fix: 🐛 Security Fix for Prototype Pollution - huntr.dev (#13)

huntr.dev | the place to protect open source · d3v53c · JamieSlome · haozi · commit b14383a5fba3 · 2021-07-16T01:33:11.000+08:00
* prototype pollution fix

* added testcase

Co-authored-by: d3v53c &lt;shitfi63@gmail.com&gt;
Co-authored-by: Jamie Slome &lt;jamie@418sec.com&gt;
diff --git a/.npmrc b/.npmrc
@@ -0,0 +1,2 @@
+engine-strict = true
+registry = https://registry.npmjs.org/
diff --git a/dist/index.js b/dist/index.js
@@ -1,5 +1,5 @@
 /*!
-* jsonuri v2.4.1
+* jsonuri v2.4.2
 * (c) 2021 @aligay
 * Released under the MIT License.
 */
@@ -164,6 +164,12 @@ var get = (function (data, path) {
     return ret;
 });
 
+/**
+ * Returns true, if given key is included in the blacklisted
+ * keys.
+ * @param key key for check, string.
+ */
+var isPrototypePolluted = function (key) { return ['__proto__', 'prototype', 'constructor'].includes(key); };
 var set = (function (data, path, value) {
     path = toString(path);
     if (!(data && path))
@@ -173,6 +179,8 @@ var set = (function (data, path, value) {
     var keys = combingPathKey({ path: path }).keys;
     for (var i = 0, len = keys.length; i < len; i++) {
         var key = keys[i];
+        if (isPrototypePolluted(key))
+            continue;
         if (data[key] == null) {
             data[key] = {};
         }
diff --git a/dist/index.min.js b/dist/index.min.js
diff --git a/dist/index.mjs b/dist/index.mjs
@@ -1,5 +1,5 @@
 /*!
-* jsonuri v2.4.1
+* jsonuri v2.4.2
 * (c) 2021 @aligay
 * Released under the MIT License.
 */
@@ -150,13 +150,20 @@ var get = function (data, path) {
   return ret
 }
 
+/**
+ * Returns true, if given key is included in the blacklisted
+ * keys.
+ * @param key key for check, string.
+ */
+var isPrototypePolluted = function (key) { return ['__proto__', 'prototype', 'constructor'].includes(key) }
 var set = function (data, path, value) {
   path = toString(path)
   if (!(data && path)) { return showError(THE_PARAMETER_IS_ILLEGAL) }
   if (!isComplexPath(path)) { return setValue(data, path, value) }
   var keys = combingPathKey({ path: path }).keys
   for (var i = 0, len = keys.length; i < len; i++) {
     var key = keys[i]
+    if (isPrototypePolluted(key)) { continue }
     if (data[key] == null) {
       data[key] = {}
     }
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "jsonuri",
-  "version": "2.4.1",
+  "version": "2.4.2",
   "description": "Use URI path to get or set data",
   "keywords": [
     "array",
diff --git a/src/methods/set.ts b/src/methods/set.ts
@@ -1,5 +1,12 @@
 import { THE_PARAMETER_IS_ILLEGAL, setValue, combingPathKey, isComplexPath, showError, toString } from '../util'
 
+/**
+ * Returns true, if given key is included in the blacklisted
+ * keys.
+ * @param key key for check, string.
+ */
+const isPrototypePolluted = (key: string): Boolean => ['__proto__', 'prototype', 'constructor'].includes(key)
+
 export default (data: any, path: string | number, value: any): void => {
   path = toString(path)
   if (!(data && path)) return showError(THE_PARAMETER_IS_ILLEGAL)
@@ -10,6 +17,8 @@ export default (data: any, path: string | number, value: any): void => {
   for (let i = 0, len = keys.length; i < len; i++) {
     let key = keys[i]
 
+    if (isPrototypePolluted(key)) continue
+
     if (data[key] == null) {
       data[key] = {}
     }
diff --git a/test/spec/set_spec.js b/test/spec/set_spec.js
@@ -128,4 +128,10 @@ describe('jsonuri.set', () => {
     jsonuri.set(o, 5, 1)
     expect(o).toEqual([undefined, undefined, undefined, undefined, undefined, 1])
   })
+  // ==========
+  it('check prototype pollution', () => {
+    jsonuri.set(obj, '__proto__/polluted', 'Yes! Its Polluted')
+    expect(obj.polluted).toEqual('Yes! Its Polluted')
+    expect({}.polluted).toEqual(undefined)
+  })
 })
diff --git a/www/index.html b/www/index.html
@@ -4,7 +4,7 @@
   <meta charset="UTF-8">
   <title>JSON URI - A better way to manipulate data,friendly support Vue-like frameworks</title>
   <script src="//cdn.jsdelivr.net/npm/vue"></script>
-  <script src="//cdn.jsdelivr.net/npm/jsonuri@2.4.1/dist/index.min.js"></script>
+  <script src="//cdn.jsdelivr.net/npm/jsonuri@2.4.2/dist/index.min.js"></script>
 <style>
 *{margin: 0; padding: 0; font-family: monospace;}
 body{
@@ -190,7 +190,7 @@
 <body>
 <div style="display: none"><script src="https://s13.cnzz.com/z_stat.php?id=1273470337&web_id=1273470337" language="JavaScript"></script></div>
 <div class="tips">
-  jsonuri <a href="//www.npmjs.com/package/jsonuri">2.4.1</a> is now available. Download our latest version today!
+  jsonuri <a href="//www.npmjs.com/package/jsonuri">2.4.2</a> is now available. Download our latest version today!
 </div>
 <div style="width: 1100px; margin:0 auto; overflow: hidden;">
   <h1>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+engine-strict = true`
	`2`	`+registry = https://registry.npmjs.org/`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "jsonuri",`
`3`		`- "version": "2.4.1",`
	`3`	`+ "version": "2.4.2",`
`4`	`4`	`"description": "Use URI path to get or set data",`
`5`	`5`	`"keywords": [`
`6`	`6`	`"array",`