Merge pull request #60 from deleonio/fix/vulnerability-prototype-pollution

Fix Vulnerability - Ready

Author: keithamus

.gitignore

@@ -16,6 +16,7 @@ components
 node_modules
 npm-debug.log
 
+.nyc_output/
 coverage/
 
 pathval.js

.travis.yml

@@ -10,10 +10,10 @@ cache:
     - node_modules
 
 node_js:
-   - 0.10 # to be removed 2016-10-01
-   - 0.12 # to be removed 2016-12-31
-   - 4 # to be removed 2018-04-01
-   - 6 # to be removed 2019-04-01
+  #  - 0.10 # to be removed 2016-10-01
+  #  - 0.12 # to be removed 2016-12-31
+  #  - 4 # to be removed 2018-04-01
+  #  - 6 # to be removed 2019-04-01
    - lts/* # safety net; don't remove
    - node # safety net; don't remove
 

index.js

@@ -76,13 +76,20 @@ function parsePath(path) {
   var str = path.replace(/([^\\])\[/g, '$1.[');
   var parts = str.match(/(\\\.|[^.]+?)+/g);
   return parts.map(function mapMatches(value) {
+    if (
+      value === 'constructor' ||
+      value === '__proto__' ||
+      value === 'prototype'
+    ) {
+      return {};
+    }
     var regexp = /^\[(\d+)\]$/;
     var mArr = regexp.exec(value);
     var parsed = null;
     if (mArr) {
       parsed = { i: parseFloat(mArr[1]) };
     } else {
-      parsed = { p: value.replace(/\\([.\[\]])/g, '$1') };
+      parsed = { p: value.replace(/\\([.[\]])/g, '$1') };
     }
 
     return parsed;
@@ -107,7 +114,7 @@ function parsePath(path) {
 function internalGetPathValue(obj, parsed, pathDepth) {
   var temporaryValue = obj;
   var res = null;
-  pathDepth = (typeof pathDepth === 'undefined' ? parsed.length : pathDepth);
+  pathDepth = typeof pathDepth === 'undefined' ? parsed.length : pathDepth;
 
   for (var i = 0; i < pathDepth; i++) {
     var part = parsed[i];
@@ -118,7 +125,7 @@ function internalGetPathValue(obj, parsed, pathDepth) {
         temporaryValue = temporaryValue[part.p];
       }
 
-      if (i === (pathDepth - 1)) {
+      if (i === pathDepth - 1) {
         res = temporaryValue;
       }
     }
@@ -152,7 +159,7 @@ function internalSetPathValue(obj, val, parsed) {
     part = parsed[i];
 
     // If it's the last part of the path, we set the 'propName' value with the property name
-    if (i === (pathDepth - 1)) {
+    if (i === pathDepth - 1) {
       propName = typeof part.p === 'undefined' ? part.i : part.p;
       // Now we set the property with the name held by 'propName' on object with the desired val
       tempObj[propName] = val;
@@ -199,7 +206,10 @@ function getPathInfo(obj, path) {
   var parsed = parsePath(path);
   var last = parsed[parsed.length - 1];
   var info = {
-    parent: parsed.length > 1 ? internalGetPathValue(obj, parsed, parsed.length - 1) : obj,
+    parent:
+      parsed.length > 1 ?
+        internalGetPathValue(obj, parsed, parsed.length - 1) :
+        obj,
     name: last.p || last.i,
     value: internalGetPathValue(obj, parsed),
   };

karma.conf.js

@@ -1,11 +1,12 @@
+/* eslint no-process-env: "off" */
+
 'use strict';
+
 var packageJson = require('./package.json');
 var defaultTimeout = 120000;
 var browserifyIstanbul = require('browserify-istanbul');
 module.exports = function configureKarma(config) {
-  var localBrowsers = [
-    'PhantomJS',
-  ];
+  var localBrowsers = [ 'PhantomJS' ];
   var sauceLabsBrowsers = {
     SauceChromeLatest: {
       base: 'SauceLabs',
@@ -41,7 +42,9 @@ module.exports = function configureKarma(config) {
   config.set({
     basePath: '',
     browsers: localBrowsers,
-    logLevel: process.env.npm_config_debug ? config.LOG_DEBUG : config.LOG_INFO,
+    logLevel: process.env.npm_config_debug ?
+      config.LOG_DEBUG :
+      config.LOG_INFO,
     frameworks: [ 'browserify', 'mocha' ],
     files: [ 'test/*.js' ],
     exclude: [],
@@ -51,9 +54,7 @@ module.exports = function configureKarma(config) {
     browserify: {
       debug: true,
       bare: true,
-      transform: [
-        browserifyIstanbul({ ignore: [ '**/node_modules/**', '**/test/**' ] }),
-      ],
+      transform: [ browserifyIstanbul({ ignore: [ '**/node_modules/**', '**/test/**' ] }) ],
     },
     reporters: [ 'progress', 'coverage' ],
     coverageReporter: {
@@ -82,14 +83,11 @@ module.exports = function configureKarma(config) {
       browsers: localBrowsers.concat(Object.keys(sauceLabsBrowsers)),
       sauceLabs: {
         testName: packageJson.name,
-        tunnelIdentifier: process.env.TRAVIS_JOB_NUMBER || new Date().getTime(),
+        tunnelIdentifier:
+          process.env.TRAVIS_JOB_NUMBER || new Date().getTime(),
         recordVideo: true,
-        startConnect: ('TRAVIS' in process.env) === false,
-        tags: [
-          'pathval_' + packageJson.version,
-          process.env.SAUCE_USERNAME + '@' + branch,
-          build,
-        ],
+        startConnect: 'TRAVIS' in process.env === false,
+        tags: [ 'pathval_' + packageJson.version, process.env.SAUCE_USERNAME + '@' + branch, build ],
       },
     });
   }

package-lock.json

@@ -19,14 +19,15 @@
     "url": "git+ssh://git@github.com/chaijs/pathval.git"
   },
   "scripts": {
-    "build": "browserify --bare $npm_package_main --standalone pathval -o pathval.js",
+    "build": "browserify --standalone pathval -o pathval.js",
     "lint": "eslint --ignore-path .gitignore .",
+    "lint:fix": "npm run lint -- --fix",
     "prepublish": "npm run build",
     "semantic-release": "semantic-release pre && npm publish && semantic-release post",
     "pretest": "npm run lint",
     "test": "npm run test:node && npm run test:browser && npm run upload-coverage",
     "test:browser": "karma start --singleRun=true",
-    "test:node": "istanbul cover _mocha",
+    "test:node": "nyc mocha",
     "upload-coverage": "lcov-result-merger 'coverage/**/lcov.info' | coveralls; exit 0"
   },
   "config": {
@@ -50,27 +51,27 @@
     }
   },
   "devDependencies": {
-    "browserify": "^13.0.0",
-    "browserify-istanbul": "^1.0.0",
-    "coveralls": "2.11.9",
-    "eslint": "^2.4.0",
-    "eslint-config-strict": "^8.5.0",
-    "eslint-plugin-filenames": "^0.2.0",
-    "ghooks": "^1.0.1",
-    "istanbul": "^0.4.2",
-    "karma": "^0.13.22",
-    "karma-browserify": "^5.0.2",
-    "karma-coverage": "^0.5.5",
-    "karma-mocha": "^0.2.2",
-    "karma-phantomjs-launcher": "^1.0.0",
-    "karma-sauce-launcher": "^0.3.1",
-    "lcov-result-merger": "^1.0.2",
-    "mocha": "^3.1.2",
-    "phantomjs-prebuilt": "^2.1.5",
-    "semantic-release": "^4.3.5",
+    "browserify": "^17.0.0",
+    "browserify-istanbul": "^3.0.1",
+    "coveralls": "^3.1.0",
+    "eslint": "^7.13.0",
+    "eslint-config-strict": "^14.0.1",
+    "eslint-plugin-filenames": "^1.3.2",
+    "ghooks": "^2.0.4",
+    "karma": "^5.2.3",
+    "karma-browserify": "^7.0.0",
+    "karma-coverage": "^2.0.3",
+    "karma-mocha": "^2.0.1",
+    "karma-phantomjs-launcher": "^1.0.4",
+    "karma-sauce-launcher": "^4.3.3",
+    "lcov-result-merger": "^3.1.0",
+    "mocha": "^8.2.1",
+    "nyc": "^15.1.0",
+    "phantomjs-prebuilt": "^2.1.16",
+    "semantic-release": "^17.2.2",
     "simple-assert": "^1.0.0",
-    "travis-after-all": "^1.4.4",
-    "validate-commit-msg": "^2.3.1"
+    "travis-after-all": "^1.4.5",
+    "validate-commit-msg": "^2.14.0"
   },
   "engines": {
     "node": "*"

package.json

@@ -7,6 +7,7 @@
     "mocha": true
   },
   "rules": {
+    "no-process-env": "off",
     "no-new-wrappers": 0,
     "no-array-constructor": 0,
     "no-new-object": 0,

test/.eslintrc

@@ -121,11 +121,7 @@ describe('getPathValue', function () {
         hello: 'world',
       },
       world: [ 'hello', 'universe' ],
-      complex: [
-        { hello: 'universe' },
-        { universe: 'world' },
-        [ { hello: 'world' } ],
-      ],
+      complex: [ { hello: 'universe' }, { universe: 'world' }, [ { hello: 'world' } ] ],
     };
 
     var arr = [ [ true ] ];
@@ -171,7 +167,7 @@ describe('setPathValue', function () {
   });
 
   it('allows value to be set in complex object', function () {
-    var obj = { hello: { } };
+    var obj = { hello: {} };
     pathval.setPathValue(obj, 'hello.universe', 42);
     assert(obj.hello.universe === 42);
   });
@@ -222,4 +218,30 @@ describe('setPathValue', function () {
     var valueReturned = pathval.setPathValue(obj, 'hello[2]', 3);
     assert(obj === valueReturned);
   });
+
+  describe('fix prototype pollution vulnerability', function () {
+
+    it('exclude constructor', function () {
+      var obj = {};
+      assert(typeof obj.constructor === 'function'); // eslint-disable-line
+      pathval.setPathValue(obj, 'constructor', null);
+      assert(typeof obj.constructor === 'function'); // eslint-disable-line
+    });
+
+    it('exclude __proto__', function () {
+      var obj = {};
+      assert(typeof polluted === 'undefined'); // eslint-disable-line
+      pathval.setPathValue(obj, '__proto__.polluted', true);
+      assert(typeof polluted === 'undefined'); // eslint-disable-line
+    });
+
+    it('exclude prototype', function () {
+      var obj = {};
+      assert(typeof obj.prototype === 'undefined'); // eslint-disable-line
+      pathval.setPathValue(obj, 'prototype', true);
+      assert(typeof obj.prototype === 'undefined'); // eslint-disable-line
+    });
+
+  });
+
 });