
Prevent Object prototype pollution. #40

Closed
wants to merge 1 commit into from

Conversation

mwakerman
Contributor

gustavo-rodrigues-dev commented Apr 27, 2018

If you want to fix the CI test, follow me:

  • remove the yarn cache, because yarn doesn't support Node < 4 natively, and I was looking at the yarn.lock history and this file was only created for caching the CI test.

  • add this config into the .travis file:
    before_install:

I know that removing SSL in this case isn't the best solution; however, for older versions of Node you can use a proxy, but that solution fixes the CI test.

my last test

I believe that in the next release this repo can remove Node < 4 support, but this fix is more important than the next release.

See https://hackerone.com/reports/311333.

Remove yarn.lock and disable SSL checks to pass CI for older versions
of Node.
@mwakerman
Contributor Author

@gustavobeavis done (I think)

@unclechu
Owner

@mwakerman Thanks, I'll make a release soon.

@unclechu
Owner

Merged to dev branch, closing this.

@unclechu unclechu closed this Apr 28, 2018
@caub caub mentioned this pull request May 8, 2018
@Pablodotnet

Vulnerability alert still pops up with 0.5.1

husseinbob commented Jan 11, 2019

Vulnerability alert still pops up with 0.5.1 @Pablodotnet

Is this an erroneous alert, or is the package still vulnerable?

@unclechu
Owner

I don't think so, at least I don't have any proofs that it happens.
There is a test for that:

// The two require lines are added so the test runs on its own; the library
// path is assumed from the usual layout of this repository (test/ next to lib/).
var should = require('should');
var extend = require('../lib/deep-extend'); // assumed path to the library under test

it('should not modify Object prototype (hacker1 #311333)', function () {
  var a = {};
  // JSON.parse keeps a key literally named "__proto__" as an own property;
  // a merge that recurses into it would write straight into Object.prototype.
  extend({}, JSON.parse('{"__proto__":{"oops":"It works!"}}'));
  should.not.exist(a.oops);
  should.not.exist(Object.prototype.oops);
});
