Commitc914124

committed

feat: patch 4.2.0 with fixes forCVE-2020-8116

1 parent70f7ed8 commitc914124Copy full SHA for c914124

File tree

+32

-5

lines changed

+32

-5

lines changed

Lines changed: 1 addition & 1 deletion

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,14 @@`
`1`	`1`	`'use strict';`
`2`	`2`	`constisObj=require('is-obj');`
`3`	`3`
	`4`	`+constdisallowedKeys=[`
	`5`	`+'__proto__',`
	`6`	`+'prototype',`
	`7`	`+'constructor'`
	`8`	`+];`
	`9`	`+`
	`10`	`+constisValidPath=pathSegments=>!pathSegments.some(segment=>disallowedKeys.includes(segment));`
	`11`	`+`
`4`	`12`	`functiongetPathSegments(path){`
`5`	`13`	`constpathArr=path.split('.');`
`6`	`14`	`constparts=[];`
`@@ -16,6 +24,10 @@ function getPathSegments(path) {`
`16`	`24`	`parts.push(p);`
`17`	`25`	`}`
`18`	`26`
	`27`	`+if(!isValidPath(parts)){`
	`28`	`+return[];`
	`29`	`+}`
	`30`	`+`
`19`	`31`	`returnparts;`
`20`	`32`	`}`
`21`	`33`
`@@ -26,6 +38,9 @@ module.exports = {`
`26`	`38`	`}`
`27`	`39`
`28`	`40`	`constpathArr=getPathSegments(path);`
	`41`	`+if(pathArr.length===0){`
	`42`	`+return;`
	`43`	`+}`
`29`	`44`
`30`	`45`	`for(leti=0;i<pathArr.length;i++){`
`31`	`46`	`if(!Object.prototype.propertyIsEnumerable.call(obj,pathArr[i])){`
`@@ -58,6 +73,9 @@ module.exports = {`
`58`	`73`
`59`	`74`	`constroot=obj;`
`60`	`75`	`constpathArr=getPathSegments(path);`
	`76`	`+if(pathArr.length===0){`
	`77`	`+return;`
	`78`	`+}`
`61`	`79`
`62`	`80`	`for(leti=0;i<pathArr.length;i++){`
`63`	`81`	`constp=pathArr[i];`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name":"dot-prop",`
`3`		`-"version":"4.2.0",`
	`3`	`+"version":"4.2.1",`
`4`	`4`	`"description":"Get, set, or delete a property from a nested object using a dot path",`
`5`	`5`	`"license":"MIT",`
`6`	`6`	`"repository":"sindresorhus/dot-prop",`
`@@ -38,9 +38,9 @@`
`38`	`38`	`"is-obj":"^1.0.0"`
`39`	`39`	`},`
`40`	`40`	`"devDependencies": {`
`41`		`-"ava":"*",`
	`41`	`+"ava":"1.4.1",`
`42`	`42`	`"matcha":"^0.7.0",`
`43`		`-"xo":"*"`
	`43`	`+"xo":"0.24.0"`
`44`	`44`	`},`
`45`	`45`	`"xo": {`
`46`	`46`	`"esnext":true`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
`85`	`85`
`86`	`86`	Use`\\.` if you have a`.` in the key.
`87`	`87`
	`88`	+The following path components are invalid and results in`undefined` being returned:`__proto__`,`prototype`,`constructor`.
	`89`	`+`
`88`	`90`	`####value`
`89`	`91`
`90`	`92`	Type:`any`

Lines changed: 8 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`importtestfrom'ava';`
`2`		`-importmfrom'./';`
	`2`	`+importmfrom'.';`
`3`	`3`
`4`	`4`	`test('get',t=>{`
`5`	`5`	`constf1={foo:{bar:1}};`
`@@ -199,3 +199,10 @@ test('has', t => {`
`199`	`199`	`t.is(m.has({'foo.baz':{bar:true}},'foo\\.baz.bar'),true);`
`200`	`200`	`t.is(m.has({'fo.ob.az':{bar:true}},'fo\\.ob\\.az.bar'),true);`
`201`	`201`	`});`
	`202`	`+`
	`203`	+test('prevent setting/getting `__proto__`',t=>{
	`204`	`+m.set({},'__proto__.unicorn','🦄');`
	`205`	`+t.not({}.unicorn,'🦄');// eslint-disable-line no-use-extend-native/no-use-extend-native`
	`206`	`+`
	`207`	`+t.is(m.get({},'__proto__'),undefined);`
	`208`	`+});`

Comments

(0)