fix: prevent prototype pollution attack
loge5 committed Dec 9, 2020
1 parent abbaf8b commit 3a88a6c
Showing 2 changed files with 15 additions and 1 deletion.
6 changes: 5 additions & 1 deletion conf-cfg-ini.js
Expand Up @@ -35,6 +35,7 @@ Config.prototype.decode = function(data){
throw new Error('expecting string but got '+typeof data);
}
}
var protectedKeys = ['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', '__proto__'];
var result = {};
var currentSection = undefined;
var lines = data.split(this.options.lineEnding);
Expand All @@ -51,7 +52,7 @@ Config.prototype.decode = function(data){
var newSection = line.match(sectionRegExp);
if(newSection !== null){
currentSection = newSection[1];
if(typeof result[currentSection] === 'undefined'){
if(typeof result[currentSection] === 'undefined' && !protectedKeys.includes(currentSection)){
result[currentSection] = {};
}
continue;
Expand All @@ -78,6 +79,9 @@ Config.prototype.decode = function(data){
if (typeof this.options.valueIdentifier === 'string') {
value = this.valueTrim(value, this.options.valueIdentifier);
}
if (protectedKeys.includes(currentSection) || protectedKeys.includes(key)) {
continue;
}
if(typeof currentSection === 'undefined'){
result[key] = value;
} else {
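Review bot: The guard on the new line `if(typeof result[currentSection] === 'undefined' && !protectedKeys.includes(currentSection))` still lets through a section header that names an inherited property outside the five listed (`constructor`, `toString`, `hasOwnProperty`, …): `typeof` on such a name is not 'undefined', so no fresh `{}` is created and the write that the `else` branch below the hunk presumably performs lands on the shared built-in instead of on `result`. An own-property test closes that gap regardless of the blocklist: `if(!Object.prototype.hasOwnProperty.call(result, currentSection) && !protectedKeys.includes(currentSection)){`. The `protectedKeys` check added in the third hunk should stay as defense in depth for the `__proto__` accessor, which an own-property test alone does not cover. `decode` starts before the first hunk and continues after the last one, so the `else` branch itself is not visible here.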
10 changes: 10 additions & 0 deletions conf-cfg-ini.spec.js
Expand Up @@ -112,6 +112,16 @@ describe('Config', function() {
expect(result.Section.foo).to.equal("bar");
});

it('decode should prevent prototype pollution attacks', function () {
var config = new Config();
config.options.lineEnding = "\n";
config.options.assignIdentifier = ":";
var result = config.decode("[__proto__]\nfoo:bar\n");
should.not.exist(result.__proto__.foo);
result = config.decode("[Section]\n__proto__:bar\n");
expect(result.Section.__proto__).to.not.equal("bar");
});

it('valueTrim should trim custom chars', function () {
var config = new Config();
expect(config.valueTrim('"Te"s"t"', '"')).to.equal('Te"s"t');
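Review bot: The second assertion `expect(result.Section.__proto__).to.not.equal("bar")` passes both before and after the fix, because assigning a string to `__proto__` is ignored by its setter, so it does not pin the new `protectedKeys.includes(key)` branch. A key that would otherwise become an own string property is observable, e.g. `result = config.decode("[Section]\n__defineGetter__:bar\n");` followed by `expect(Object.prototype.hasOwnProperty.call(result.Section, '__defineGetter__')).to.equal(false);`. Should the first case ever regress, `Object.prototype.foo` would stay set for every later spec; a `delete Object.prototype.foo` in an `afterEach` keeps the suite isolated. The enclosing `describe('Config', …)` block starts before and ends after this hunk.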



@loge5 loge5 commented on 3a88a6c Aug 12, 2022
