prevent against prototype pollution
Raice Hannay committed Jul 10, 2022
1 parent cc56cc8 commit 9be5148
Showing 6 changed files with 1,253 additions and 1,045 deletions.
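--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1 @@
+registry=https://registry.npmjs.org/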
4 changes: 2 additions & 2 deletions jest.config.js
Expand Up @@ -11,7 +11,7 @@ module.exports = {
},
globals: {
"ts-jest": {
tsConfig: {
tsconfig: {
target: "es6",
},
},
Expand All @@ -20,8 +20,8 @@ module.exports = {
preset: "ts-jest",
roots: ["<rootDir>/src"],
testEnvironment: "jsdom",
testEnvironmentOptions: { url: "http://localhost" },
testMatch: ["**/*.test.{ts,tsx}"],
testURL: "http://localhost",
transformIgnorePatterns: ["/node_modules/.+\\.js$"],
verbose: true,
};
25 changes: 13 additions & 12 deletions package.json
Expand Up @@ -3,7 +3,7 @@
"author": "Raice Hannay <voodoocreation@gmail.com>",
"description": "A TypeScript deep merge function.",
"license": "ISC",
"version": "2.0.1",
"version": "2.0.2",
"keywords": [
"typescript",
"deep",
Expand All @@ -23,9 +23,9 @@
"test": "cross-env NODE_ENV=test jest --no-cache --config ./jest.config.js",
"test:all": "npm-run-all format typecheck lint test:coverage",
"test:coverage": "cross-env NODE_ENV=test jest --no-cache --coverage --config ./jest.config.js",
"typecheck": "tsc"
"typecheck": "tsc",
"prepack": "tsc"
},
"prepublish": "tsc",
"repository": {
"type": "git",
"url": "git@github.com:voodoocreation/ts-deepmerge.git"
Expand All @@ -36,18 +36,19 @@
"homepage": "https://github.com/voodoocreation/ts-deepmerge#readme",
"types": "dist/index.d.ts",
"devDependencies": {
"@types/jest": "^27.0.2",
"@typescript-eslint/eslint-plugin": "^5.0.0",
"@types/jest": "^28.1.4",
"@typescript-eslint/eslint-plugin": "^5.30.5",
"cross-env": "^7.0.3",
"eslint": "^8.0.0",
"eslint": "^8.19.0",
"eslint-config-voodoocreation": "^2.0.1",
"eslint-plugin-import": "^2.25.1",
"eslint-plugin-jest": "^25.0.5",
"eslint-plugin-import": "^2.26.0",
"eslint-plugin-jest": "^26.5.3",
"eslint-plugin-prefer-arrow": "^1.2.3",
"jest": "^27.2.5",
"jest": "^28.1.2",
"jest-environment-jsdom": "^28.1.2",
"npm-run-all": "^4.1.5",
"prettier": "^2.4.1",
"ts-jest": "^27.0.5",
"typescript": "^4.4.4"
"prettier": "^2.7.1",
"ts-jest": "^28.0.5",
"typescript": "^4.7.4"
}
}
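--- a/src/index.test.ts
+++ b/src/index.test.ts
@@ -142,4 +142,16 @@ describe("merge", () => {
 expect(merge(object1, object2, object3).array).toEqual(["a", "b", "c"]);
 });
 });
+
+describe("reported vulnerabilities", () => {
+it("safeguards against prototype pollution", () => {
+const merged: any = merge(
+{},
+JSON.parse('{ "__proto__": { "hasProto": true } }')
+);
+
+// eslint-disable-next-line no-proto
+expect(merged.__proto__.hasProto).toBe(undefined);
+});
+});
 });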
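Review bot: The assertion at the end of the new test goes through `merged.__proto__.hasProto`, which only inspects the returned object's own chain and forces both the `any` on `merged` and the `no-proto` override; the object a pollution would actually modify is the shared prototype, so a direct check is both stronger and lint-clean: `expect(Object.prototype).not.toHaveProperty("hasProto");` with `merged` typed normally. It would also be worth a second case where the `__proto__` key sits inside a nested object, since the fix in index.ts relies on the same guard being reached on the recursive path, which I cannot confirm from this hunk. The enclosing `describe("merge")` block starts above the hunk.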
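--- a/src/index.ts
+++ b/src/index.ts
@@ -23,11 +23,17 @@ const isObject = (obj: any) => {
 return false;
 };
 
+const PROTECTED_KEYS = ["__proto__"];
+
 const merge = <T extends IObject[]>(
 ...objects: T
 ): TUnionToIntersection<T[number]> =>
 objects.reduce((result, current) => {
 Object.keys(current).forEach((key) => {
+if (PROTECTED_KEYS.includes(key)) {
+return;
+}
+
 if (Array.isArray(result[key]) && Array.isArray(current[key])) {
 result[key] = merge.options.mergeArrays
 ? Array.from(new Set((result[key] as unknown[]).concat(current[key])))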
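Review bot: `PROTECTED_KEYS` at the top of the hunk lists only `__proto__`, so `constructor` and `prototype` — the other own keys through which a merge can reach the shared prototype chain — still pass the new guard and go on to be merged; whether they can actually be written through here depends on what `isObject` accepts for `result[key]`, and that function's body starts above the hunk, so I would close the list defensively rather than rely on it: `const PROTECTED_KEYS = ["__proto__", "constructor", "prototype"];`. A one-line comment stating why the list exists would also help the next maintainer, e.g. `// Own keys that are never merged: assigning them can modify the prototype chain instead of this object.`. The `merge` body continues below the hunk.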