Fix prototype pollution when path components are not strings

mariocasciaro · Aug 27, 2021 · 7bdf4ab · 7bdf4ab
1 parent ebc5e2c
commit 7bdf4ab
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/index.js b/index.js
@@ -111,6 +111,9 @@
         return set(obj, path.split('.').map(getKey), value, doNotReplace);
       }
       var currentPath = path[0];
+      if (typeof currentPath !== 'string' && typeof currentPath !== 'number') {
+        currentPath = String(currentPath)
+      }
       var currentValue = getShallowProperty(obj, currentPath);
       if (options.includeInheritedProps && (currentPath === '__proto__' ||
         (currentPath === 'constructor' && typeof currentValue === 'function'))) {

diff --git a/test.js b/test.js
@@ -241,12 +241,18 @@ describe('set', function () {
     objectPath.set({}, '__proto__.injected', 'this is bad')
     expect(Object.prototype.injected).to.be.undefined
 
+    objectPath.set({}, [['__proto__'], 'injected'], 'this is bad')
+    expect(Object.prototype.injected).to.be.undefined
+
     function Clazz() {}
     Clazz.prototype.test = 'original'
 
     objectPath.set(new Clazz(), '__proto__.test', 'this is bad')
     expect(Clazz.prototype.test).to.be.equal('original')
 
+    objectPath.set(new Clazz(), [['__proto__'], 'test'], 'this is bad')
+    expect(Clazz.prototype.test).to.be.equal('original')
+
     objectPath.set(new Clazz(), 'constructor.prototype.test', 'this is bad')
     expect(Clazz.prototype.test).to.be.equal('original')
   })
@@ -256,6 +262,11 @@ describe('set', function () {
       .to.throw('For security reasons')
     expect(Object.prototype.injected).to.be.undefined
 
+    expect(function() {
+      objectPath.withInheritedProps.set({}, [['__proto__'], 'injected'], 'this is bad')
+      expect(Object.prototype.injected).to.be.undefined
+    }).to.throw('For security reasons')
+
     function Clazz() {}
     Clazz.prototype.test = 'original'
 
@@ -267,8 +278,11 @@ describe('set', function () {
       .to.throw('For security reasons')
     expect(Clazz.prototype.test).to.be.equal('original')
 
-    const obj = {}
-    expect(function() {objectPath.withInheritedProps.set(obj, 'constructor.prototype.injected', 'this is OK')})
+    expect(function() {objectPath.withInheritedProps.set({}, 'constructor.prototype.injected', 'this is OK')})
+      .to.throw('For security reasons')
+    expect(Object.prototype.injected).to.be.undefined
+
+    expect(function() {objectPath.withInheritedProps.set({}, [['constructor'], 'prototype', 'injected'], 'this is bad')})
       .to.throw('For security reasons')
     expect(Object.prototype.injected).to.be.undefined
   })