fix: Use a null prototype object for this.files #766

Merged
merged 3 commits into from Jun 29, 2021
5 changes: 4 additions & 1 deletion lib/index.js
Expand Up @@ -19,7 +19,10 @@ function JSZip() {
// "folder/" : {...},
// "folder/data.txt" : {...}
// }
this.files = {};
// NOTE: we use a null prototype because we do not
// want filenames like "toString" coming from a zip file
// to overwrite methods and attributes in a normal Object.
this.files = Object.create(null);

this.comment = null;

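Review bot: the comment above `this.files = Object.create(null);` explains why the prototype is null but not what that costs callers. `files` no longer inherits `hasOwnProperty`, `toString` or any other `Object.prototype` method, so code that reads `zip.files` (as the new test does) and calls `zip.files.hasOwnProperty(name)` will throw a TypeError. Suggest one more line in the comment, and in the documentation for `files`, pointing callers to `Object.prototype.hasOwnProperty.call(zip.files, name)`.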
6 changes: 3 additions & 3 deletions lib/object.js
Expand Up @@ -179,16 +179,16 @@ var out = {
*/
forEach: function(cb) {
var filename, relativePath, file;
/* jshint ignore:start */
// ignore warning about unwanted properties because this.files is a null prototype object
for (filename in this.files) {
Contributor Author

@Stuk we could use for(filename of Object.keys(this.files)) { here instead, but it seems jszip is targeting es3 in jshintrc.

We could set this to es6 but I assume this would break for a number of users and you would want to avoid that?

This is the error that comes up if I change it:

   ./lib/object.js
    182 |        for (filename of Object.keys(this.files)) {
                               ^ 'for of' is available in ES6 (use 'esversion: 6') or Mozilla JS extensions (use moz).

Owner

Yeah, there's a bigger task for upgrading the tooling and browser compatibility for this library. The approach here looks good.

if (!this.files.hasOwnProperty(filename)) {
continue;
}
file = this.files[filename];
relativePath = filename.slice(this.root.length, filename.length);
if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root
cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn...
}
}
/* jshint ignore:end */
},

/**
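Review bot: in `forEach`, the `/* jshint ignore:start */` and `/* jshint ignore:end */` pair switches off every lint warning for the whole loop, and with the guard removed the loop is only correct while `this.files` is guaranteed to be a null prototype object. Replacing the removed check with `if (!Object.prototype.hasOwnProperty.call(this.files, filename)) { continue; }` keeps the `if`/`continue` shape the linter accepted before, needs no ignore block, and still filters inherited keys if `this.files` is ever assigned a plain object.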
13 changes: 13 additions & 0 deletions test/asserts/load.js
Expand Up @@ -17,6 +17,19 @@ QUnit.module("load", function () {
})['catch'](JSZipTestUtils.assertNoError);
});

JSZipTestUtils.testZipFile("Load files which shadow Object prototype methods", "ref/pollution.zip", function(assert, file) {
var done = assert.async();
assert.ok(typeof file === "string");
JSZip.loadAsync(file)
.then(function (zip) {
assert.notEqual(Object.getPrototypeOf(zip.files), zip.files.__proto__);
return zip.file("__proto__").async("string"); })
.then(function(result) {
assert.equal(result, "hello\n", "the zip was correctly read.");
done();
})['catch'](JSZipTestUtils.assertNoError);
});
Owner

I tried removing the Object.create(null) fix, to see if this test failed and it didn't, so I don't think this is actually catching the issue?

Contributor Author

That's a good point - but I'm not entirely sure how to test this change because essentially this change is about making sure toString / __proto__ / __constructor__ etc are not available in the first place.

I guess I could add a test that shows that toString raises an error - but I'm not sure how useful that would be in the long run?

The reasoning for this test specifically was to show that files with names that shadow standard Object method names can still be accessed correctly.


JSZipTestUtils.testZipFile("load(string) handles bytes > 255", "ref/all.zip", function(assert, file) {
var done = assert.async();
// the method used to load zip with ajax will remove the extra bits.
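Review bot: `assert.notEqual(Object.getPrototypeOf(zip.files), zip.files.__proto__);` compares two values without fixing either one, so it does not state the property this change introduces. Asserting `assert.strictEqual(Object.getPrototypeOf(zip.files), null)` and that `__proto__` is an own key of `zip.files` would pin it directly. The closing `})` after `.async("string");` also belongs on its own line, matching the neighbouring tests.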
Binary file added test/ref/pollution.zip
Binary file not shown.
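
The difference the review thread is trying to pin down in a test, as an added example that is not part of this pull request or of JSZip: the same entry names stored in a plain object and in a null prototype object. The functions `load`, `forInKeys` and `summarize` and the sample names are constructed for illustration.

```javascript
// Added illustration, not JSZip code. NAMES is a constructed sample of
// entry names such as an archive might contain.
var NAMES = ["__proto__", "toString", "folder/data.txt"];

// Store each name as a key, the way a name -> entry map is filled.
function load(nullProto) {
    var store = nullProto ? Object.create(null) : {};
    NAMES.forEach(function (name) {
        store[name] = { name: name };
    });
    return store;
}

// An unguarded for-in loop: visits own AND inherited enumerable keys.
function forInKeys(store) {
    var keys = [], k;
    for (k in store) {
        keys.push(k);
    }
    return keys.sort();
}

// Collect the observable properties a regression test could assert on.
function summarize(nullProto) {
    var store = load(nullProto);
    return {
        protoIsNull: Object.getPrototypeOf(store) === null,
        protoIsOwnKey: Object.prototype.hasOwnProperty.call(store, "__proto__"),
        ownKeys: Object.keys(store).sort().join(","),
        forInKeys: forInKeys(store).join(",")
    };
}

// Plain object: assigning "__proto__" runs the inherited setter, so the
// entry becomes the map's prototype instead of a key, and its "name"
// field then leaks into an unguarded for-in loop.
console.log("plain object  :", summarize(false));

// Null prototype: there is no setter to inherit, so "__proto__" is an
// ordinary own key and for-in sees exactly the three stored names.
console.log("null prototype:", summarize(true));
```
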