Fixed security issue in U.set() and U.get().
petersirka committed Jun 4, 2021
1 parent 2fe92a6 commit 887b0fa
Showing 2 changed files with 9 additions and 4 deletions.
1 change: 1 addition & 0 deletions changes.txt
Expand Up @@ -4,6 +4,7 @@
- added `insecure` flag into the `U.request()` method
- added `RESTBuilder.insecure()` method
- fixed security issue when parsing query arguments (reported by <https://github.com/fl4x>)
- fixed security in `U.get()` and `U.set()` (reported by Agustin Gianni)

======= 3.4.8

12 changes: 8 additions & 4 deletions utils.js
Expand Up @@ -6617,12 +6617,16 @@ exports.parseTheme = function(value) {
return value === '?' ? CONF.default_theme : value;
};


exports.set = function(obj, path, value) {
var cachekey = 'S+' + path;

if (F.temporary.other[cachekey])
return F.temporary.other[cachekey](obj, value);

if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path))
return value;

var arr = parsepath(path);
var builder = [];

Expand All @@ -6636,12 +6640,9 @@ exports.set = function(obj, path, value) {
var ispush = v.lastIndexOf('[]') !== -1;
var a = builder.join(';') + ';var v=typeof(a)===\'function\'?a(U.get(b)):a;w' + (v[0] === '[' ? '' : '.') + (ispush ? v.replace(REGREPLACEARR, '.push(v)') : (v + '=v')) + ';return v';

if ((/__proto__|constructor|prototype|eval/).test(a))
throw new Error('Potential vulnerability');

var fn = new Function('w', 'a', 'b', a);
F.temporary.other[cachekey] = fn;
fn(obj, value, path);
return fn(obj, value, path);
};

exports.get = function(obj, path) {
Expand All @@ -6651,6 +6652,9 @@ exports.get = function(obj, path) {
if (F.temporary.other[cachekey])
return F.temporary.other[cachekey](obj);

if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path))
return;

var arr = parsepath(path);
var builder = [];

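Review bot: The guard added before `parsepath(path)` in `set`, and the identical one in `get`, is a deny-list of tokens applied to a string that is compiled a few lines later with `new Function`, so only the enumerated tokens are rejected; an allow-list of what a path may legitimately contain is the safer shape here, e.g. one module-level `var REG_SAFEPATH = /^[\w$.\[\]]+$/;` checked with `if (!REG_SAFEPATH.test(path)) throw new Error('Invalid path');` in both functions (confirm the character set against what `parsepath()` accepts). A single shared constant also keeps the two copied literals from drifting apart over time. Removing the check on the generated source `a` drops a second layer in front of the `new Function` call and the `F.temporary.other` cache; it is cheap to keep as defense in depth. Both new rejections are silent (`return value` and a bare `return`), unlike the removed `throw new Error('Potential vulnerability')`, so a rejected path is indistinguishable from a no-op to the caller and leaves nothing to log. Both `exports.set` and `exports.get` continue outside the hunks.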
