
Merge pull request #34 from AdamGold/master
fix: 🐛 fix prototype pollution
manuelstofer committed Sep 24, 2020
2 parents 018e488 + 8c998b5 commit 1dbd1ed
Showing 2 changed files with 30 additions and 0 deletions.
3 changes: 3 additions & 0 deletions index.js
Expand Up @@ -75,6 +75,9 @@ api.set = function set (obj, pointer, value) {

for (var i = 0; i < refTokens.length - 1; ++i) {
var tok = refTokens[i];
if (tok === "__proto__" || tok === "constructor" || tok === "prototype") {
continue
}
if (tok === '-' && Array.isArray(obj)) {
tok = obj.length;
}
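Review bot: The `continue` in the added guard quietly drops the dangerous token and keeps walking the remaining tokens against the same object, so a pointer such as `/__proto__/polluted` is neither rejected nor applied as written, and where the value finally lands depends on the loop's bookkeeping outside this hunk. For a library whose callers may feed it attacker-controlled pointers, failing loudly is the safer contract: `throw new Error('Invalid reference token: ' + tok);` in place of `continue`, with the new tests adjusted to expect the throw. The check also only runs while `i < refTokens.length - 1`, so the last token is never inspected; if the write after the loop is a plain `obj[last] = value` (not visible here), `set(obj, '/__proto__', x)` can still replace the target object's prototype, which is worth either guarding or documenting as out of scope. `set` begins at the hunk header and its body continues past the end of the hunk.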
27 changes: 27 additions & 0 deletions test/test.js
Expand Up @@ -436,4 +436,31 @@ describe('convenience api wrapper', function() {
objPointer.get(immutable(['oo-style'])).should.equal('bla');
objPointer.get(immutable(['example', '0'])).should.equal('bla2');
});

it('should not set __proto__', function () {
var obj = {}, objPointer = pointer(obj);
expect(obj.polluted).to.be.undefined();
objPointer.set('/__proto__/polluted', true);
expect(obj.polluted).to.be.undefined();
var obj2 = {};
expect(obj2.polluted).to.be.undefined();
});

it('should not set prototype', function () {
var obj = {}, objPointer = pointer(obj);
expect(obj.polluted).to.be.undefined();
objPointer.set('/prototype/polluted', true);
expect(obj.polluted).to.be.undefined();
var obj2 = {};
expect(obj2.polluted).to.be.undefined();
});

it('should not set constructor', function () {
var obj = {}, objPointer = pointer(obj);
expect(obj.polluted).to.be.undefined();
objPointer.set('/constructor/prototype/polluted', true);
expect(obj.polluted).to.be.undefined();
var obj2 = {};
expect(obj2.polluted).to.be.undefined();
});
});
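Review bot: If any of the three new tests fails by actually polluting, `Object.prototype.polluted` stays set for the rest of the run and every later test in the file inherits it, because the only cleanup is the assertion itself; add `afterEach(function () { delete Object.prototype.polluted; });` to this describe block so a failure is contained. The three cases differ only in the pointer and would read better as one loop over `['/__proto__/polluted', '/prototype/polluted', '/constructor/prototype/polluted']`, which also makes it cheap to cover the array-pointer form this describe block already exercises (`immutable(['__proto__', 'polluted'])`). Each test currently asserts only that nothing was polluted; asserting what the call did do to `obj` (or that it throws) would pin the intended contract rather than just the absence of the bug.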
