From 234e3437019c6c07537ed2ad1e03b3e132b85e34 Mon Sep 17 00:00:00 2001
From: Jan Lehnardt
Date: Fri, 3 Jul 2020 09:50:07 +0200
Subject: [PATCH] fix: prototype pollution
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

for curiousity’s sake, I checked if this has any significant performance impact and it does not.

Based on 10 runs before and after, all values in percent:

MED AVG
get first level property 0.37 0.42
get second level property 0.40 0.61
get third level property 0.26 0.41
set first level property 2.25 2.16
set second level property 1.45 1.67
set third level property 2.05 1.98
push property into array -0.41 -0.51

2.25% slowdown as a worst case is not significant.
---
 jsonpointer.js | 3 +++
 test.js | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/jsonpointer.js b/jsonpointer.js
index 7cfaec0..3635882 100644
--- a/jsonpointer.js
+++ b/jsonpointer.js
@@ -17,6 +17,9 @@ function setter (obj, pointer, value) {
   var part
   var hasNextPart
 
+  if (pointer[1] === 'constructor' && pointer[2] === 'prototype') return obj
+  if (pointer[1] === '__proto__') return obj
+
   for (var p = 1, len = pointer.length; p < len;) {
     part = untilde(pointer[p++])
     hasNextPart = len > p
diff --git a/test.js b/test.js
index e3d9963..746148c 100644
--- a/test.js
+++ b/test.js
@@ -128,4 +128,12 @@ assert.equal(pointer.set(a, 'test'), 'bar')
 assert.equal(pointer.get(a), 'test')
 assert.deepEqual(a, {foo: 'test'})
 
+var b = {}
+jsonpointer.set({}, '/constructor/prototype/boo', 'polluted')
+assert(!b.boo, 'should not boo')
+
+var c = {}
+jsonpointer.set({}, '/__proto__/boo', 'polluted')
+assert(!c.boo, 'should not boo')
+
 console.log('All tests pass.')
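Review bot: The new guard at the top of setter inspects only pointer[1] and pointer[2], so a pointer whose `__proto__` segment or `constructor`/`prototype` pair appears at any later position is not rejected, and the loop below still walks into Object.prototype and assigns onto it. The check belongs inside the `for` loop, applied to every segment right after `part = untilde(pointer[p++])`, e.g. `if (part === '__proto__' || (part === 'constructor' && pointer[p] === 'prototype')) return obj`. Returning obj silently also gives the caller no signal that the write was dropped; if the remainder of setter (which continues outside this hunk) returns obj on success too, consider throwing a TypeError instead, or at least add a comment above the guard such as `// refuse to walk into Object.prototype via __proto__ or constructor.prototype`. The test.js hunk only exercises pointers whose first segment is the dangerous one, so it would still pass with the deeper-path gap present; a case on a nested object, along the lines of the existing `'/__proto__/boo'` but placed under a real first-level key, would cover it.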