express-fileupload - npm Package Compare versions

Comparing version 1.1.7-alpha.4 to 1.1.8

12

lib/processNested.js

@@ -0,1 +1,3 @@

const INVALID_KEYS = ['__proto__'];
module.exports = function(data){

@@ -14,6 +16,12 @@ if (!data || data.length < 1) return {};

.replace(new RegExp(/\]/g), '')
.split('.');
.split('.');
for (let index = 0; index < keyParts.length; index++){
let k = keyParts[index];
// Ensure we don't allow prototype pollution
if (INVALID_KEYS.includes(k)) {
continue;
}
if (index >= keyParts.length - 1){

@@ -20,0 +28,0 @@ current[k] = value;
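Review bot: The guard added in the key-part loop rejects only `__proto__`, so a nested key whose segments are `constructor` and `prototype` can still walk from the result object into `Object.prototype` via `current[k]`, which is the same pollution path the blocklist is meant to close. Extending the list is a one-line change: `const INVALID_KEYS = ['__proto__', 'constructor', 'prototype'];`. Note also that `continue` drops only the offending segment, so a field named `__proto__.POLLUTED` appears to be silently rewritten into a top-level `POLLUTED` property instead of being rejected outright; rejecting the whole field would be the clearer contract, and the comment above the check should say which of the two is intended. The loop and the exported function both continue outside the hunk, and the initialisation of `current` is not visible here.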

6

package.json
{
"name": "express-fileupload",
"version": "1.1.7-alpha.4",
"version": "1.1.8",
"author": "Richard Girges <richardgirges@gmail.com>",

@@ -33,7 +33,7 @@ "description": "Simple express file upload middleware that wraps around Busboy",

"coveralls": "^3.0.14",
"eslint": "^6.8.0",
"eslint": "^7.5.0",
"express": "^4.17.1",
"istanbul": "^0.4.5",
"md5": "^2.2.1",
"mocha": "^7.2.0",
"mocha": "^8.0.1",
"rimraf": "^3.0.2",

@@ -40,0 +40,0 @@ "supertest": "^4.0.2"

@@ -48,2 +48,11 @@ 'use strict';

});
it('Do not allow prototype pollution', () => {
const pollutionOb = JSON.parse(`{"__proto__.POLLUTED": "FOOBAR"}`);
processNested(pollutionOb);
// eslint-disable-next-line no-undef
assert.equal(global.POLLUTED, undefined);
});
});
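Review bot: The final assertion in the new test reads `global.POLLUTED`, which detects pollution only indirectly through `global`'s prototype chain and says nothing about what `processNested` returned for the rejected field. Asserting the prototype directly pins the property the fix is about: `assert.equal(Object.prototype.POLLUTED, undefined);`, and a second assertion on the returned object (whether the field is dropped or kept under another name) would document the intended handling of rejected keys. A short comment naming the key shapes this fixture is meant to cover would also make the intent clearer than the `eslint-disable` line alone. The `describe` block enclosing this `it` starts outside the hunk.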