Merge pull request #2 from 418sec/1-npm-nested-objects-util

BonneVoyager · web-flow · commit 46d3fa58b691 · 2021-01-14T17:50:14.000+01:00
Security Fix for Prototype Pollution - huntr.dev
diff --git a/index.js b/index.js
@@ -17,6 +17,16 @@ var indexOf = [].indexOf || function(elt/*,from*/) {
   return -1
 }
 
+/**
+ * Returns true, if given key is included in the blacklisted
+ * keys.
+ * @param {String} key key for check, string.
+ * @returns {Boolean}.
+ */
+function isPrototypePolluted(key) {
+  return ['__proto__', 'prototype', 'constructor'].includes(key);
+}
+
 // based on Bergi's https://stackoverflow.com/questions/19098797/fastest-way-to-flatten-un-flatten-nested-json-objects
 
 function flatten(data, sortKeysFlag) {
@@ -64,7 +74,9 @@ function unflatten(data) {
     do {
       idx = indexOf.call(p, ".", last)
       temp = p.substring(last, ~idx ? idx : undefined)
-      cur = cur[prop] || (cur[prop] = (!isNaN(parseInt(temp)) ? [] : {}))
+      if (!isPrototypePolluted(prop)) {
+        cur = cur[prop] || (cur[prop] = (!isNaN(parseInt(temp)) ? [] : {}))
+      }
       prop = temp
       last = idx + 1
     } while(idx >= 0)
diff --git a/index.spec.js b/index.spec.js
@@ -64,6 +64,18 @@ describe('nested-objects-util', () => {
         }
       })
     })
+
+
+    it('should prevent prototype pollution on unflattening an object', () => {
+      const unflattened = nestedObjectsUtil.unflatten({
+        "__proto__.polluted": "Yes! Its Polluted"
+      })
+      assert.deepEqual(unflattened, {
+        polluted: "Yes! Its Polluted"
+      })
+      assert.notEqual({}.polluted, "Yes! Its Polluted")
+      assert.equal({}.polluted, undefined)
+    })
   })
 
   describe('accessProperty', () => {
