From 110dba73f7609dd69eb0411a76520de78031c5fd Mon Sep 17 00:00:00 2001
From: Steven Rockarts
Date: Wed, 9 Dec 2020 08:06:50 -0700
Subject: [PATCH 1/2] Fix for Prototype Pollution

---
 index.js | 10 +++++----
 test/index.test.js | 55 +++++++++++++++++++++++++++++-----------------
 2 files changed, 41 insertions(+), 24 deletions(-)

diff --git a/index.js b/index.js
index 4265c69..b54bfeb 100644
--- a/index.js
+++ b/index.js
@@ -13,11 +13,13 @@
 * @api public
 */
 
-exports = module.exports = function(a, b){
+exports = module.exports = function (a, b) {
 if (a && b) {
-for (var key in b) {
-a[key] = b[key];
+var allowedAttrs = Object.getOwnPropertyNames(b);
+console.log(allowedAttrs)
+for (var allowedAttrs in b) {
+a[allowedAttrs] = b[allowedAttrs];
 }
 }
 return a;
-};
+};
\ No newline at end of file
diff --git a/test/index.test.js b/test/index.test.js
index 7241855..95e35f9 100644
--- a/test/index.test.js
+++ b/test/index.test.js
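Review bot: `for (var allowedAttrs in b)` re-declares the same `var` binding that was just assigned from `Object.getOwnPropertyNames(b)`, so the array is discarded and the loop is the original `for (var key in b) { a[key] = b[key]; }` under a new name: no key is filtered, and an own `__proto__` key in `b` (what `JSON.parse` produces from untrusted input) is still assigned to `a`, replacing its prototype. PATCH 2/2 only removes the `console.log` and leaves the shadowing in place. The smallest fix is to drop the unused `allowedAttrs` line and guard the key inside the loop: `for (var key in b) {` / `if (key === '__proto__') continue;` / `a[key] = b[key];`. If `getOwnPropertyNames` was meant to restrict the copy to own properties, iterate `Object.keys(b)` instead of `for...in`, which also walks inherited enumerable properties — but that is a behaviour change for existing callers and should be a deliberate, documented decision.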
@@ -1,51 +1,66 @@
 var merge = require('../index');
 
-describe('merge', function() {
-
-describe('an object', function() {
+describe('merge', function () {
+
+describe('an object', function () {
 var a = { foo: 'bar' }
 , b = { bar: 'baz' };
 var o = merge(a, b);
-
-it('should merge properties into first object', function() {
+
+it('should merge properties into first object', function () {
 expect(Object.keys(a)).to.have.length(2);
 expect(a.foo).to.be.equal('bar');
 expect(a.bar).to.be.equal('baz');
 });
-
-it('should return first argument', function() {
+
+it('should return first argument', function () {
 expect(o).to.be.equal(a);
 });
 });
-
-describe('an object with duplicate key', function() {
+
+describe('an object with duplicate key', function () {
 var a = { foo: 'bar', qux: 'corge' }
 , b = { foo: 'baz' };
 var o = merge(a, b);
-
-it('should merge properties into first object', function() {
+
+it('should merge properties into first object', function () {
 expect(Object.keys(a)).to.have.length(2);
 expect(a.foo).to.be.equal('baz');
 expect(a.qux).to.be.equal('corge');
 });
-
-it('should return first argument', function() {
+
+it('should return first argument', function () {
 expect(o).to.be.equal(a);
 });
 });
-
-describe('without a source object', function() {
+
+describe('without a source object', function () {
 var a = { foo: 'bar' };
 var o = merge(a);
-
-it('should leave first object unmodified', function() {
+
+it('should leave first object unmodified', function () {
 expect(Object.keys(a)).to.have.length(1);
 expect(a.foo).to.be.equal('bar');
 });
-
-it('should return first argument', function() {
+
+it('should return first argument', function () {
 expect(o).to.be.equal(a);
 });
 });
-
+
+describe('prototype pollution', function () {
+var a = { foo: 'bar', qux: 'corge' }
+, b = {
+"__proto__": {
+"polluted": "true",
+}
+};
+var o = merge(a, b);
+
+it('should leave first object unmodified', function () {
+expect(o.__proto__.polluted).to.be.equal(undefined);
+});
+
+});
+
 });

From 1678320be78932ab318e22bc1efa9d3f82b03146 Mon Sep 17 00:00:00 2001
From: Steven Rockarts
Date: Wed, 2 Jun 2021 14:12:02 -0600
Subject: [PATCH 2/2] Update index.js

---
 index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index b54bfeb..f075226 100644
--- a/index.js
+++ b/index.js
@@ -16,10 +16,10 @@
 exports = module.exports = function (a, b) {
 if (a && b) {
 var allowedAttrs = Object.getOwnPropertyNames(b);
-console.log(allowedAttrs)
+
 for (var allowedAttrs in b) {
 a[allowedAttrs] = b[allowedAttrs];
 }
 }
 return a;
-};
\ No newline at end of file
+};
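Review bot: The `b` literal in the new `prototype pollution` case, `"__proto__": { "polluted": "true" }`, sets b's own prototype instead of creating an own `__proto__` key, so `Object.getOwnPropertyNames(b)` is empty, `for...in` copies the inherited `polluted` onto `a` as an ordinary own property, and `o.__proto__.polluted` reads `Object.prototype.polluted`, which is `undefined` with the unpatched loop as well — the test passes against the vulnerable code. Build the payload the way untrusted input actually arrives, `, b = JSON.parse('{"__proto__": {"polluted": "true"}}');`, which creates an own `__proto__` key that the pre-patch loop assigns to `a`. Then assert on what the merge must not do: `expect(a.polluted).to.be.equal(undefined);`, which fails on the pre-patch loop, plus `expect(Object.keys(a)).to.have.length(2);` to confirm nothing else was copied. The functional addition is buried under whitespace-only changes to every `function() {` line; a separate formatting commit would keep the security test reviewable on its own.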