deeply
Comparing version 3.0.0 to 3.1.0
@@ -20,5 +20,6 @@ var reduceObject = require('../lib/reduce_object.js'); | ||
// transfer source values | ||
reduceObject(to, from, merge); | ||
// pass context down the line, to allow behavior overrides | ||
reduceObject.call(this, to, from, merge); | ||
return to; | ||
} |
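Review bot: The new `reduceObject.call(this, to, from, merge)` forwards whatever `this` the caller supplied, and when `merge` is invoked as a plain function that is `undefined` under strict mode (or the global object in sloppy mode), so the callee's `context.allowDangerousObjectKeys` lookup would throw a TypeError if both modules run strict; whether either file has `'use strict'` is not visible here. A one-token guard at the call site avoids the question: `reduceObject.call(this || {}, to, from, merge);`, with a comment such as `// callers normally invoke merge() without a context; fall back to an empty one so flag lookups never dereference undefined`. The enclosing merge function starts before this hunk.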
// list of available flags | ||
module.exports = | ||
{ | ||
// allow (original) unsafe behavior of merge all properties, including ones like `__proto__` | ||
allowDangerousObjectKeys: 'deeply:allowDangerousObjectKeys:' + Math.random(), | ||
// to prevent (reduce chance of) accidental leaking of the global variables into runtime flags | ||
@@ -5,0 +8,0 @@ useCustomAdapters: 'deeply:useCustomAdapters:' + Math.random(), |
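Review bot: The comment on the `Math.random()` suffix should make clear that it is not a security boundary, since the same value is exported on `module.exports` and any code holding a reference to the module can read `behaviors.allowDangerousObjectKeys` and opt into the unsafe merge; the suffix only prevents a stray global named `allowDangerousObjectKeys` from accidentally matching. Suggested wording for the comment preceding the flags: `// the random suffix is not a secret (it is exported below); it only reduces the chance that an unrelated global or user property accidentally matches a flag value`. Using `Math.random()` is fine for that purpose, but a reader might otherwise assume it is meant to be unguessable.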
@@ -0,1 +1,3 @@ | ||
var behaviors = require('../flags.js'); | ||
// Public API | ||
@@ -16,5 +18,12 @@ module.exports = reduceObject; | ||
{ | ||
var context = this; | ||
// clone exposed properties | ||
Object.keys(source).reduce(function(acc, key) | ||
{ | ||
if (context.allowDangerousObjectKeys !== behaviors.allowDangerousObjectKeys && isUnsafeKey(key)) | ||
{ | ||
return acc; | ||
} | ||
acc[key] = merge(acc[key], source[key]); | ||
@@ -27,1 +36,12 @@ | ||
} | ||
/** | ||
* Checks if provide key is unsafe to use within object | ||
* | ||
* @param {string} key - object key to check against | ||
* @returns {boolean} - `true` if key is unsafe to use (e.g. __proto__), `false` otherwise | ||
*/ | ||
function isUnsafeKey(key) { | ||
return ['__proto__'].indexOf(key) != -1; | ||
} |
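Review bot: `isUnsafeKey` only rejects `__proto__`, but `constructor` and `prototype` are the other well-known prototype-pollution path (`target.constructor.prototype`), and the `acc[key]` read on the merge line resolves through the prototype chain, so for a plain `{}` target `acc['constructor']` is `Object` itself before `merge` is applied to it; whether `merge` then writes into a function target is not visible in this hunk. I would extend the list and use strict comparison: `return ['__proto__', 'constructor', 'prototype'].indexOf(key) !== -1;`, and fix the JSDoc typo `Checks if provide key` to `Checks if the provided key`. If the wider list is considered too restrictive for existing users, the `allowDangerousObjectKeys` flag already gives them the opt-out. The reduce callback's function body continues past the first hunk boundary.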
{ | ||
"name": "deeply", | ||
"version": "3.0.0", | ||
"version": "3.1.0", | ||
"description": "A toolkit for deep structure manipulations, provides deep merge/clone functionality out of the box, and exposes hooks and custom adapters for more control and greater flexibility.", | ||
"main": "index.js", | ||
"scripts": { | ||
"clean": "rimraf coverage", | ||
"clean": "rimraf .nyc_output coverage", | ||
"lint": "eslint *.js adapters/*.js test/*.js", | ||
@@ -54,11 +54,17 @@ "test": "nyc --reporter=json tape test/test-*.js | tap-spec", | ||
}, | ||
"resolutions": { | ||
"toc-md/vow-fs": "^0.3.6", | ||
"toc-md/marked": "^0.3.18" | ||
}, | ||
"devDependencies": { | ||
"browserify": "^16.2.3", | ||
"browserify-istanbul": "^3.0.1", | ||
"coveralls": "^3.0.2", | ||
"coveralls": "^3.0.4", | ||
"eslint": "^5.9.0", | ||
"handlebars": "^4.1.2", | ||
"istanbul": "^0.4.5", | ||
"js-yaml": "^3.13.1", | ||
"lodash.partialright": "^4.2.1", | ||
"moment": "^2.22.2", | ||
"nyc": "^13.1.0", | ||
"nyc": "^14.1.1", | ||
"obake": "^0.1.2", | ||
@@ -65,0 +71,0 @@ "phantomjs-prebuilt": "^2.1.12", |
@@ -7,5 +7,5 @@ # Deeply [![NPM Module](https://img.shields.io/npm/v/deeply.svg?style=flat)](https://www.npmjs.com/package/deeply) | ||
[![PhantomJS Build](https://img.shields.io/travis/alexindigo/deeply/master.svg?label=browser&style=flat)](https://travis-ci.org/alexindigo/deeply) | ||
[![Linux Build](https://img.shields.io/travis/alexindigo/deeply/master.svg?label=linux:6.x-11.x&style=flat)](https://travis-ci.org/alexindigo/deeply) | ||
[![MacOS Build](https://img.shields.io/travis/alexindigo/deeply/master.svg?label=macos:6.x-11.x&style=flat)](https://travis-ci.org/alexindigo/deeply) | ||
[![Windows Build](https://img.shields.io/appveyor/ci/alexindigo/deeply/master.svg?label=windows:6.x-11.x&style=flat)](https://ci.appveyor.com/project/alexindigo/deeply) | ||
[![Linux Build](https://img.shields.io/travis/alexindigo/deeply/master.svg?label=linux:6.x-12.x&style=flat)](https://travis-ci.org/alexindigo/deeply) | ||
[![MacOS Build](https://img.shields.io/travis/alexindigo/deeply/master.svg?label=macos:6.x-12.x&style=flat)](https://travis-ci.org/alexindigo/deeply) | ||
[![Windows Build](https://img.shields.io/travis/alexindigo/deeply/master.svg?label=windows:6.x-12.x&style=flat)](https://travis-ci.org/alexindigo/deeply) | ||
@@ -18,7 +18,7 @@ [![Coverage Status](https://img.shields.io/coveralls/alexindigo/deeply/master.svg?label=code+coverage&style=flat)](https://coveralls.io/github/alexindigo/deeply?branch=master) | ||
| compression | size | | ||
| :--------------- | ------: | | ||
| deeply.js | 15.6 kB | | ||
| deeply.min.js | 5.11 kB | | ||
| deeply.min.js.gz | 1.53 kB | | ||
| compression | size | | ||
| :--------------- | -------: | | ||
| deeply.js | 16.35 kB | | ||
| deeply.min.js | 5.36 kB | | ||
| deeply.min.js.gz | 1.63 kB | | ||
@@ -32,2 +32,3 @@ | ||
- [Merging](#merging) | ||
- [Security concerns](#security-concerns) | ||
- [Cloning](#cloning) | ||
@@ -43,3 +44,4 @@ - [Arrays Custom Merging](#arrays-custom-merging) | ||
- [Extend Original Function Prototype](#extend-original-function-prototype) | ||
- [Custom hooks](#custom-hooks) | ||
- [Custom flags and hooks](#custom-flags-and-hooks) | ||
- [`allowDangerousObjectKeys`](#allowdangerousobjectkeys) | ||
- [`useCustomAdapters`](#usecustomadapters) | ||
@@ -78,2 +80,18 @@ - [`useCustomTypeOf`](#usecustomtypeof) | ||
#### Security concerns | ||
Due to Prototype Pollution security vulnerability concerns, default behavior of when merging objects is to skip unsafe keys, like `__proto__`, please refer to the [test/compatability.js](test/compatability.js) file for code examples. | ||
If there is a use case where such behavior is desired, pass `allowDangerousObjectKeys` flag to the context to skip keys safety checks. | ||
```javascript | ||
var merge = require('deeply'); | ||
var result; | ||
var context = { allowDangerousObjectKeys: merge.behaviors.allowDangerousObjectKeys }; | ||
result = merge.call(context, {}, JSON.parse('{"__proto__": {"a0": true}}')); | ||
// end of the world, cats live with dogs... | ||
``` | ||
### Cloning | ||
@@ -368,4 +386,13 @@ | ||
### Custom hooks | ||
### Custom flags and hooks | ||
#### `allowDangerousObjectKeys` | ||
As shown in (Security Concerns)[#security-concerns] section, | ||
you can skip safety checks for unsafe object keys (e.g. `__proto__`) by passing `allowDangerousObjectKeys` flag to the context. | ||
```js | ||
merge.call({ allowDangerousObjectKeys: merge.behaviors.allowDangerousObjectKeys }, {}, JSON.parse('{"__proto__": {"a0": true}}')); | ||
``` | ||
#### `useCustomAdapters` | ||
@@ -372,0 +399,0 @@ |