mpath - npm Package Compare versions
Comparing version 0.4.1 to 0.5.0
@@ -0,1 +1,6 @@ | ||
| 0.5.0 / 2018-08-30 | ||
| ================== | ||
| * BREAKING CHANGE: disallow setting/unsetting __proto__ properties | ||
| * feat: re-add support for Node < 4 for this release | ||
| 0.4.1 / 2018-04-08 | ||
@@ -2,0 +7,0 @@ ================== |
@@ -0,1 +1,4 @@ | ||
| // Make sure Map exists for old Node.js versions | ||
| var Map = global.Map != null ? global.Map : function() {}; | ||
| /** | ||
@@ -134,2 +137,6 @@ * Returns the value of object `o` at the given `path`. | ||
| } | ||
| // Disallow any updates to __proto__. | ||
| if (parts[i] === '__proto__') { | ||
| return false; | ||
| } | ||
| if (i === len - 1) { | ||
@@ -180,2 +187,10 @@ delete cur[parts[i]]; | ||
| for (var i = 0; i < parts.length; ++i) { | ||
| // Silently ignore any updates to `__proto__`, these are potentially | ||
| // dangerous if using mpath with unsanitized data. | ||
| if (parts[i] === '__proto__') { | ||
| return; | ||
| } | ||
| } | ||
| // the existance of $ in a path tells us if the user desires | ||
@@ -182,0 +197,0 @@ // the copying of an array instead of setting each value of |
| { | ||
| "name": "mpath", | ||
| "version": "0.4.1", | ||
| "version": "0.5.0", | ||
| "description": "{G,S}et object values using MongoDB-like path notation", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -594,8 +594,14 @@ | ||
| describe('set', function(){ | ||
| describe('without `special`', function(){ | ||
| describe('set', function() { | ||
| it('prevents writing to __proto__', function() { | ||
| var obj = {}; | ||
| mpath.set('__proto__.x', 'foobar', obj); | ||
| assert.ok(!({}.x)); | ||
| }); | ||
| describe('without `special`', function() { | ||
| var o = doc(); | ||
| it('works', function(done){ | ||
| mpath.set('name', 'a new val', o, function (v) { | ||
| it('works', function(done) { | ||
| mpath.set('name', 'a new val', o, function(v) { | ||
| return 'a new val' === v ? 'changed' : v; | ||
@@ -1797,2 +1803,6 @@ }); | ||
| it('underneath a map', function(done) { | ||
| if (!global.Map) { | ||
| done(); | ||
| return; | ||
| } | ||
| assert.equal(mpath.get('a.b', { a: new Map([['b', 1]]) }), 1); | ||
@@ -1824,2 +1834,13 @@ | ||
| it('unset with __proto__', function(done) { | ||
| // Should refuse to set __proto__ | ||
| function Clazz() {} | ||
| Clazz.prototype.foobar = true; | ||
| mpath.unset('__proto__.foobar', new Clazz()); | ||
| assert.ok(Clazz.prototype.foobar); | ||
| done(); | ||
| }); | ||
| it('ignores setting a nested path that doesnt exist', function(done){ | ||
@@ -1831,5 +1852,4 @@ var o = doc(); | ||
| done(); | ||
| }) | ||
| }) | ||
| }) | ||
| }); | ||
| }); | ||
| }); |
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.32%
86966
- Lines of code
- increased by1.56%
1957