Merge pull request #41 from steveukx/feature/tests-update

Snyk prototype pollution fix
steveukx · Dec 30, 2020 · 45cd522 · 45cd522
2 parents 79637cb + 4e4bc39
commit 45cd522
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/src/properties-reader.js b/src/properties-reader.js
@@ -2,6 +2,8 @@ const {readFileSync, statSync} = require('fs');
 const propertyAppender = require('./property-appender').propertyAppender;
 const propertyWriter = require('./property-writer').propertyWriter;
 
+const has = Object.prototype.hasOwnProperty.call.bind(Object.prototype.hasOwnProperty);
+
 const SECTION = Symbol('SECTION');
 
 function PropertiesReader (sourceFile, encoding, options = {}) {
@@ -213,7 +215,12 @@ PropertiesReader.prototype.set = function (key, value) {
       if (expanded.length >= 1 && typeof source[step] === 'string') {
          source[step] = {'': source[step]};
       }
-      source = (source[step] = source[step] || {});
+
+      if (!has(source, step)) {
+         Object.defineProperty(source, step, { value: {} });
+      }
+
+      source = source[step]
    }
 
    if (typeof parsedValue === 'string' && typeof  source[expanded[0]] === 'object') {

diff --git a/test/fix-prototype-pollution.spec.js b/test/fix-prototype-pollution.spec.js
@@ -0,0 +1,28 @@
+const {createTestContext} = require('./__fixtues__/create-test-context');
+
+const propertiesReader = require('../');
+
+describe('prototype-pollution', () => {
+   let context;
+
+   beforeEach(async () => {
+      context = await createTestContext();
+   });
+
+   it('does not pollute global Object.prototype', async () => {
+      const file = `
+         [__proto__]
+            polluted = polluted
+            parsed = true
+      `;
+      const props = propertiesReader(await context.file('props.ini', file));
+
+      expect(({}).polluted).toBeUndefined();
+      expect(props.path().__proto__.polluted).toBe('polluted');
+      expect(props.getRaw('__proto__.polluted')).toBe('polluted');
+      expect(props.get('__proto__.polluted')).toBe('polluted');
+      expect(props.getRaw('__proto__.parsed')).toBe('true');
+      expect(props.get('__proto__.parsed')).toBe(true);
+   });
+
+});