Skip to content

Commit

Permalink
Merge pull request #237 from richardgirges/fix-236-proto-pollution
Browse files Browse the repository at this point in the history
Fix prototype pollution issue in `processNested`
  • Loading branch information
richardgirges authored Jul 29, 2020
2 parents e9848fc + d81bee9 commit db49535
Show file tree
Hide file tree
Showing 4 changed files with 518 additions and 503 deletions.
12 changes: 10 additions & 2 deletions lib/processNested.js
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
const INVALID_KEYS = ['__proto__'];

module.exports = function(data){
if (!data || data.length < 1) return {};

Expand All @@ -11,10 +13,16 @@ module.exports = function(data){
keyParts = key
.replace(new RegExp(/\[/g), '.')
.replace(new RegExp(/\]/g), '')
.split('.');
.split('.');

for (let index = 0; index < keyParts.length; index++){
let k = keyParts[index];

// Ensure we don't allow prototype pollution
if (INVALID_KEYS.includes(k)) {
continue;
}

if (index >= keyParts.length - 1){
current[k] = value;
} else {
Expand Down
Loading

0 comments on commit db49535

Please sign in to comment.