object-path

object-path - npm Package Compare versions

Comparing version 0.11.5 to 0.11.6

3

index.js

@@ -114,2 +114,5 @@ (function (root, factory){

var currentPath = path[0];
if (typeof currentPath !== 'string' && typeof currentPath !== 'number') {
currentPath = String(currentPath)
}
var currentValue = getShallowProperty(obj, currentPath);

@@ -116,0 +119,0 @@ if (options.includeInheritedProps && (currentPath === '__proto__' ||
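Review bot: The new `if (typeof currentPath !== 'string' && typeof currentPath !== 'number')` coercion carries no comment explaining why it is there, and its purpose is not obvious from the code alone: it folds a wrapped key such as `['__proto__']` into the string `'__proto__'` so that the `includeInheritedProps` guard that follows (visible in the next hunk header) compares the same value that `getShallowProperty(obj, currentPath)` looks up. I would add above the `if`: `// Coerce non-string keys (e.g. ['__proto__'] from an array path element) to a string so the __proto__/constructor/prototype guard below sees the same key that is used for the lookup.` Note that `String(currentPath)` throws for a key object with a null prototype or a non-callable `toString`; that is presumably acceptable for a path element, but worth a one-line note if it was considered. The enclosing function starts before this hunk and continues past it.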

12

package.json
{
"name": "object-path",
"description": "Access deep object properties using a path",
"version": "0.11.5",
"version": "0.11.6",
"author": {

@@ -18,7 +18,7 @@ "name": "Mario Casciaro"

"@mariocasciaro/benchpress": "^0.1.3",
"chai": "^4.2.0",
"coveralls": "^3.1.0",
"nyc": "^15.1.0",
"mocha": "^8.1.3",
"mocha-lcov-reporter": "^1.3.0"
"chai": "^4.3.4",
"coveralls": "^3.1.1",
"mocha": "^9.1.0",
"mocha-lcov-reporter": "^1.3.0",
"nyc": "^15.1.0"
},

@@ -25,0 +25,0 @@ "scripts": {

@@ -18,3 +18,3 @@

* **SECURITY FIX**. Fix a prototype pollution vulnerability in the `set()` function when using the "inherited props" mode (e.g. when a new `object-path` instance is created with the `includeInheritedProps` option set to `true` or when using the `withInheritedProps` default instance. The vulnerability does not exist in the default instance exposed by object path (e.g `objectPath.set()`).
* **SECURITY FIX**. Fix a prototype pollution vulnerability in the `set()` function when using the "inherited props" mode (e.g. when a new `object-path` instance is created with the `includeInheritedProps` option set to `true` or when using the `withInheritedProps` default instance. The vulnerability does not exist in the default instance exposed by object path (e.g `objectPath.set()`) if using version >= `0.11.0`.

@@ -21,0 +21,0 @@ ### 0.11.0

@@ -244,2 +244,5 @@ 'use strict'

objectPath.set({}, [['__proto__'], 'injected'], 'this is bad')
expect(Object.prototype.injected).to.be.undefined
function Clazz() {}

@@ -251,2 +254,5 @@ Clazz.prototype.test = 'original'

objectPath.set(new Clazz(), [['__proto__'], 'test'], 'this is bad')
expect(Clazz.prototype.test).to.be.equal('original')
objectPath.set(new Clazz(), 'constructor.prototype.test', 'this is bad')

@@ -261,2 +267,7 @@ expect(Clazz.prototype.test).to.be.equal('original')

expect(function() {
objectPath.withInheritedProps.set({}, [['__proto__'], 'injected'], 'this is bad')
expect(Object.prototype.injected).to.be.undefined
}).to.throw('For security reasons')
function Clazz() {}

@@ -273,6 +284,9 @@ Clazz.prototype.test = 'original'

const obj = {}
expect(function() {objectPath.withInheritedProps.set(obj, 'constructor.prototype.injected', 'this is OK')})
expect(function() {objectPath.withInheritedProps.set({}, 'constructor.prototype.injected', 'this is OK')})
.to.throw('For security reasons')
expect(Object.prototype.injected).to.be.undefined
expect(function() {objectPath.withInheritedProps.set({}, [['constructor'], 'prototype', 'injected'], 'this is bad')})
.to.throw('For security reasons')
expect(Object.prototype.injected).to.be.undefined
})

@@ -279,0 +293,0 @@ })
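Review bot: In the `@@ -261,2 +267,7 @@` hunk, as the lines print here, the assertion `expect(Object.prototype.injected).to.be.undefined` sits inside the function handed to `expect(...).to.throw('For security reasons')`, so once `withInheritedProps.set` throws as intended the assertion never runs, and a pollution that occurred before the throw would go unnoticed. The `@@ -273,6 +284,9 @@` hunk already uses the right shape; mirror it here by moving the check after the wrapper, i.e. `}).to.throw('For security reasons')` followed by `expect(Object.prototype.injected).to.be.undefined`. None of these hunks delete `Object.prototype.injected` afterwards, so a regression in one case would leave `Object.prototype` polluted for every test that follows; an `afterEach(function () { delete Object.prototype.injected })` would keep the cases independent. The enclosing `describe`/`it` blocks start and end outside these hunks, and this section's file header is not shown on the page.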
