lines changed Expand file tree Collapse file tree 2 files changed +53
-0
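--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -80,6 +80,12 @@ function decode (str) {
     if (!match) return
     if (match[1] !== undefined) {
       section = unsafe(match[1])
+      if (section === '__proto__') {
+        // not allowed
+        // keep parsing the section, but don't attach it.
+        p = {}
+        return
+      }
       p = out[section] = out[section] || {}
       return
     }
@@ -94,6 +100,7 @@ function decode (str) {
     // Convert keys with '[]' suffix to an array
     if (key.length > 2 && key.slice(-2) === '[]') {
       key = key.substring(0, key.length - 2)
+      if (key === '__proto__') return
       if (!p[key]) {
         p[key] = []
       } else if (!Array.isArray(p[key])) {
@@ -125,6 +132,7 @@ function decode (str) {
     var l = parts.pop()
     var nl = l.replace(/\\\./g, '.')
     parts.forEach(function (part, _, __) {
+      if (part === '__proto__') return
       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
       p = p[part]
     })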
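--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+  foo: 'baz',
+  other: {
+    foo: 'asdf',
+  },
+  kid: {
+    foo: {
+      foo: 'kid',
+    },
+  },
+  arrproto: {
+    hello: 'snyk',
+    thanks: true,
+  },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)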
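Review bot: The four prototype assertions starting at `t.equal(res.__proto__, Object.prototype)` read the prototype through the `__proto__` accessor, which is the very mechanism under test and yields `undefined` on a null-prototype object; `Object.getPrototypeOf(res)` states the intent directly, e.g. `t.equal(Object.getPrototypeOf(res), Object.prototype)`. The fixture exercises `[kid.__proto__.foo]` but no dotted section whose last segment is `__proto__` (such as `[kid.__proto__]`), and no top-level `__proto__ = null` line, so those decode paths remain unverified by this test. A short header comment stating what the file protects against — `// regression: __proto__ keys in any position must never reach Object.prototype` — would help, since the file otherwise relies on the fixture text alone to explain itself.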