Merge pull request #51 from dellalibera/fix-prototype-pollution

fix-prototype-pollution
janl · Oct 31, 2021 · a0345f3 · a0345f3
2 parents b67e402 + 00c9afe
commit a0345f3
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/jsonpointer.js b/jsonpointer.js
@@ -17,10 +17,9 @@ function setter (obj, pointer, value) {
   var part
   var hasNextPart
 
-  if (pointer[1] === 'constructor' && pointer[2] === 'prototype') return obj
-  if (pointer[1] === '__proto__') return obj
-
   for (var p = 1, len = pointer.length; p < len;) {
+    if (pointer[p] === 'constructor' || pointer[p] === 'prototype' || pointer[p] === '__proto__') return obj
+
     part = untilde(pointer[p++])
     hasNextPart = len > p
 
@@ -53,6 +52,11 @@ function compilePointer (pointer) {
     if (pointer[0] === '') return pointer
     throw new Error('Invalid JSON pointer.')
   } else if (Array.isArray(pointer)) {
+    for (const part of pointer) {
+      if (typeof part !== 'string' && typeof part !== 'number') {
+        throw new Error('Invalid JSON pointer. Must be of type string or number.')
+      }
+    }
     return pointer
   }
 

diff --git a/test.js b/test.js
@@ -136,4 +136,28 @@ var c = {}
 jsonpointer.set({}, '/__proto__/boo', 'polluted')
 assert(!c.boo, 'should not boo')
 
+var d = {}
+jsonpointer.set({}, '/foo/__proto__/boo', 'polluted')
+assert(!d.boo, 'should not boo')
+
+jsonpointer.set({}, '/foo/__proto__/__proto__/boo', 'polluted')
+assert(!d.boo, 'should not boo')
+
+var e = {}
+jsonpointer.set({}, '/foo/constructor/prototype/boo', 'polluted')
+assert(!e.boo, 'should not boo')
+
+jsonpointer.set({}, '/foo/constructor/constructor/prototype/boo', 'polluted')
+assert(!e.boo, 'should not boo')
+
+assert.throws(function () { jsonpointer.set({}, [['__proto__'], 'boo'], 'polluted')}, validateError)
+assert.throws(function () { jsonpointer.set({}, [[['__proto__']], 'boo'], 'polluted')}, validateError)
+assert.throws(function () { jsonpointer.set({}, [['__proto__'], ['__proto__'], 'boo'], 'polluted')}, validateError)
+assert.throws(function () { jsonpointer.set({}, [[['__proto__']], [['__proto__']], 'boo'], 'polluted')}, validateError)
+assert.throws(function () { jsonpointer.set({}, [['__proto__'], ['__proto__'], ['__proto__'], 'boo'], 'polluted')}, validateError)
+assert.throws(function () { jsonpointer.set({}, [['foo'], ['__proto__'], 'boo'], 'polluted')}, validateError)
+assert.throws(function () { jsonpointer.set({}, [['foo'], ['__proto__'], ['__proto__'], 'boo'], 'polluted')}, validateError)
+assert.throws(function () { jsonpointer.set({}, [['constructor'], ['prototype'], 'boo'], 'polluted')}, validateError)
+assert.throws(function () { jsonpointer.set({}, [['constructor'], ['constructor'], ['prototype'], 'boo'], 'polluted')}, validateError)
+
 console.log('All tests pass.')