Skip to content

Commit

Permalink
Merge pull request #118 from mario-canva/master
Browse files Browse the repository at this point in the history
Fix prototype pollution #114
  • Loading branch information
mreinstein authored Mar 21, 2022
2 parents aff22f4 + 5e86ee5 commit 96e2303
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 0 deletions.
6 changes: 6 additions & 0 deletions lib/parse.js
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,12 @@ function parsePlistXML (node) {
if (isEmptyNode(node)) {
return '';
}

invariant(
node.childNodes[0].nodeValue !== '__proto__',
'__proto__ keys can lead to prototype pollution. More details on CVE-2022-22912'
);

return node.childNodes[0].nodeValue;
} else if (node.nodeName === 'string') {
res = '';
Expand Down
12 changes: 12 additions & 0 deletions test/parse.js
Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,18 @@ U=</data>
);
assert.deepEqual(parsed, { a: { a1: true } });
});

/* Test to protect against CVE-2022-22912 */
it('should throw if key value is __proto__', function () {
assert.throws(function () {
parseFixture('<dict><key>__proto__</key><dict><key>length</key><string>polluted</string></dict></dict>');
});

// adding backslash should still be protected.
assert.throws(function () {
parseFixture('<dict><key>_\_proto_\_</key><dict><key>length</key><string>polluted</string></dict></dict>');
});
});
});

describe('integration', function () {
Expand Down

0 comments on commit 96e2303

Please sign in to comment.