mattphillips · mattphillips · Nov 12, 2022 · Nov 12, 2022 · Nov 12, 2022
diff --git a/src/added.js b/src/added.js
@@ -1,25 +1,23 @@
-import { isEmpty, isObject, hasOwnProperty } from './utils.js';
+import { isEmpty, isObject, hasOwnProperty, makeObjectWithoutPrototype } from './utils.js';
 
 const addedDiff = (lhs, rhs) => {
 
   if (lhs === rhs || !isObject(lhs) || !isObject(rhs)) return {};
 
-  const l = lhs;
-  const r = rhs;
 
-  return Object.keys(r).reduce((acc, key) => {
-    if (hasOwnProperty(l, key)) {
-      const difference = addedDiff(l[key], r[key]);
+  return Object.keys(rhs).reduce((acc, key) => {
+    if (hasOwnProperty(lhs, key)) {
+      const difference = addedDiff(lhs[key], rhs[key]);
 
       if (isObject(difference) && isEmpty(difference)) return acc;
 
       acc[key] = difference;
       return acc;
     }
 
-    acc[key] = r[key];
+    acc[key] = rhs[key];
     return acc;
-  }, {});
+  }, makeObjectWithoutPrototype());
 };
 
 export default addedDiff;
diff --git a/src/deleted.js b/src/deleted.js
@@ -1,14 +1,11 @@
-import { isEmpty, isObject, hasOwnProperty } from './utils.js';
+import { isEmpty, isObject, hasOwnProperty, makeObjectWithoutPrototype } from './utils.js';
 
 const deletedDiff = (lhs, rhs) => {
   if (lhs === rhs || !isObject(lhs) || !isObject(rhs)) return {};
 
-  const l = lhs;
-  const r = rhs;
-
-  return Object.keys(l).reduce((acc, key) => {
-    if (hasOwnProperty(r, key)) {
-      const difference = deletedDiff(l[key], r[key]);
+  return Object.keys(lhs).reduce((acc, key) => {
+    if (hasOwnProperty(rhs, key)) {
+      const difference = deletedDiff(lhs[key], rhs[key]);
 
       if (isObject(difference) && isEmpty(difference)) return acc;
 
@@ -18,7 +15,7 @@ const deletedDiff = (lhs, rhs) => {
 
     acc[key] = undefined;
     return acc;
-  }, {});
+  }, makeObjectWithoutPrototype());
 };
 
 export default deletedDiff;
diff --git a/src/diff.js b/src/diff.js
@@ -1,37 +1,34 @@
-import { isDate, isEmptyObject, isObject, hasOwnProperty } from './utils.js';
+import { isDate, isEmptyObject, isObject, hasOwnProperty, makeObjectWithoutPrototype } from './utils.js';
 
 const diff = (lhs, rhs) => {
   if (lhs === rhs) return {}; // equal return no diff
 
   if (!isObject(lhs) || !isObject(rhs)) return rhs; // return updated rhs
 
-  const l = lhs;
-  const r = rhs;
-
-  const deletedValues = Object.keys(l).reduce((acc, key) => {
-    if (!hasOwnProperty(r, key)) {
+  const deletedValues = Object.keys(lhs).reduce((acc, key) => {
+    if (!hasOwnProperty(rhs, key)) {
       acc[key] = undefined;
 
     }
 
     return acc;
-  }, {});
+  }, makeObjectWithoutPrototype());
 
-  if (isDate(l) || isDate(r)) {
-    if (l.valueOf() == r.valueOf()) return {};
-    return r;
+  if (isDate(lhs) || isDate(rhs)) {
+    if (lhs.valueOf() == rhs.valueOf()) return {};
+    return rhs;
   }
 
-  return Object.keys(r).reduce((acc, key) => {
-    if (!hasOwnProperty(l, key)){
-      acc[key] = r[key]; // return added r key
+  return Object.keys(rhs).reduce((acc, key) => {
+    if (!hasOwnProperty(lhs, key)){
+      acc[key] = rhs[key]; // return added r key
       return acc;
     } 
 
-    const difference = diff(l[key], r[key]);
+    const difference = diff(lhs[key], rhs[key]);
 
     // If the difference is empty, and the lhs is an empty object or the rhs is not an empty object
-    if (isEmptyObject(difference) && !isDate(difference) && (isEmptyObject(l[key]) || !isEmptyObject(r[key])))
+    if (isEmptyObject(difference) && !isDate(difference) && (isEmptyObject(lhs[key]) || !isEmptyObject(rhs[key])))
       return acc; // return no diff
 
     acc[key] = difference // return updated key

diff --git a/src/updated.js b/src/updated.js
@@ -1,32 +1,29 @@
-import { isDate, isEmptyObject, isObject, hasOwnProperty } from './utils.js';
+import { isDate, isEmptyObject, isObject, hasOwnProperty, makeObjectWithoutPrototype } from './utils.js';
 
 const updatedDiff = (lhs, rhs) => {
   if (lhs === rhs) return {};
 
   if (!isObject(lhs) || !isObject(rhs)) return rhs;
 
-  const l = lhs;
-  const r = rhs;
-
-  if (isDate(l) || isDate(r)) {
-    if (l.valueOf() == r.valueOf()) return {};
-    return r;
+  if (isDate(lhs) || isDate(rhs)) {
+    if (lhs.valueOf() == rhs.valueOf()) return {};
+    return rhs;
   }
 
-  return Object.keys(r).reduce((acc, key) => {
-    if (hasOwnProperty(l, key)) {
-      const difference = updatedDiff(l[key], r[key]);
+  return Object.keys(rhs).reduce((acc, key) => {
+    if (hasOwnProperty(lhs, key)) {
+      const difference = updatedDiff(lhs[key], rhs[key]);
 
       // If the difference is empty, and the lhs is an empty object or the rhs is not an empty object
-      if (isEmptyObject(difference) && !isDate(difference) && (isEmptyObject(l[key]) || !isEmptyObject(r[key])))
+      if (isEmptyObject(difference) && !isDate(difference) && (isEmptyObject(lhs[key]) || !isEmptyObject(rhs[key])))
         return acc; // return no diff
 
       acc[key] = difference;
       return acc;
     }
 
     return acc;
-  }, {});
+  }, makeObjectWithoutPrototype());
 };
 
 export default updatedDiff;
diff --git a/src/utils.js b/src/utils.js
@@ -3,3 +3,4 @@ export const isEmpty = o => Object.keys(o).length === 0;
 export const isObject = o => o != null && typeof o === 'object';
 export const hasOwnProperty = (o, ...args) => Object.prototype.hasOwnProperty.call(o, ...args)
 export const isEmptyObject = (o) => isObject(o) && isEmpty(o);
+export const makeObjectWithoutPrototype = () => Object.create(null);
diff --git a/test/pollution.test.js b/test/pollution.test.js
@@ -1,85 +1,70 @@
 import addedDiff from "../src/added";
+import updatedDiff from "../src/updated";
+import diff from "../src/diff";
+import deletedDiff from "../src/deleted";
 
 describe("Prototype pollution", () => {
-  test("Demonstrate prototype pollution globally across all objects", () => {
-    const a = {};
-    const b = new Object();
-
-    expect(a.hello).toBeUndefined();
-    expect(b.hello).toBeUndefined();
-    expect({}.hello).toBeUndefined();
-
-    b.__proto__.hello = "world";
-
-    expect(a.hello).toBe("world");
-    expect(b.hello).toBe("world");
-    expect({}.hello).toBe("world");
+  describe("diff", () => {
+    test("should not pollute returned diffs prototype", () => {
+      const l = { role: "user" };
+      const r = JSON.parse('{ "role": "user", "__proto__": { "role": "admin" } }');
+      const difference = diff(l, r);
+
+      expect(l.role).toBe("user");
+      expect(r.role).toBe("user");
+      expect(difference.role).toBeUndefined();
+    });
+
+    test("should not pollute returned diffs prototype on nested diffs", () => {
+      const l = { about: { role: "user" } };
+      const r = JSON.parse('{ "about": { "__proto__": { "role": "admin" } } }');
+      const difference = addedDiff(l, r);
+
+      expect(l.about.role).toBe("user");
+      expect(r.about.role).toBeUndefined();
+      expect(difference.about.role).toBeUndefined();
+    });
   });
 
-  test("addedDiff does not pollute global prototype when running diff with added `__proto__` key", () => {
-    const a = { role: "user" };
-    const b = JSON.parse('{ "__proto__": { "role": "admin" } }');
-
-    expect(a.role).toBe("user");
-    expect(a.__proto__.role).toBeUndefined();
-    expect(b.role).toBeUndefined();
-    expect(b.__proto__.role).toBe("admin");
-    expect({}.role).toBeUndefined();
-    expect({}.__proto__role).toBeUndefined();
-
-    const difference = addedDiff(a, b);
-
-    expect(a.role).toBe("user");
-    expect(a.__proto__.role).toBeUndefined();
-    expect(b.__proto__.role).toBe("admin");
-    expect(b.role).toBeUndefined();
-    expect({}.role).toBeUndefined();
-    expect({}.__proto__role).toBeUndefined();
-
-    expect(difference).toEqual({ __proto__: { role: "admin" } });
+  describe("addedDiff", () => {
+    test("addedDiff should not pollute returned diffs prototype", () => {
+      const l = { role: "user" };
+      const r = JSON.parse('{ "__proto__": { "role": "admin" } }');
+      const difference = addedDiff(l, r);
+
+      expect(l.role).toBe("user");
+      expect(r.role).toBeUndefined();
+      expect(difference.role).toBeUndefined();
+    });
+
+    test("should not pollute returned diffs prototype on nested diffs", () => {
+      const l = { about: { role: "user" } };
+      const r = JSON.parse('{ "about": { "__proto__": { "role": "admin" } } }');
+      const difference = addedDiff(l, r);
+
+      expect(l.about.role).toBe("user");
+      expect(r.about.role).toBeUndefined();
+      expect(difference.about.role).toBeUndefined();
+    });
   });
 
-  test("addedDiff does not pollute global prototype when running diff with added `__proto__` key generated from JSON.parse and mutating original left hand object", () => {
-    let a = { role: "user" };
-    // Note: Don't trust `JSON.parse`!!!
-    const b = JSON.parse('{ "__proto__": { "role": "admin" } }');
-
-    expect(a.role).toBe("user");
-    expect(a.__proto__.role).toBeUndefined();
-    expect(b.role).toBeUndefined();
-    expect(b.__proto__.role).toBe("admin");
-    expect({}.role).toBeUndefined();
-    expect({}.__proto__role).toBeUndefined();
-
-    // Note: although this does not pollute the global proto, it does pollute the original object. (Don't mutate kids!)
-    a = addedDiff(a, b);
+  test("updatedDiff should not pollute returned diffs prototype", () => {
+    const l = { role: "user" };
+    const r = JSON.parse('{ "role": "user", "__proto__": { "role": "admin" } }');
+    const difference = updatedDiff(l, r);
 
-    expect(a.role).toBe("admin");
-    expect(a.__proto__.role).toBe("admin");
-    expect(b.__proto__.role).toBe("admin");
-    expect(b.role).toBeUndefined();
-    expect({}.role).toBeUndefined();
-    expect({}.__proto__role).toBeUndefined();
+    expect(l.role).toBe("user");
+    expect(r.role).toBe("user");
+    expect(difference.role).toBeUndefined();
   });
 
-  test("addedDiff does not pollute global prototype or original object when running diff with added `__proto__` key", () => {
-    let a = { role: "user" };
-    const b = { __proto__: { role: "admin" } };
-
-    expect(a.role).toBe("user");
-    expect(a.__proto__.role).toBeUndefined();
-    expect(b.role).toBe("admin");
-    expect(b.__proto__.role).toBe("admin");
-    expect({}.role).toBeUndefined();
-    expect({}.__proto__role).toBeUndefined();
-
-    a = addedDiff(a, b);
+  test("deletedDiff should not pollute returned diffs prototype", () => {
+    const l = { role: "user" };
+    const r = JSON.parse('{ "__proto__": { "role": "admin" } }');
+    const difference = deletedDiff(l, r);
 
-    expect(a.role).toBeUndefined();
-    expect(a.__proto__.role).toBeUndefined();
-    expect(b.role).toBe("admin");
-    expect(b.__proto__.role).toBe("admin");
-    expect({}.role).toBeUndefined();
-    expect({}.__proto__role).toBeUndefined();
+    expect(l.role).toBe("user");
+    expect(r.role).toBeUndefined();
+    expect(difference.role).toBeUndefined();
   });
 });