deep-get-set - npm Package Compare versions

Comparing version 1.1.0 to 1.1.1

index.js

@@ -5,2 +5,6 @@ var hasOwnProp = Object.prototype.hasOwnProperty;
 
+function isSafeKey (key) {
+  return key !== '__proto__' && key !== 'prototype' && key !== 'constructor';
+}
+
 function deep (obj, path, value) {
@@ -15,3 +19,3 @@ if (arguments.length === 3) return set.apply(null, arguments);
     var key = keys[i];
-    if (!obj || !hasOwnProp.call(obj, key)) {
+    if (!obj || !hasOwnProp.call(obj, key) || !isSafeKey(key)) {
       obj = undefined;
@@ -29,2 +33,3 @@ break;
     var key = keys[i];
+    if (!isSafeKey(key)) return;
     if (deep.p && !hasOwnProp.call(obj, key)) obj[key] = {};
@@ -31,0 +36,0 @@ obj = obj[key];

package.json

 {
   "name": "deep-get-set",
   "description": "Set and get values on objects via dot-notation strings.",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "repository": {
@@ -6,0 +6,0 @@ "type": "git",

test.js

@@ -101,1 +101,50 @@ var test = require('tape');
 });
+
+test('do not get `__proto__`, `prototype` or `constructor` properties', function (t) {
+  var obj = {
+    isAdmin: false,
+    __proto__: {
+      isAdmin: true
+    },
+    prototype: {
+      isAdmin: true
+    },
+    constructor: {
+      isAdmin: true,
+      prototype: {
+        isAdmin: true
+      }
+    }
+  };
+
+  t.equal(deep(obj, 'isAdmin'), false);
+  t.equal(deep(obj, '__proto__.isAdmin'), undefined);
+  t.equal(deep(obj, 'prototype.isAdmin'), undefined);
+  t.equal(deep(obj, 'constructor.isAdmin'), undefined);
+  t.equal(deep(obj, 'constructor.prototype.isAdmin'), undefined);
+  t.end();
+});
+
+test('do not set `__proto__`, `prototype` or `constructor` properties', function (t) {
+  var obj = {};
+
+  deep.p = true;
+
+  deep(obj, 'isAdmin', false);
+  deep(obj, '__proto__.isAdmin', true);
+  deep(obj, 'prototype.isAdmin', true);
+  deep(obj, 'constructor.isAdmin', true);
+  deep(obj, 'constructor.prototype.isAdmin', true);
+
+  t.equal(obj.isAdmin, false);
+  t.equal(obj.__proto__ && obj.__proto__.isAdmin, undefined);
+  t.equal(obj.prototype && obj.prototype.isAdmin, undefined);
+  t.equal(obj.constructor && obj.constructor.isAdmin, undefined);
+  t.equal(
+    obj.constructor &&
+    obj.constructor.prototype &&
+    obj.constructor.prototype.isAdmin,
+    undefined
+  );
+  t.end();
+});

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

6786

increased by26.77%

Lines of code

161

increased by41.23%

Worsened metrics

Number of package files

4

decreased by-20%

No dependency changes