fix: remove unintended exposure of private material via enumerables

panva · Mar 28, 2019 · 946d9df · 946d9df
1 parent 988bbaf
commit 946d9df
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/lib/jwk/key/base.js b/lib/jwk/key/base.js
@@ -28,8 +28,8 @@ class Key {
 
  Object.defineProperties(this, {
  [KEYOBJECT]: { value: isObject(keyObject) ? undefined : keyObject },
- private: { value: keyObject.type === 'private', enumerable: keyObject.type === 'private' },
- public: { value: keyObject.type === 'public', enumerable: keyObject.type === 'public' },
+ private: { value: keyObject.type === 'private' },
+ public: { value: keyObject.type === 'public' },
  alg: { value: alg, enumerable: alg !== undefined },
  use: { value: use, enumerable: use !== undefined },
  kid: {
@@ -57,11 +57,8 @@ class Key {
  members = this.constructor[PUBLIC_MEMBERS]
  }
 
- const result = Object.entries(this).reduce((acc, [prop, value]) => {
- if (members.has(prop)) {
- acc[prop] = value
- }
-
+ const result = [...members].reduce((acc, key) => {
+ acc[key] = this[key]
  return acc
  }, { kty: this.kty, kid: this.kid })
 
@@ -87,14 +84,14 @@ class Key {
  Object.entries(jwk)
  .filter(([key]) => props.has(key))
  .reduce((acc, [key, value]) => {
- acc[key] = { value, enumerable: true, configurable: false }
+ acc[key] = { value, enumerable: this.constructor[PUBLIC_MEMBERS].has(key), configurable: false }
  return acc
  }, {})
  )
 
  return this[component]
  },
- enumerable: true,
+ enumerable: this.constructor[PUBLIC_MEMBERS].has(component),
  configurable: true
  }
  return acc

diff --git a/lib/jwk/key/oct.js b/lib/jwk/key/oct.js
@@ -30,7 +30,7 @@ class OctKey extends Key {
  value: this[KEYOBJECT] ? this[KEYOBJECT].symmetricKeySize * 8 : undefined
  },
  k: {
- enumerable: true,
+ enumerable: false,
  get () {
  if (this[KEYOBJECT]) {
  Object.defineProperty(this, 'k', {