mpath - npm Package Compare versions

Comparing version 0.5.0 to 0.5.1

4

History.md

@@ -0,1 +1,5 @@

0.5.1 / 2018-08-30
==================
* fix: prevent writing to constructor and prototype as well as __proto__
0.5.0 / 2018-08-30

@@ -2,0 +6,0 @@ ==================

10

lib/index.js
// Make sure Map exists for old Node.js versions
var Map = global.Map != null ? global.Map : function() {};
// These properties are special and can open client libraries to security
// issues
var ignoreProperties = ['__proto__', 'constructor', 'prototype'];
/**
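Review bot: The comment on `ignoreProperties` says only that these properties "can open client libraries to security issues", which does not tell a maintainer why the three names are listed. State the reason (a path segment named `__proto__`, `constructor` or `prototype` reaches a shared prototype rather than the target object) and note that a segment with one of these names is now refused even when it is an ordinary data key, since that is a behaviour change for callers.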

@@ -137,4 +141,4 @@ * Returns the value of object `o` at the given `path`.

}
// Disallow any updates to __proto__.
if (parts[i] === '__proto__') {
// Disallow any updates to __proto__ or special properties.
if (ignoreProperties.indexOf(parts[i]) !== -1) {
return false;
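Review bot: `ignoreProperties.indexOf(parts[i]) !== -1` uses strict equality, so the guard matches only when `parts[i]` is exactly one of the three strings. If `parts` can hold non-string elements (for instance when the caller passes the path as an array), such a segment is not matched here but is still converted to a string when used as a property key. Suggest comparing `String(parts[i])` against the list, or rejecting non-string segments before the loop.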

@@ -190,3 +194,3 @@ }

// dangerous if using mpath with unsanitized data.
if (parts[i] === '__proto__') {
if (ignoreProperties.indexOf(parts[i]) !== -1) {
return;
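Review bot: This guard exits with a bare `return;` while the same check in the earlier hunk exits with `return false;`, so the two code paths signal a refused path differently and here the caller cannot tell a refused write from a completed one. Suggest making the two consistent and documenting that paths containing these segments are ignored. The strict-equality concern raised on the earlier `indexOf` check applies to this line as well.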

@@ -193,0 +197,0 @@ }

{
"name": "mpath",
"version": "0.5.0",
"version": "0.5.1",
"description": "{G,S}et object values using MongoDB-like path notation",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -599,2 +599,5 @@

assert.ok(!({}.x));
mpath.set('constructor.prototype.x', 'foobar', obj);
assert.ok(!({}.x));
});
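Review bot: The added assertions cover only the string path `constructor.prototype.x` and check only that `{}.x` is still unset. Add cases for a path that starts at `prototype` and for the same path supplied in array form if that input is supported, and assert that `obj` itself is unchanged after the call, so that each entry in `ignoreProperties` and each input shape is exercised.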

@@ -1841,2 +1844,5 @@

mpath.unset('constructor.prototype.foobar', new Clazz());
assert.ok(Clazz.prototype.foobar);
done();
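Review bot: The result of `mpath.unset('constructor.prototype.foobar', new Clazz())` is discarded, so the test would still pass if the guard's return value changed. The guard added in lib/index.js returns `false` for an ignored segment; if that guard is the one `unset` reaches, assert the result with `assert.strictEqual(..., false)` alongside the existing `assert.ok(Clazz.prototype.foobar)`.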

@@ -1843,0 +1849,0 @@ });
