Upgrade latest packages; run npm audit fix; add logic to prevent prototype pollution in parseNested

4 years ago · d81bee9bc0
parent e9848fc1b5
commit d81bee9bc0
4 changed files with 518 additions and 503 deletions
--- a/lib/processNested.js
+++ b/lib/processNested.js
@ -1,3 +1,5 @@
+const INVALID_KEYS = ['__proto__'];
+
 module.exports = function(data){
  if (!data || data.length < 1) return {};
  
@ -11,10 +13,16 @@ module.exports = function(data){
      keyParts = key
        .replace(new RegExp(/\[/g), '.')
        .replace(new RegExp(/\]/g), '')
-        .split('.');
-  
+        .split('.');  
+
    for (let index = 0; index < keyParts.length; index++){
      let k = keyParts[index];
+
+      // Ensure we don't allow prototype pollution
+      if (INVALID_KEYS.includes(k)) {
+        continue;
+      }
+
      if (index >= keyParts.length - 1){
        current[k] = value;
      } else {
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -30,11 +30,11 @@
  "devDependencies": {
    "body-parser": "^1.19.0",
    "coveralls": "^3.0.14",
-    "eslint": "^6.8.0",
+    "eslint": "^7.5.0",
    "express": "^4.17.1",
    "istanbul": "^0.4.5",
    "md5": "^2.2.1",
-    "mocha": "^7.2.0",
+    "mocha": "^8.0.1",
    "rimraf": "^3.0.2",
    "supertest": "^4.0.2"
  }
--- a/test/processNested.spec.js
+++ b/test/processNested.spec.js
@ -45,4 +45,13 @@ describe('Test Convert Flatten object to Nested object', function() {

    assert.deepEqual(processed, excerpt);
  });
+
+  it('Do not allow prototype pollution', () => {
+    const pollutionOb = JSON.parse(`{"__proto__.POLLUTED": "FOOBAR"}`);
+
+    processNested(pollutionOb);
+
+    // eslint-disable-next-line no-undef
+    assert.equal(global.POLLUTED, undefined);
+  });
 });