
Commit 027457f

committed
fix-prototype-pollution
1 parent b67e402 commit 027457f

2 files changed

Lines changed: 52 additions & 3 deletions


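--- a/jsonpointer.js
+++ b/jsonpointer.js
@@ -17,10 +17,9 @@ function setter (obj, pointer, value) {
 var part
 var hasNextPart
 
-if (pointer[1] === 'constructor' && pointer[2] === 'prototype') return obj
-if (pointer[1] === '__proto__') return obj
-
 for (var p = 1, len = pointer.length; p < len;) {
+if (pointer[p] === 'constructor' || pointer[p] === 'prototype' || pointer[p] === '__proto__') return obj
+
 part = untilde(pointer[p++])
 hasNextPart = len > p
 
@@ -53,6 +52,11 @@ function compilePointer (pointer) {
 if (pointer[0] === '') return pointer
 throw new Error('Invalid JSON pointer.')
 } else if (Array.isArray(pointer)) {
+pointer.forEach(function (part, i) {
+if (typeof part !== 'string' && typeof part !== 'number') {
+pointer[i] = '' + part
+}
+})
 return pointer
 }
 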
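Review bot: The guard added at new line 21 of `setter` refuses the pointer from inside the traversal loop with a bare `return obj`, so a pointer such as `/foo/__proto__/boo` has probably already had its earlier segments applied to the target before the return, and the caller cannot tell a refused write from a completed one. The rest of the loop body is outside the hunk, so the partial write is inferred rather than shown. Running the same three-name comparison over every segment before the loop starts would make rejection all-or-nothing. The check also makes ordinary data keys named `constructor` or `prototype` unsettable at any depth, which deserves a comment above it such as `// refuse any segment that can reach Object.prototype; this also blocks plain keys named constructor/prototype`.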

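--- a/test.js
+++ b/test.js
@@ -136,4 +136,49 @@ var c = {}
 jsonpointer.set({}, '/__proto__/boo', 'polluted')
 assert(!c.boo, 'should not boo')
 
+var d = {}
+jsonpointer.set({}, '/foo/__proto__/boo', 'polluted')
+assert(!d.boo, 'should not boo')
+
+jsonpointer.set({}, '/foo/__proto__/__proto__/boo', 'polluted')
+assert(!d.boo, 'should not boo')
+
+var e = {}
+jsonpointer.set({}, '/constructor/prototype/boo', 'polluted')
+assert(!e.boo, 'should not boo')
+
+jsonpointer.set({}, '/foo/constructor/prototype/boo', 'polluted')
+assert(!e.boo, 'should not boo')
+
+jsonpointer.set({}, '/foo/constructor/constructor/prototype/boo', 'polluted')
+assert(!e.boo, 'should not boo')
+
+var f = {}
+jsonpointer.set({}, [['__proto__'], 'boo'], 'polluted')
+assert(!f.boo, 'should not f.boo')
+
+jsonpointer.set({}, [[['__proto__']], 'boo'], 'polluted')
+assert(!f.boo, 'should not f.boo')
+
+jsonpointer.set({}, [['__proto__'], ['__proto__'], 'boo'], 'polluted')
+assert(!f.boo, 'should not f.boo')
+
+jsonpointer.set({}, [[['__proto__']], [['__proto__']], 'boo'], 'polluted')
+assert(!f.boo, 'should not f.boo')
+
+jsonpointer.set({}, [['__proto__'], ['__proto__'], ['__proto__'], 'boo'], 'polluted')
+assert(!f.boo, 'should not f.boo')
+
+jsonpointer.set({}, [['foo'], ['__proto__'], 'boo'], 'polluted')
+assert(!f.boo, 'should not boo')
+
+jsonpointer.set({}, [['foo'], ['__proto__'], ['__proto__'], 'boo'], 'polluted')
+assert(!f.boo, 'should not boo')
+
+jsonpointer.set({}, [['constructor'], ['prototype'], 'boo'], 'polluted')
+assert(!f.boo, 'should not boo')
+
+jsonpointer.set({}, [['constructor'], ['constructor'], ['prototype'], 'boo'], 'polluted')
+assert(!f.boo, 'should not boo')
+
 console.log('All tests pass.')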
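Review bot: Every added case passes a throwaway `{}` literal as the target and asserts only on a separate object (`d`, `e`, `f`), so the suite proves `Object.prototype` stays clean but pins nothing about the target or the value `set` returns for a refused pointer. Holding the target in a variable, e.g. `var t = {}; jsonpointer.set(t, '/foo/__proto__/boo', 'polluted')`, and then asserting on `Object.keys(t)` would record whether a refused pointer may leave intermediate keys behind. The assertion messages also alternate between `'should not boo'` and `'should not f.boo'` for the same variable; one message per case, naming the pointer under test, would make a failure easier to locate.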
