefined) {
delete value[key]
} else {
value[key] = replacement
if (Array.isArray(value)) {
for (let i = 0; i < value.length; i++) {
const key = String(i)
const replacement = internalize(value, key, reviver)
if (replacement === undefined) {
delete value[key]
} else {
Object.defineProperty(value, key, {
value: replacement,
writable: true,
enumerable: true,
configurable: true,
})
}
}
} else {
for (const key in value) {
const replacement = internalize(value, key, reviver)
if (replacement === undefined) {
delete value[key]
} else {
Object.defineProperty(value, key, {
value: replacement,
writable: true,
enumerable: true,
configurable: true,
})
}
}
}
}
Expand Down Expand Up @@ -973,7 +995,12 @@ function push () {
if (Array.isArray(parent)) {
parent.push(value)
} else {
parent[key] = value
Object.defineProperty(parent, key, {
value,
writable: true,
enumerable: true,
configurable: true,
})
}
}

Expand Down
5 changes: 5 additions & 0 deletions test/parse.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,11 @@ describe('JSON5', () => {
assert.deepStrictEqual(JSON5.parse('{\\u0061\\u0062:1,\\u0024\\u005F:2,\\u005F\\u0024:3}'), {ab: 1, $_: 2, _$: 3})
})

it('preserves __proto__ property names', () => {
// eslint-disable-next-line no-proto
assert.strictEqual(JSON5.parse('{"__proto__":1}').__proto__, 1)
})

it('parses multiple properties', () => {
assert.deepStrictEqual(JSON5.parse('{abc:1,def:2}'), {abc: 1, def: 2})
})
Expand Down