Comparing version 3.2.2 to 3.2.3
@@ -0,1 +1,5 @@ | ||
3.2.3 / 2020-12-10 | ||
================== | ||
* fix(utils): avoid copying special properties like `__proto__` when merging and cloning | ||
3.2.2 / 2019-09-22 | ||
@@ -2,0 +6,0 @@ ================== |
@@ -10,2 +10,4 @@ 'use strict'; | ||
var specialProperties = ['__proto__', 'constructor', 'prototype']; | ||
/** | ||
@@ -73,2 +75,8 @@ * Clones objects | ||
for (k in obj) { | ||
// Not technically prototype pollution because this wouldn't merge properties | ||
// onto `Object.prototype`, but avoid properties like __proto__ as a precaution. | ||
if (specialProperties.indexOf(k) !== -1) { | ||
continue; | ||
} | ||
val = clone(obj[k], options); | ||
@@ -138,2 +146,5 @@ | ||
key = keys[i]; | ||
if (specialProperties.indexOf(key) !== -1) { | ||
continue; | ||
} | ||
if ('undefined' === typeof to[key]) { | ||
@@ -140,0 +151,0 @@ to[key] = from[key]; |
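Review bot: The merge-side guard `if (specialProperties.indexOf(key) !== -1)` has no comment, yet it is the branch where the check matters most: `to[key]` is never undefined for `key === '__proto__'` on a plain object, so control falls into the else path below the hunk, which presumably recurses into `to[key]` — that is, into `Object.prototype` — and would write the attacker-controlled keys there. A one-line comment such as `// Must run before the typeof to[key] branch: recursing into to.__proto__ would merge into Object.prototype` would record why the check sits at this position. The clone-side comment could likewise mention that `for (k in obj)` also visits inherited enumerable keys, so the list check is applied to those as well. Both enclosing functions start and end outside the hunk.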
{ | ||
"name": "mquery", | ||
"version": "3.2.2", | ||
"version": "3.2.3", | ||
"description": "Expressive query building for MongoDB", | ||
@@ -28,3 +28,3 @@ "main": "lib/mquery.js", | ||
"mocha": "4.1.0", | ||
"mongodb": "3.1.1" | ||
"mongodb": "3.6.1" | ||
}, | ||
@@ -31,0 +31,0 @@ "bugs": { |
@@ -143,3 +143,21 @@ 'use strict'; | ||
}); | ||
it('skips __proto__', function() { | ||
var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}'); | ||
var res = utils.clone(payload); | ||
assert.strictEqual({}.polluted, void 0); | ||
assert.strictEqual(res.__proto__, Object.prototype); | ||
}); | ||
}); | ||
describe('merge', function() { | ||
it('avoids prototype pollution', function() { | ||
var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}'); | ||
var obj = {}; | ||
utils.merge(obj, payload); | ||
assert.strictEqual({}.polluted, void 0); | ||
}); | ||
}); | ||
}); |
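Review bot: Both new tests assert only `{}.polluted === void 0`, so if either fails the run leaves `Object.prototype.polluted` set and every later test that reads a missing property silently sees `"vulnerable"`; an `afterEach(function() { delete Object.prototype.polluted; });` inside these describe blocks would keep one failure from cascading. The merge test could also check the target itself with `assert.ok(!('polluted' in obj));`, since a regression that assigned `obj.__proto__` directly would poison `obj` without touching the global prototype. The outer describe block starts outside the hunk.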