[v,src,deps,spec,doc] v2.3.0

- Fix vulnerabilities. - Update outdated deps. - Increase coverage to 100%.
rumkin · Nov 22, 2020 · 17d15b6 · 17d15b6
1 parent 3198d6c
commit 17d15b6
Show file tree

Hide file tree

Showing 7 changed files with 2,436 additions and 55 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,11 +1,31 @@
-node_modules
-npm-debug.log
-coverage
+# Repo-wide
+# -----------------------------------------------------------------------------
+
+# Dirs
+node_modules/
+
+# OS files
+.DS_Store
+Thumbs.db
+Desktop.ini
+
+# Runtime files
+*.lock
+*.log
 *.pid
+*.pid.lock
 
+# Repo root
+# -----------------------------------------------------------------------------
 
-**/.DS_Store
+# Technical output
+/build/
+/coverage/
+/dist/
+/logs/
+/pids/
+/tmp/
+/.nyc_output/
 
-tmp
-local
-build
+# Local data
+/local/
diff --git a/.npmignore b/.npmignore
diff --git a/changelog.md b/changelog.md
@@ -1,16 +1,25 @@
-# v2.1
+# CHANGELOG
+
+### v2.3
+
+* Fix security vulnerabilities:
+  * Prototype pollution in methods `set`, `push` and `at`.
+* Fix inconsistency in method `method` when calling on function as a target.
+  Previousely it was bind to itself, now to null.
+
+### v2.1
 
 * Add `breadcrumbs` method.
 
-# v2.0
+### v2.0
 
 Refactored and reviewed 1.0 version. Has some breaking changes:
 
 * Path could be empty array or string. This will be interpreted as path
   to target itself.
 * Update methods always return target.
 
-# v1.0
+### v1.0
 
 Initial version.
 

diff --git a/index.js b/index.js
@@ -104,6 +104,8 @@ function setByPath(target, path, value) {
     target = {};
   }
 
+  validateKey(key);
+
   if (path.length > 1) {
     target[key] = setByPath(target[key], path.slice(1), value);
   }
@@ -115,7 +117,7 @@ function setByPath(target, path, value) {
 }
 
 /**
- * Push deeply nested value into target object. If nested properties are not an
+ * Push deeply nested value into target object. If nested properties are not
  * objects or not exists creates them.
  *
  * @param {*} target Parent object.
@@ -184,6 +186,7 @@ function at(target, path, update) {
     target = {};
   }
 
+  validateKey(key);
   if (path.length > 1) {
     target[key] = at(target[key], path.slice(1), update);
   }
@@ -234,7 +237,7 @@ function methodByPath(target, path) {
     return values[values.length - 1].bind(values[values.length - 2]);
   }
   else {
-    return values[0].bind(target);
+    return values[0].bind(null);
   }
 }
 
@@ -248,9 +251,6 @@ function methodByPath(target, path) {
  */
 function callByPath(target, path, args) {
   var fn = methodByPath(target, path);
-  if (! fn) {
-    return;
-  }
 
   return fn.apply(null, args);
 }
@@ -267,7 +267,7 @@ function getStructure(target, prefix) {
   if (Array.isArray(target)) {
     return target.reduce(function (result, value, i) {
       return result.concat(
-        getPropStructure(value, prefix.concat(i))
+        getPropStructure(value, prefix.concat(i)),
       );
     }, []);
   }
@@ -277,7 +277,7 @@ function getStructure(target, prefix) {
       const value = target[key];
 
       return result.concat(
-        getPropStructure(value, prefix.concat(key))
+        getPropStructure(value, prefix.concat(key)),
       );
     }, []);
   }
@@ -318,3 +318,15 @@ function pathToArray(path) {
     return path;
   }
 }
+
+const usafeProperties = [
+  '__proto__',
+  'constructor',
+  'prototype',
+];
+
+function validateKey(key) {
+  if (usafeProperties.includes(key)) {
+    throw new Error('Property "' + key + '" is not a valid key');
+  }
+}
diff --git a/package.json b/package.json
@@ -1,17 +1,23 @@
 {
   "name": "keyget",
-  "description": "Is nested object modification kit. It can find, get, set, push or call nested properties.",
-  "version": "2.2.0",
+  "description": "Is nested object manipulation kit. It can find, get, set, push or call nested properties.",
+  "version": "2.3.0-rc.2",
   "main": "index.js",
   "scripts": {
-    "cov": "istanbul cover node_modules/mocha/bin/_mocha -- -u exports -R spec test/**.spec.js",
-    "test": "mocha test/**.spec.js"
+    "cov": "nyc npm run test",
+    "cov:report": "nyc report --reporter=lcov --reporter=text",
+    "test": "mocha test/**.spec.js",
+    "lint": "eslint index.js test",
+    "prepublishOnly": "npm run lint && npm run test"
   },
+  "files": [
+    "index.js",
+    "license"
+  ],
   "license": "MIT",
   "devDependencies": {
     "husky": "^1.3.0",
-    "istanbul": "^0.4.4",
-    "mocha": "^5.2.0",
+    "mocha": "^8.2.1",
     "should": "^13.2.3"
   },
   "bin": {
@@ -20,7 +26,6 @@
   "directories": {
     "test": "test"
   },
-  "dependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/rumkin/keyget.git"
@@ -45,5 +50,9 @@
     "hooks": {
       "pre-commit": "npm test"
     }
+  },
+  "dependencies": {
+    "eslint": "^7.14.0",
+    "nyc": "^15.1.0"
   }
 }