Merge pull request #19 from mrodrig/fix/issue-18
Fix #18
mrodrig committed Jan 5, 2021
2 parents e7466c1 + 03750c4 commit 4e0da2b
Showing 5 changed files with 21 additions and 8 deletions.
2 changes: 1 addition & 1 deletion dist/path.js


10 changes: 5 additions & 5 deletions lib/path.js
Expand Up @@ -48,11 +48,6 @@ function setPath(obj, kp, v) {
throw new Error('No keyPath was provided.');
}

// If this is clearly a prototype pollution attempt, then refuse to modify the path
if (kp.startsWith('__proto__') || kp.startsWith('constructor') || kp.startsWith('prototype')) {
return obj;
}

return _sp(obj, kp, v);
}

Expand All @@ -67,6 +62,11 @@ function setPath(obj, kp, v) {
function _sp(obj, kp, v) {
let {dotIndex, key, remaining} = state(kp);

// If this is clearly a prototype pollution attempt, then refuse to modify the path
if (kp.startsWith('__proto__') || kp.startsWith('constructor') || kp.startsWith('prototype')) {
return obj;
}

if (dotIndex >= 0) {
// If there is a '.' in the key path, recur on the subdoc and ...
if (!obj[key] && Array.isArray(obj)) {
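Review bot: The guard moved into `_sp` still compares the whole remaining key path with `startsWith`, so it refuses any path whose next segment merely begins with `__proto__`, `constructor` or `prototype` (a legitimate key such as `prototypeName` or `constructorArgs.x` is silently dropped), while the value that actually gets assigned is the parsed segment `key` from `state(kp)`. If `key` is the current segment, as the destructuring on the line above suggests, an exact comparison is both tighter and easier to reason about: `if (key === '__proto__' || key === 'constructor' || key === 'prototype') {`. Since a refused write returns `obj` unchanged, callers cannot tell a refusal from a successful set; a one-line comment on the `return obj;` saying `// Refused: caller receives the document unchanged, no error is raised` would make that contract explicit. `_sp` continues past the end of the hunk, so any later segment handling was not reviewed here.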
2 changes: 1 addition & 1 deletion package-lock.json


2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -2,7 +2,7 @@
"author": "mrodrig",
"name": "doc-path",
"description": "A document path library for Node",
"version": "2.2.0",
"version": "2.3.0",
"homepage": "https://mrodrig.github.io/doc-path",
"repository": {
"type": "git",
13 changes: 13 additions & 0 deletions test/tests.js
Expand Up @@ -230,10 +230,12 @@ describe('doc-path Module', function() {

it('should protect against prototype pollution via __proto__', (done) => {
doc = {};
assert.equal(doc.polluted, undefined);
path.setPath(doc, '__proto__.polluted', 'prototype-polluted');
assert.equal(doc.__proto__.polluted, undefined);
assert.equal(doc.polluted, undefined);
assert.equal({}.polluted, undefined);
assert.equal(Object.polluted, undefined);
done();
});

Expand Down Expand Up @@ -266,5 +268,16 @@ describe('doc-path Module', function() {
assert.equal({}.test, undefined);
done();
});

it('should protect against prototype pollution against a nested document', (done) => {
doc = {};
assert.equal(doc.polluted, undefined);
path.setPath(doc, 'a.__proto__.polluted', 'polluted!');
assert.equal(typeof doc.a, 'object');
assert.equal(doc.polluted, undefined);
assert.equal({}.polluted, undefined);
assert.equal(Object.polluted, undefined);
done();
});
});
});
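Review bot: The new nested-document test only exercises the `__proto__` branch of the guard now living in `_sp`; the `constructor` and `prototype` branches are reached for nested paths too (e.g. `a.constructor.prototype.polluted`) but have no test, so a regression in those branches at recursion depth would go unnoticed. A sibling `it(...)` mirroring this one with that path and the same `{}.polluted` / `Object.polluted` assertions would close the gap. As a point of style, both added tests are fully synchronous, so the `(done)` parameter and trailing `done()` can be dropped in favour of a plain `() => { ... }` body. The enclosing `describe` block starts outside the hunk, and `doc` appears to be declared there rather than in the test, so its reuse across tests is assumed here.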
