fix more theoretical prototype pollution holes. To be clear THESE ARE…
… NOT REAL VULNERABILITIES. These functions are never used with user input and cannot be used in an attack.
koskimas committed Oct 3, 2021
1 parent 9bcd3a2 commit 1282059
Showing 2 changed files with 18 additions and 8 deletions.
24 changes: 17 additions & 7 deletions lib/utils/objectUtils.js
Expand Up @@ -189,7 +189,6 @@ function once(func) {

function flatten(arrays) {
const out = [];
let outIdx = 0;

for (let i = 0, l = arrays.length; i < l; ++i) {
const value = arrays[i];
Expand Down Expand Up @@ -225,9 +224,11 @@ function set(obj, path, value) {

for (let i = 0, l = path.length - 1; i < l; ++i) {
const key = path[i];
if (key === '__proto__') {
return false;

if (!isSafeKey(key)) {
return inputObj;
}

let child = obj[key];

if (!isObject(child)) {
Expand All @@ -246,7 +247,11 @@ function set(obj, path, value) {
}

if (path.length > 0 && isObject(obj)) {
obj[path[path.length - 1]] = value;
const key = path[path.length - 1];

if (isSafeKey(key)) {
obj[key] = value;
}
}

return inputObj;
Expand All @@ -256,10 +261,11 @@ function zipObject(keys, values) {
const out = {};

for (let i = 0, l = keys.length; i < l; ++i) {
if (keys[i] === '__proto__') {
return false;
const key = keys[i];

if (isSafeKey(key)) {
out[key] = values[i];
}
out[keys[i]] = values[i];
}

return out;
Expand Down Expand Up @@ -363,6 +369,10 @@ function compareStrict(val1, val2) {
return val1 === val2;
}

function isSafeKey(key) {
return isNumber(key) || (isString(key) && key !== '__proto__');
}

module.exports = {
isEmpty,
isString,
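Review bot: The new `isSafeKey` at the end of objectUtils.js refuses only `__proto__`, so a path containing `constructor` followed by `prototype` is still accepted, and in `set` the `let child = obj[key]` lookup resolves `constructor` through the prototype chain of a plain object; whether that then passes the `isObject(child)` check and reaches the final assignment depends on `isObject`, which is outside the hunk. The conventional guard also excludes those two names: `return isNumber(key) || (isString(key) && key !== '__proto__' && key !== 'constructor' && key !== 'prototype');`, which keeps the same callers in `set` and `zipObject` working unchanged. A short comment above the function would record the intent that currently lives only in the commit message, e.g. `// Keys that could redirect a nested write into Object.prototype are never traversed or assigned.`. Note that the bodies of `set` and `zipObject` start outside their hunks, so any other write paths through those functions were not reviewed here.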
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "objection",
"version": "2.2.16",
"version": "2.2.17",
"description": "An SQL-friendly ORM for Node.js",
"main": "lib/objection.js",
"license": "MIT",
