Skip to content

Commit

Permalink
do not allow invalid hazardous string as section name
Browse files Browse the repository at this point in the history
  • Loading branch information
isaacs committed Dec 8, 2020
1 parent 738eca5 commit 56d2805
Show file tree
Hide file tree
Showing 2 changed files with 53 additions and 0 deletions.
8 changes: 8 additions & 0 deletions ini.js
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,12 @@ function decode (str) {
if (!match) return
if (match[1] !== undefined) {
section = unsafe(match[1])
if (section === '__proto__') {
// not allowed
// keep parsing the section, but don't attach it.
p = {}
return
}
p = out[section] = out[section] || {}
return
}
Expand All @@ -94,6 +100,7 @@ function decode (str) {
// Convert keys with '[]' suffix to an array
if (key.length > 2 && key.slice(-2) === '[]') {
key = key.substring(0, key.length - 2)
if (key === '__proto__') return
if (!p[key]) {
p[key] = []
} else if (!Array.isArray(p[key])) {
Expand Down Expand Up @@ -125,6 +132,7 @@ function decode (str) {
var l = parts.pop()
var nl = l.replace(/\\\./g, '.')
parts.forEach(function (part, _, __) {
if (part === '__proto__') return
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
p = p[part]
})
Expand Down
45 changes: 45 additions & 0 deletions test/proto.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
var ini = require('../')
var t = require('tap')

var data = `
__proto__ = quux
foo = baz
[__proto__]
foo = bar
[other]
foo = asdf
[kid.__proto__.foo]
foo = kid
[arrproto]
hello = snyk
__proto__[] = you did a good job
__proto__[] = so you deserve arrays
thanks = true
`
var res = ini.parse(data)
t.deepEqual(res, {
foo: 'baz',
other: {
foo: 'asdf',
},
kid: {
foo: {
foo: 'kid',
},
},
arrproto: {
hello: 'snyk',
thanks: true,
},
})
t.equal(res.__proto__, Object.prototype)
t.equal(res.kid.__proto__, Object.prototype)
t.equal(res.kid.foo.__proto__, Object.prototype)
t.equal(res.arrproto.__proto__, Object.prototype)
t.equal(Object.prototype.foo, undefined)
t.equal(Object.prototype[0], undefined)
t.equal(Object.prototype['0'], undefined)
t.equal(Object.prototype[1], undefined)
t.equal(Object.prototype['1'], undefined)
t.equal(Array.prototype[0], undefined)
t.equal(Array.prototype[1], undefined)

0 comments on commit 56d2805

Please sign in to comment.