Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: __proto__ will now be replaced with ___proto___ in parse #1591

Merged
merged 2 commits into from Mar 16, 2020
Merged

fix: __proto__ will now be replaced with ___proto___ in parse #1591

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dde3e2e
fix: __proto__ will now be replaced with ___proto___ in parse
bcoe Mar 12, 2020
a1193a3
chore: update yargs-parser
bcoe Mar 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Expand Up @@ -29,7 +29,7 @@
"string-width": "^4.2.0",
"which-module": "^2.0.0",
"y18n": "^4.0.0",
"yargs-parser": "^18.1.0"
"yargs-parser": "^18.1.1"
},
"devDependencies": {
"c8": "^7.0.0",
Expand Down
31 changes: 31 additions & 0 deletions test/yargs.js
View file
Open in desktop
Expand Up @@ -2500,4 +2500,35 @@ describe('yargs dsl tests', () => {
})
})
})

// See: https://github.com/nodejs/node/issues/31951
describe('should not pollute the prototype', () => {
it('does not pollute, when .parse() is called', function () {
yargs.parse(['-f.__proto__.foo', '99', '-x.y.__proto__.bar', '100', '--__proto__', '200'])
Object.keys({}.__proto__).length.should.equal(0) // eslint-disable-line
expect({}.foo).to.equal(undefined)
expect({}.bar).to.equal(undefined)
})

it('does not pollute, when .argv is called', function () {
yargs(['-f.__proto__.foo', '99', '-x.y.__proto__.bar', '100', '--__proto__', '200']).argv // eslint-disable-line
Object.keys({}.__proto__).length.should.equal(0) // eslint-disable-line
expect({}.foo).to.equal(undefined)
expect({}.bar).to.equal(undefined)
})

// TODO(bcoe): due to replacement of __proto__ with ___proto___ parser
// hints are not properly applied, we should move to an alternate approach
// in the future:
it('does not pollute, when options are set', function () {
yargs
.option('__proto__', {
describe: 'pollute pollute',
nargs: 33
})
.default('__proto__', { hello: 'world' })
.parse(['--foo'])
Object.keys({}.__proto__).length.should.equal(0) // eslint-disable-line
})
})
})
11 changes: 10 additions & 1 deletion yargs.js
View file
Open in desktop
Expand Up @@ -259,6 +259,7 @@ function Yargs (processArgs, cwd, parentRequire) {
function populateParserHintArray (type, keys, value) {
keys = [].concat(keys)
keys.forEach((key) => {
key = sanitizeKey(key)
options[type].push(key)
})
}
Expand Down Expand Up @@ -314,8 +315,8 @@ function Yargs (processArgs, cwd, parentRequire) {

function populateParserHintObject (builder, isArray, type, key, value) {
if (Array.isArray(key)) {
const temp = Object.create(null)
// an array of keys with one value ['x', 'y', 'z'], function parse () {}
const temp = {}
key.forEach((k) => {
temp[k] = value
})
Expand All @@ -326,6 +327,7 @@ function Yargs (processArgs, cwd, parentRequire) {
builder(k, key[k])
})
} else {
key = sanitizeKey(key)
// a single key value pair 'x', parse() {}
if (isArray) {
options[type][key] = (options[type][key] || []).concat(value)
Expand All @@ -335,6 +337,13 @@ function Yargs (processArgs, cwd, parentRequire) {
}
}

// TODO(bcoe): in future major versions move more objects towards
// Object.create(null):
function sanitizeKey (key) {
if (key === '__proto__') return '___proto___'
return key
}

function deleteFromParserHintObject (optionKey) {
// delete from all parsing hints:
// boolean, array, key, alias, etc.
Expand Down