Skip to content

Commit

Permalink
prototype pollution fix #2
Browse files Browse the repository at this point in the history
  • Loading branch information
richardgirges committed Jul 31, 2020
1 parent 829f395 commit 94c9cf9
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 5 deletions.
2 changes: 1 addition & 1 deletion lib/processNested.js
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
const INVALID_KEYS = ['__proto__'];
const INVALID_KEYS = ['__proto__', 'constructor'];

module.exports = function(data){
if (!data || data.length < 1) return {};
Expand Down
10 changes: 6 additions & 4 deletions test/processNested.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -47,11 +47,13 @@ describe('Test Convert Flatten object to Nested object', function() {
});

it('Do not allow prototype pollution', () => {
const pollutionOb = JSON.parse(`{"__proto__.POLLUTED": "FOOBAR"}`);
const pollutionOb1 = JSON.parse(`{"__proto__.POLLUTED1": "FOOBAR"}`);
const pollutionOb2 = JSON.parse(`{"constructor.prototype.POLLUTED2": "FOOBAR"}`);

processNested(pollutionOb);
processNested(pollutionOb1);
processNested(pollutionOb2);

// eslint-disable-next-line no-undef
assert.equal(global.POLLUTED, undefined);
assert.equal(global.POLLUTED1, undefined);
assert.equal(global.POLLUTED2, undefined);
});
});

0 comments on commit 94c9cf9

Please sign in to comment.