Skip to content

Commit

Permalink
Fix prototype pollution when pointer is not a string or number
Browse files Browse the repository at this point in the history
  • Loading branch information
@hhomar
hhomar committed Nov 11, 2021
1 parent 9b5ea8e commit 47dae1d
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 0 deletions.
3 changes: 3 additions & 0 deletions index.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,9 @@ api.set = function set (obj, pointer, value) {

for (var i = 0; i < refTokens.length - 1; ++i) {
var tok = refTokens[i];
if (typeof tok !== 'string' && typeof tok !== 'number') {
tok = String(tok)
}
if (tok === "__proto__" || tok === "constructor" || tok === "prototype") {
continue
}
Expand Down
9 changes: 9 additions & 0 deletions test/test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -446,6 +446,15 @@ describe('convenience api wrapper', function() {
expect(obj2.polluted).to.be.undefined();
});

it('should not set __proto__ (array)', function () {
var obj = {}, objPointer = pointer(obj);
expect(obj.polluted).to.be.undefined();
objPointer.set([['__proto__'], 'polluted'], true);
expect(obj.polluted).to.be.undefined();
var obj2 = {};
expect(obj2.polluted).to.be.undefined();
});

it('should not set prototype', function () {
var obj = {}, objPointer = pointer(obj);
expect(obj.polluted).to.be.undefined();
Expand Down

0 comments on commit 47dae1d

Please sign in to comment.