Commit 04c06f8

committed

Disable prototype pollution on returned diff object

1 parent e37b759 commit 04c06f8Copy full SHA for 04c06f8

File tree

6 files changed

+66

-80

lines changed

src
test
- pollution.test.js

6 files changed

+66

-80

lines changed

`‎src/added.js`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { isEmpty, isObject, hasOwnProperty } from './utils.js';`
	`1`	`+import { isEmpty, isObject, hasOwnProperty,makeObjectWithoutPrototype } from './utils.js';`
`2`	`2`
`3`	`3`	`const addedDiff = (lhs, rhs) => {`
`4`	`4`
`@@ -19,7 +19,7 @@ const addedDiff = (lhs, rhs) => {`
`19`	`19`
`20`	`20`	`acc[key] = r[key];`
`21`	`21`	`return acc;`
`22`		`- }, {});`
	`22`	`+ }, makeObjectWithoutPrototype());`
`23`	`23`	`};`
`24`	`24`
`25`	`25`	`export default addedDiff;`

`‎src/deleted.js`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { isEmpty, isObject, hasOwnProperty } from './utils.js';`
	`1`	`+import { isEmpty, isObject, hasOwnProperty,makeObjectWithoutPrototype } from './utils.js';`
`2`	`2`
`3`	`3`	`const deletedDiff = (lhs, rhs) => {`
`4`	`4`	`if (lhs === rhs \|\| !isObject(lhs) \|\| !isObject(rhs)) return {};`
`@@ -18,7 +18,7 @@ const deletedDiff = (lhs, rhs) => {`
`18`	`18`
`19`	`19`	`acc[key] = undefined;`
`20`	`20`	`return acc;`
`21`		`- }, {});`
	`21`	`+ }, makeObjectWithoutPrototype());`
`22`	`22`	`};`
`23`	`23`
`24`	`24`	`export default deletedDiff;`

`‎src/diff.js`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { isDate, isEmptyObject, isObject, hasOwnProperty } from './utils.js';`
	`1`	`+import { isDate, isEmptyObject, isObject, hasOwnProperty,makeObjectWithoutPrototype } from './utils.js';`
`2`	`2`
`3`	`3`	`const diff = (lhs, rhs) => {`
`4`	`4`	`if (lhs === rhs) return {}; // equal return no diff`
`@@ -15,7 +15,7 @@ const diff = (lhs, rhs) => {`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`return acc;`
`18`		`- }, {});`
	`18`	`+ }, makeObjectWithoutPrototype());`
`19`	`19`
`20`	`20`	`if (isDate(l) \|\| isDate(r)) {`
`21`	`21`	`if (l.valueOf() == r.valueOf()) return {};`

`‎src/updated.js`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { isDate, isEmptyObject, isObject, hasOwnProperty } from './utils.js';`
	`1`	`+import { isDate, isEmptyObject, isObject, hasOwnProperty,makeObjectWithoutPrototype } from './utils.js';`
`2`	`2`
`3`	`3`	`const updatedDiff = (lhs, rhs) => {`
`4`	`4`	`if (lhs === rhs) return {};`
`@@ -26,7 +26,7 @@ const updatedDiff = (lhs, rhs) => {`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`return acc;`
`29`		`- }, {});`
	`29`	`+ }, makeObjectWithoutPrototype());`
`30`	`30`	`};`
`31`	`31`
`32`	`32`	`export default updatedDiff;`

`‎src/utils.js`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,3 +3,4 @@ export const isEmpty = o => Object.keys(o).length === 0;`
`3`	`3`	`export const isObject = o => o != null && typeof o === 'object';`
`4`	`4`	`export const hasOwnProperty = (o, ...args) => Object.prototype.hasOwnProperty.call(o, ...args)`
`5`	`5`	`export const isEmptyObject = (o) => isObject(o) && isEmpty(o);`
	`6`	`+export const makeObjectWithoutPrototype = () => Object.create(null);`

`‎test/pollution.test.js`

Lines changed: 57 additions & 72 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,85 +1,70 @@`
`1`	`1`	`import addedDiff from "../src/added";`
	`2`	`+import updatedDiff from "../src/updated";`
	`3`	`+import diff from "../src/diff";`
	`4`	`+import deletedDiff from "../src/deleted";`
`2`	`5`
`3`	`6`	`describe("Prototype pollution", () => {`
`4`		`- test("Demonstrate prototype pollution globally across all objects", () => {`
`5`		`- const a = {};`
`6`		`- const b = new Object();`
`7`		`-`
`8`		`- expect(a.hello).toBeUndefined();`
`9`		`- expect(b.hello).toBeUndefined();`
`10`		`- expect({}.hello).toBeUndefined();`
`11`		`-`
`12`		`- b.__proto__.hello = "world";`
`13`		`-`
`14`		`- expect(a.hello).toBe("world");`
`15`		`- expect(b.hello).toBe("world");`
`16`		`- expect({}.hello).toBe("world");`
	`7`	`+ describe("diff", () => {`
	`8`	`+ test("should not pollute returned diffs prototype", () => {`
	`9`	`+ const l = { role: "user" };`
	`10`	`+ const r = JSON.parse('{ "role": "user", "__proto__": { "role": "admin" } }');`
	`11`	`+ const difference = diff(l, r);`
	`12`	`+`
	`13`	`+ expect(l.role).toBe("user");`
	`14`	`+ expect(r.role).toBe("user");`
	`15`	`+ expect(difference.role).toBeUndefined();`
	`16`	`+ });`
	`17`	`+`
	`18`	`+ test("should not pollute returned diffs prototype on nested diffs", () => {`
	`19`	`+ const l = { about: { role: "user" } };`
	`20`	`+ const r = JSON.parse('{ "about": { "__proto__": { "role": "admin" } } }');`
	`21`	`+ const difference = addedDiff(l, r);`
	`22`	`+`
	`23`	`+ expect(l.about.role).toBe("user");`
	`24`	`+ expect(r.about.role).toBeUndefined();`
	`25`	`+ expect(difference.about.role).toBeUndefined();`
	`26`	`+ });`
`17`	`27`	`});`
`18`	`28`
`19`		- test("addedDiff does not pollute global prototype when running diff with added `__proto__` key", () => {
`20`		`- const a = { role: "user" };`
`21`		`- const b = JSON.parse('{ "__proto__": { "role": "admin" } }');`
`22`		`-`
`23`		`- expect(a.role).toBe("user");`
`24`		`- expect(a.__proto__.role).toBeUndefined();`
`25`		`- expect(b.role).toBeUndefined();`
`26`		`- expect(b.__proto__.role).toBe("admin");`
`27`		`- expect({}.role).toBeUndefined();`
`28`		`- expect({}.__proto__role).toBeUndefined();`
`29`		`-`
`30`		`- const difference = addedDiff(a, b);`
`31`		`-`
`32`		`- expect(a.role).toBe("user");`
`33`		`- expect(a.__proto__.role).toBeUndefined();`
`34`		`- expect(b.__proto__.role).toBe("admin");`
`35`		`- expect(b.role).toBeUndefined();`
`36`		`- expect({}.role).toBeUndefined();`
`37`		`- expect({}.__proto__role).toBeUndefined();`
`38`		`-`
`39`		`- expect(difference).toEqual({ __proto__: { role: "admin" } });`
	`29`	`+ describe("addedDiff", () => {`
	`30`	`+ test("addedDiff should not pollute returned diffs prototype", () => {`
	`31`	`+ const l = { role: "user" };`
	`32`	`+ const r = JSON.parse('{ "__proto__": { "role": "admin" } }');`
	`33`	`+ const difference = addedDiff(l, r);`
	`34`	`+`
	`35`	`+ expect(l.role).toBe("user");`
	`36`	`+ expect(r.role).toBeUndefined();`
	`37`	`+ expect(difference.role).toBeUndefined();`
	`38`	`+ });`
	`39`	`+`
	`40`	`+ test("should not pollute returned diffs prototype on nested diffs", () => {`
	`41`	`+ const l = { about: { role: "user" } };`
	`42`	`+ const r = JSON.parse('{ "about": { "__proto__": { "role": "admin" } } }');`
	`43`	`+ const difference = addedDiff(l, r);`
	`44`	`+`
	`45`	`+ expect(l.about.role).toBe("user");`
	`46`	`+ expect(r.about.role).toBeUndefined();`
	`47`	`+ expect(difference.about.role).toBeUndefined();`
	`48`	`+ });`
`40`	`49`	`});`
`41`	`50`
`42`		- test("addedDiff does not pollute global prototype when running diff with added `__proto__` key generated from JSON.parse and mutating original left hand object", () => {
`43`		`- let a = { role: "user" };`
`44`		- // Note: Don't trust `JSON.parse`!!!
`45`		`- const b = JSON.parse('{ "__proto__": { "role": "admin" } }');`
`46`		`-`
`47`		`- expect(a.role).toBe("user");`
`48`		`- expect(a.__proto__.role).toBeUndefined();`
`49`		`- expect(b.role).toBeUndefined();`
`50`		`- expect(b.__proto__.role).toBe("admin");`
`51`		`- expect({}.role).toBeUndefined();`
`52`		`- expect({}.__proto__role).toBeUndefined();`
`53`		`-`
`54`		`- // Note: although this does not pollute the global proto, it does pollute the original object. (Don't mutate kids!)`
`55`		`- a = addedDiff(a, b);`
	`51`	`+ test("updatedDiff should not pollute returned diffs prototype", () => {`
	`52`	`+ const l = { role: "user" };`
	`53`	`+ const r = JSON.parse('{ "role": "user", "__proto__": { "role": "admin" } }');`
	`54`	`+ const difference = updatedDiff(l, r);`
`56`	`55`
`57`		`- expect(a.role).toBe("admin");`
`58`		`- expect(a.__proto__.role).toBe("admin");`
`59`		`- expect(b.__proto__.role).toBe("admin");`
`60`		`- expect(b.role).toBeUndefined();`
`61`		`- expect({}.role).toBeUndefined();`
`62`		`- expect({}.__proto__role).toBeUndefined();`
	`56`	`+ expect(l.role).toBe("user");`
	`57`	`+ expect(r.role).toBe("user");`
	`58`	`+ expect(difference.role).toBeUndefined();`
`63`	`59`	`});`
`64`	`60`
`65`		- test("addedDiff does not pollute global prototype or original object when running diff with added `__proto__` key", () => {
`66`		`- let a = { role: "user" };`
`67`		`- const b = { __proto__: { role: "admin" } };`
`68`		`-`
`69`		`- expect(a.role).toBe("user");`
`70`		`- expect(a.__proto__.role).toBeUndefined();`
`71`		`- expect(b.role).toBe("admin");`
`72`		`- expect(b.__proto__.role).toBe("admin");`
`73`		`- expect({}.role).toBeUndefined();`
`74`		`- expect({}.__proto__role).toBeUndefined();`
`75`		`-`
`76`		`- a = addedDiff(a, b);`
	`61`	`+ test("deletedDiff should not pollute returned diffs prototype", () => {`
	`62`	`+ const l = { role: "user" };`
	`63`	`+ const r = JSON.parse('{ "__proto__": { "role": "admin" } }');`
	`64`	`+ const difference = deletedDiff(l, r);`
`77`	`65`
`78`		`- expect(a.role).toBeUndefined();`
`79`		`- expect(a.__proto__.role).toBeUndefined();`
`80`		`- expect(b.role).toBe("admin");`
`81`		`- expect(b.__proto__.role).toBe("admin");`
`82`		`- expect({}.role).toBeUndefined();`
`83`		`- expect({}.__proto__role).toBeUndefined();`
	`66`	`+ expect(l.role).toBe("user");`
	`67`	`+ expect(r.role).toBeUndefined();`
	`68`	`+ expect(difference.role).toBeUndefined();`
`84`	`69`	`});`
`85`	`70`	`});`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit 04c06f8

File tree

6 files changed

6 files changed

`‎src/added.js`

`‎src/deleted.js`

`‎src/diff.js`

`‎src/updated.js`

`‎src/utils.js`

`‎test/pollution.test.js`

0 commit comments