even more aggressive checks for protocol pollution

minimistjs · Mar 10, 2020 · 38a4d1c · 38a4d1c
1 parent 13c01a5
commit 38a4d1c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/index.js b/index.js
@@ -68,13 +68,21 @@ module.exports = function (args, opts) {
 
  function setKey (obj, keys, value) {
  var o = obj;
- keys.slice(0,-1).forEach(function (key) {
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+ if (key === '__proto__') return;
  if (o[key] === undefined) o[key] = {};
- if (o[key] === {}.__proto__) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+ if (o[key] === Array.prototype) o[key] = [];
  o = o[key];
- });
+ }
 
  var key = keys[keys.length - 1];
+ if (key === '__proto__') return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
  if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
  o[key] = value;
  }

diff --git a/test/proto.js b/test/proto.js
@@ -4,7 +4,7 @@ var test = require('tape');
 test('proto pollution', function (t) {
  var argv = parse(['--__proto__.x','123']);
  t.equal({}.x, undefined);
- t.equal(argv.__proto__.x, 123);
+ t.equal(argv.__proto__.x, undefined);
  t.equal(argv.x, undefined);
  t.end();
 });
@@ -14,7 +14,7 @@ test('proto pollution (array)', function (t) {
  t.equal({}.z, undefined);
  t.deepEqual(argv.x, [4,5]);
  t.equal(argv.x.z, undefined);
- t.equal(argv.x.__proto__.z, 789);
+ t.equal(argv.x.__proto__.z, undefined);
  t.end();
 });