Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ban prototype pollution and document it #219

Merged
merged 3 commits into from Mar 27, 2019
Merged

Ban prototype pollution and document it #219

merged 3 commits into from Mar 27, 2019

Conversation

alshakero
Copy link
Collaborator

fixes #216

@alshakero alshakero mentioned this pull request Jan 4, 2019
Closed
tomalec
tomalec requested changes Jan 9, 2019
View reviewed changes
dist/fast-json-patch.js
@@ -504,7 +511,7 @@ function applyPatch(document, patch, validateOperation, mutateDocument) {
}
var results = new Array(patch.length);
for (var i = 0, length_1 = patch.length; i < length_1; i++) {
results[i] = applyOperation(document, patch[i], validateOperation);
results[i] = applyOperation(document, patch[i], validateOperation, true, banPrototypeModifications);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cosmetics,
You can consider explaining why you hard-code one parameter and forward the others, as it caused me to think for a second.
Like, "mutateDocument was already covered for the entire sequence, we will apply operations on cloned document if applicable"

test/spec/coreSpec.js Outdated
@@ -1910,5 +1916,56 @@ describe('undefined - JS to JSON projection / JSON to JS extension', function()
bar: null
});
});

it(`should allow __proto__ modifications when the flag is set`, function() {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To me more descriptive

Suggested change
it(`should allow __proto__ modifications when the flag is set`, function() {
it(`should allow __proto__ modifications when the mutateDocument flag is set`, function() {

test/spec/coreSpec.js Outdated
expect(otherDoc.x).toEqual('polluted');
});

it(`should not allow __proto__ modifications without setting the flag and should throw an error`, function() {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
it(`should not allow __proto__ modifications without setting the flag and should throw an error`, function() {
it(`should not allow __proto__ modifications without setting the mutateDocument flag and should throw an error`, function() {

test/spec/coreSpec.js Outdated
jsonpatch.applyPatch(doc, patch);
} catch (e) {
expect(e.message).toEqual(expectedErrorMessage);
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you considered expect(()=>{jsonpatch.applyPatch(doc, patch)}).to.throw(TypeError, expectedErrorMessage); to make test easier to read, and check for the error type as well?
https://www.chaijs.com/api/bdd/#method_throw

I'm afraid the code above would pass the test if jsonpatch.applyPatch(doc, patch); does not throw at all, as then the expect function is not called either.

@warpech
Copy link
Collaborator

warpech commented Mar 27, 2019
edited

Please consider that PR #221 also proposes to change the signature of the method applyOperation

@alshakero
Copy link
Collaborator Author

Addressed all and tests are passing. merging.

@alshakero alshakero merged commit c9939b4 into master Mar 27, 2019
@alshakero alshakero deleted the ban-proto-edits branch March 27, 2019 15:24
@snyk-bot snyk-bot mentioned this pull request Mar 26, 2020
Closed
@snyk-bot snyk-bot mentioned this pull request Apr 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomalec tomalec tomalec requested changes

@warpech warpech Awaiting requested review from warpech

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Prevent prototype injection
3 participants
@alshakero @warpech @tomalec