mquery - npm Package Compare versions

Comparing version 3.2.2 to 3.2.3

SECURITY.md

4

History.md

@@ -0,1 +1,5 @@

3.2.3 / 2020-12-10
==================
* fix(utils): avoid copying special properties like `__proto__` when merging and cloning
3.2.2 / 2019-09-22

@@ -2,0 +6,0 @@ ==================

@@ -10,2 +10,4 @@ 'use strict';

var specialProperties = ['__proto__', 'constructor', 'prototype'];
/**

@@ -73,2 +75,8 @@ * Clones objects

for (k in obj) {
// Not technically prototype pollution because this wouldn't merge properties
// onto `Object.prototype`, but avoid properties like __proto__ as a precaution.
if (specialProperties.indexOf(k) !== -1) {
continue;
}
val = clone(obj[k], options);

@@ -138,2 +146,5 @@

key = keys[i];
if (specialProperties.indexOf(key) !== -1) {
continue;
}
if ('undefined' === typeof to[key]) {

@@ -140,0 +151,0 @@ to[key] = from[key];
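Review bot: The comment added in the clone hunk ("Not technically prototype pollution") should not be read as applying to the merge hunk below it: on a plain target `to.__proto__` resolves to `Object.prototype`, so before this change the recursive-merge path for a defined `to[key]` would have written caller-controlled keys onto the shared prototype, which is prototype pollution proper. A short comment on the merge skip would make that distinction explicit, e.g. `// __proto__/constructor/prototype on a plain target resolve to shared objects; never merge into them.` The name-based skip list covering `__proto__`, `constructor` and `prototype` is the right set for both paths, and the same check appearing twice could be a small helper (`isSpecialProperty(key)`) so the list cannot drift. The enclosing clone loop and merge function start and end outside these hunks, and this section's file header was dropped in rendering (it appears to be the utils module named in the changelog).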

4

package.json
{
"name": "mquery",
"version": "3.2.2",
"version": "3.2.3",
"description": "Expressive query building for MongoDB",

@@ -28,3 +28,3 @@ "main": "lib/mquery.js",

"mocha": "4.1.0",
"mongodb": "3.1.1"
"mongodb": "3.6.1"
},

@@ -31,0 +31,0 @@ "bugs": {

@@ -143,3 +143,21 @@ 'use strict';

});
it('skips __proto__', function() {
var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}');
var res = utils.clone(payload);
assert.strictEqual({}.polluted, void 0);
assert.strictEqual(res.__proto__, Object.prototype);
});
});
describe('merge', function() {
it('avoids prototype pollution', function() {
var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}');
var obj = {};
utils.merge(obj, payload);
assert.strictEqual({}.polluted, void 0);
});
});
});
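Review bot: The merge test only checks the global `{}.polluted`, so it would not catch merge assigning `__proto__` onto the target itself through the `'undefined' === typeof to[key]` branch (for example when `to` is created with `Object.create(null)`); add `assert.strictEqual(obj.polluted, void 0);` and `assert.strictEqual(Object.getPrototypeOf(obj), Object.prototype);` after the `utils.merge(obj, payload)` call. The clone test would similarly benefit from `assert.strictEqual(res.polluted, void 0);` next to its prototype check. Both tests depend on global state, so a pollution caused by an earlier test would make them fail for an unrelated reason; acceptable for a regression test, but worth a one-line comment. This section's file header is missing from the rendering; it appears to be the utils test file, inferred from the `utils.clone`/`utils.merge` calls.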