fix: prevent code injection in copying properties
wdavidw committed Sep 16, 2021
1 parent 0ae9132 commit db70fe9
Showing 6 changed files with 24 additions and 5 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,10 @@

# Changelog

## Trunk

* fix: prevent code injection in copying properties

## Version 0.5.1

* fix: dont pollute object proto #1
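--- a/dist/mixme.cjs.js
+++ b/dist/mixme.cjs.js
@@ -50,7 +50,10 @@ exports.mutate = function mutate() {
 }
 
 for (name in source) {
-if (name === '__proto__') {
+if (/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test(name)) {
+// See
+// https://github.com/adaltas/node-mixme/issues/1
+// https://github.com/adaltas/node-mixme/issues/2
 continue;
 }
 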
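--- a/dist/mixme.esm.js
+++ b/dist/mixme.esm.js
@@ -46,7 +46,10 @@ _mutate = function mutate() {
 }
 
 for (name in source) {
-if (name === '__proto__') {
+if (/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test(name)) {
+// See
+// https://github.com/adaltas/node-mixme/issues/1
+// https://github.com/adaltas/node-mixme/issues/2
 continue;
 }
 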
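--- a/dist/mixme.umd.js
+++ b/dist/mixme.umd.js
@@ -52,7 +52,10 @@
 }
 
 for (name in source) {
-if (name === '__proto__') {
+if (/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test(name)) {
+// See
+// https://github.com/adaltas/node-mixme/issues/1
+// https://github.com/adaltas/node-mixme/issues/2
 continue;
 }
 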
5 changes: 4 additions & 1 deletion lib/index.js


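--- a/src/index.coffee
+++ b/src/index.coffee
@@ -19,7 +19,10 @@ mutate = ->
 if is_object_literal source
 target = {} unless is_object_literal target
 for name of source
-continue if name is '__proto__'
+# See
+# https://github.com/adaltas/node-mixme/issues/1
+# https://github.com/adaltas/node-mixme/issues/2
+continue if /__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test name
 target[name] = mutate target[name], source[name]
 else if Array.isArray source
 target = for v in source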
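Review bot: The new `continue if /__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test name` guard is a substring denylist, so it silently drops any legitimate key whose name merely contains `eval`, `function`, `prototype`, `constructor` or a whitespace character (`evaluation`, `functional`, `first name`), while the names that matter for prototype pollution through an object merge are exactly `__proto__`, `constructor` and `prototype`; the keyword and punctuation terms do not stop anything a plain property copy could do. An exact-match check is safer for callers and clearer about what it protects against: `continue if name in ['__proto__', 'constructor', 'prototype']`. Since `for name of source` compiles to a plain for-in that also visits inherited enumerable properties, `for own name of source` (CoffeeScript's hasOwnProperty form) would close that route as well. The same regex is mirrored by hand in the three dist/ builds, which should be regenerated from this file so the check cannot drift. mutate's body starts and ends outside the hunk.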
