Skip to content

Commit

Permalink
Fix prototype pollution
Browse files Browse the repository at this point in the history
  • Loading branch information
yeikos committed Oct 27, 2018
1 parent 6fc27c2 commit 6ad6035
Show file tree
Hide file tree
Showing 6 changed files with 47 additions and 7 deletions.
2 changes: 1 addition & 1 deletion LICENSE
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
The MIT License (MIT)

Copyright (c) 2014 yeikos - http://www.yeikos.com
Copyright (c) 2014 yeikos

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
Expand Down
2 changes: 1 addition & 1 deletion bower.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "merge",
"version": "1.2.0",
"version": "1.2.1",
"homepage": "https://github.com/yeikos/js.merge",
"authors": [
"yeikos <[email protected]>"
Expand Down
4 changes: 3 additions & 1 deletion merge.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*!
* @name JavaScript/NodeJS Merge v1.2.0
* @name JavaScript/NodeJS Merge v1.2.1
* @author yeikos
* @repository https://github.com/yeikos/js.merge
Expand Down Expand Up @@ -128,6 +128,8 @@

for (var key in item) {

if (key === '__proto__') continue;

var sitem = clone ? Public.clone(item[key]) : item[key];

if (recursive) {
Expand Down
4 changes: 2 additions & 2 deletions merge.min.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions package.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "merge",
"version": "1.2.0",
"author": "yeikos (http://www.yeikos.com)",
"version": "1.2.1",
"author": "yeikos",
"description": "Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.",
"main": "merge.js",
"license": "MIT",
Expand Down
38 changes: 38 additions & 0 deletions tests/tests.js
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,25 @@ test('merge', function() {

});

test('merge (prototype pollution attack)', function() {

deepEqual(

merge({}, JSON.parse('{"__proto__": {"a": true}}')),
{}

);

deepEqual(

{}.a,

undefined

);

});

test('merge (clone)', function() {

var input = {
Expand Down Expand Up @@ -143,6 +162,25 @@ test('merge.recursive', function() {

});

test('merge.recursive (prototype pollution attack)', function() {

deepEqual(

merge.recursive({}, JSON.parse('{"__proto__": {"a": true}}')),
{}

);

deepEqual(

{}.a,

undefined

);

});

test('merge.recursive (clone)', function() {

var input = { a: { b: 1 } };
Expand Down

1 comment on commit 6ad6035

@xixilive
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Please sign in to comment.