@eivifj/dot - npm Package Compare versions

Comparing version 1.0.2 to 1.0.3

index.js

@@ -11,3 +11,3 @@ /**
 
-exports.set = function (obj, path, val) {
+exports.set = function(obj, path, val) {
   var segs = path.split('.');
@@ -19,2 +19,3 @@ var attr = segs.pop();
     var seg = segs[i];
+    if (!isSafe(obj, seg)) return src;
     obj[seg] = obj[seg] || {};
@@ -24,3 +25,5 @@ obj = obj[seg];
 
-  obj[attr] = val;
+  if (isSafe(obj, attr)) {
+    obj[attr] = val;
+  }
 
@@ -39,3 +42,3 @@ return src;
 
-exports.get = function (obj, path) {
+exports.get = function(obj, path) {
   var segs = path.split('.');
@@ -62,3 +65,3 @@ var attr = segs.pop();
 
-exports.delete = function (obj, path) {
+exports.delete = function(obj, path) {
   var segs = path.split('.');
@@ -70,7 +73,10 @@ var attr = segs.pop();
     if (!obj[seg]) return;
+    if (!isSafe(obj, seg)) return;
     obj = obj[seg];
   }
 
+  if (!isSafe(obj, attr)) return;
+
   if (Array.isArray(obj)) {
-    obj.splice(path, 1);
+    obj.splice(attr, 1);
   } else {
@@ -80,1 +86,21 @@ delete obj[attr];
 };
+
+function isSafe(obj, prop) {
+  if (isObject(obj)) {
+    return obj[prop] === undefined || hasOwnProperty(obj, prop);
+  }
+
+  if (Array.isArray(obj)) {
+    return !isNaN(parseInt(prop, 10));
+  }
+
+  return false;
+}
+
+function hasOwnProperty(obj, prop) {
+  return Object.prototype.hasOwnProperty.call(obj, prop);
+}
+
+function isObject(obj) {
+  return Object.prototype.toString.call(obj) === '[object Object]';
+}

package.json

@@ -6,3 +6,3 @@ {
   },
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "Get and set object properties with dot notation",
@@ -9,0 +9,0 @@ "main": "index.js",

test/index.js

 var assert = require('assert');
 var dot = require('..');
 
-var tests = module.exports = {
-  'test set': function () {
+var tests = (module.exports = {
+  'test set': function() {
     var obj = {};
@@ -12,3 +12,3 @@ var ret = dot.set(obj, 'cool.aid', 'rocks');
 
-  'test get': function () {
+  'test get': function() {
     var obj = {};
@@ -21,3 +21,3 @@ obj.cool = {};
 
-  'test delete': function () {
+  'test delete': function() {
     var obj = {};
@@ -29,6 +29,33 @@ obj.cool = {};
     dot.delete(obj, 'cool.hello.0');
-    assert(!obj.cool.hasOwnProperty('aid'))
+    assert(!obj.cool.hasOwnProperty('aid'));
     assert(obj.cool.hello.length == 0);
+  },
+
+  'test prototype pollution': function() {
+    var obj = {};
+    obj.cool = {};
+    obj.cool.aid = 'rocks';
+    obj.cool.hello = ['world'];
+    dot.set(obj, '__proto__', 'test');
+    dot.set(obj, '__proto__.toString', 'test');
+    dot.set(obj, 'toString', 'test');
+    dot.set(obj, 'cool.hello.__proto__', 'test');
+    dot.set(obj, 'cool.hello.__proto__.toString', 'test');
+    dot.set(obj, 'cool.hello.toString', 'test');
+    assert(obj.__proto__ === {}.__proto__);
+    assert(obj.toString === Object.prototype.toString);
+    assert(obj.cool.hello.__proto__ === [].__proto__);
+    assert(obj.cool.hello.toString === Array.prototype.toString);
+    dot.delete(obj, '__proto__.toString', 'test');
+    dot.delete(obj, '__proto__', 'test');
+    dot.delete(obj, 'toString', 'test');
+    dot.delete(obj, 'cool.hello.__proto__.toString', 'test');
+    dot.delete(obj, 'cool.hello.__proto__', 'test');
+    dot.delete(obj, 'cool.hello.toString', 'test');
+    assert(obj.__proto__ === {}.__proto__);
+    assert(obj.toString === Object.prototype.toString);
+    assert(obj.cool.hello.__proto__ === [].__proto__);
+    assert(obj.cool.hello.toString === Array.prototype.toString);
   }
-}
+});
 
@@ -35,0 +62,0 @@ for (var t in tests) {

No alert changes

Improved metrics

Total package byte prevSize

4539

increased by60.96%

Lines of code

138

increased by50%

No dependency changes