From 38a4d1caead72ef99e824bb420a2528eec03d9ab Mon Sep 17 00:00:00 2001
From: substack
Date: Tue, 10 Mar 2020 09:08:00 -1000
Subject: [PATCH] even more aggressive checks for protocol pollution
---
 index.js | 14 +++++++++++---
 test/proto.js | 4 ++--
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/index.js b/index.js
index 3b13f44..d2afe5e 100644
--- a/index.js
+++ b/index.js
@@ -68,13 +68,21 @@ module.exports = function (args, opts) {
 function setKey (obj, keys, value) {
 var o = obj;
- keys.slice(0,-1).forEach(function (key) {
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+ if (key === '__proto__') return;
 if (o[key] === undefined) o[key] = {};
- if (o[key] === {}.__proto__) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+ if (o[key] === Array.prototype) o[key] = [];
 o = o[key];
- });
+ }
 var key = keys[keys.length - 1];
+ if (key === '__proto__') return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
 if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
 o[key] = value;
 }
diff --git a/test/proto.js b/test/proto.js
index a2499ec..7713559 100644
--- a/test/proto.js
+++ b/test/proto.js
@@ -4,7 +4,7 @@ var test = require('tape');
 test('proto pollution', function (t) {
 var argv = parse(['--__proto__.x','123']);
 t.equal({}.x, undefined);
- t.equal(argv.__proto__.x, 123);
+ t.equal(argv.__proto__.x, undefined);
 t.equal(argv.x, undefined);
 t.end();
 });
@@ -14,7 +14,7 @@ test('proto pollution (array)', function (t) {
 t.equal({}.z, undefined);
 t.deepEqual(argv.x, [4,5]);
 t.equal(argv.x.z, undefined);
- t.equal(argv.x.__proto__.z, 789);
+ t.equal(argv.x.__proto__.z, undefined);
 t.end();
 });
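Review bot: The added guards in setKey are a denylist — the literal key `__proto__` plus four builtin prototypes compared by identity — and the `constructor` key is not on it: from `o = argv`, `o['constructor']` is `Object`, `Object.constructor` is `Function`, and `Function.prototype` matches none of the `=== Object.prototype || … Array.prototype` comparisons in the hunk, so I believe `--constructor.constructor.prototype.y 1` (or `--_.concat.constructor.prototype.y 1` through the `_` array) still reaches `o[key] = value` and pollutes Function.prototype. Refusing to walk through a constructor function closes that route at both early-return sites: `if (key === '__proto__' || (key === 'constructor' && typeof o[key] === 'function')) return;` — the type check keeps an ordinary `--constructor foo` option working. Separately, `return` inside the new `for` loop exits setKey and drops the whole argument, whereas the removed `forEach` callback's `return` only skipped one key; the updated tests show that is intended, but a short comment such as `// refuse to write through a prototype: drop the whole argument` would make it explicit. setKey's body continues past the end of the hunk, inside module.exports.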
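Review bot: The updated assertion only exercises the literal `__proto__` path segment, so this suite would still pass if a prototype were reached through another key, and the `constructor` route (`argv.constructor` is `Object`, `Object.constructor` is `Function`, and `Function.prototype` is not among the prototypes setKey compares against) has no coverage at all. A companion test that dereferences `constructor.constructor.prototype` and checks a fresh function for the pollution would pin the expected behaviour alongside the two existing cases. The enclosing `test('proto pollution (array)', …)` callback starts before this hunk.

```javascript
test('proto pollution (constructor)', function (t) {
    var argv = parse(['--constructor.constructor.prototype.y', '123']);
    function fn () {}
    t.equal(fn.y, undefined);
    t.equal(argv.y, undefined);
    t.end();
});
```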