Merge pull request #262 from 418sec/1-npm-fast-json-patch

Starcounter-Jack · web-flow · commit 7ad6af41eabb · 2021-08-13T12:10:25.000+02:00
Security Fix for Prototype Pollution - huntr.dev
diff --git a/commonjs/core.js b/commonjs/core.js
@@ -188,8 +188,10 @@ function applyOperation(document, operation, validateOperation, mutateDocument,
             if (key && key.indexOf('~') != -1) {
                 key = helpers_js_1.unescapePathComponent(key);
             }
-            if (banPrototypeModifications && key == '__proto__') {
-                throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
+            if (banPrototypeModifications &&
+                (key == '__proto__' ||
+                    (key == 'prototype' && t > 0 && keys[t - 1] == 'constructor'))) {
+                throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
             }
             if (validateOperation) {
                 if (existingPathFragment === undefined) {
diff --git a/module/core.mjs b/module/core.mjs
@@ -186,8 +186,10 @@ export function applyOperation(document, operation, validateOperation, mutateDoc
             if (key && key.indexOf('~') != -1) {
                 key = unescapePathComponent(key);
             }
-            if (banPrototypeModifications && key == '__proto__') {
-                throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
+            if (banPrototypeModifications &&
+                (key == '__proto__' ||
+                    (key == 'prototype' && t > 0 && keys[t - 1] == 'constructor'))) {
+                throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
             }
             if (validateOperation) {
                 if (existingPathFragment === undefined) {
diff --git a/src/core.ts b/src/core.ts
@@ -251,8 +251,11 @@ export function applyOperation<T>(document: T, operation: Operation, validateOpe
         key = unescapePathComponent(key);
       }
 
-      if(banPrototypeModifications && key == '__proto__') {
-        throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
+      if(banPrototypeModifications && 
+          (key == '__proto__' || 
+          (key == 'prototype' && t>0 && keys[t-1] == 'constructor'))
+        ) {
+        throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
       }
 
       if (validateOperation) {

Original file line number	Diff line number	Diff line change
`@@ -188,8 +188,10 @@ function applyOperation(document, operation, validateOperation, mutateDocument,`
`188`	`188`	`if (key && key.indexOf('~') != -1) {`
`189`	`189`	`key = helpers_js_1.unescapePathComponent(key);`
`190`	`190`	`}`
`191`		`- if (banPrototypeModifications && key == '__proto__') {`
`192`		- throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
	`191`	`+ if (banPrototypeModifications &&`
	`192`	`+ (key == '__proto__' \|\|`
	`193`	`+ (key == 'prototype' && t > 0 && keys[t - 1] == 'constructor'))) {`
	`194`	+ throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
`193`	`195`	`}`
`194`	`196`	`if (validateOperation) {`
`195`	`197`	`if (existingPathFragment === undefined) {`
Original file line number	Diff line number	Diff line change
`@@ -186,8 +186,10 @@ export function applyOperation(document, operation, validateOperation, mutateDoc`
`186`	`186`	`if (key && key.indexOf('~') != -1) {`
`187`	`187`	`key = unescapePathComponent(key);`
`188`	`188`	`}`
`189`		`- if (banPrototypeModifications && key == '__proto__') {`
`190`		- throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
	`189`	`+ if (banPrototypeModifications &&`
	`190`	`+ (key == '__proto__' \|\|`
	`191`	`+ (key == 'prototype' && t > 0 && keys[t - 1] == 'constructor'))) {`
	`192`	+ throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
`191`	`193`	`}`
`192`	`194`	`if (validateOperation) {`
`193`	`195`	`if (existingPathFragment === undefined) {`
Original file line number	Diff line number	Diff line change
`@@ -251,8 +251,11 @@ export function applyOperation<T>(document: T, operation: Operation, validateOpe`
`251`	`251`	`key = unescapePathComponent(key);`
`252`	`252`	`}`
`253`	`253`
`254`		`- if(banPrototypeModifications && key == '__proto__') {`
`255`		- throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
	`254`	`+ if(banPrototypeModifications &&`
	`255`	`+ (key == '__proto__' \|\|`
	`256`	`+ (key == 'prototype' && t>0 && keys[t-1] == 'constructor'))`
	`257`	`+ ) {`
	`258`	+ throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
`256`	`259`	`}`
`257`	`260`
`258`	`261`	`if (validateOperation) {`