prototype pollution fix #2

richardgirges · richardgirges · commit 94c9cf9c8b30 · 2020-07-31T05:59:45.000-07:00
diff --git a/lib/processNested.js b/lib/processNested.js
@@ -1,4 +1,4 @@
-const INVALID_KEYS = ['__proto__'];
+const INVALID_KEYS = ['__proto__', 'constructor'];
 
 module.exports = function(data){
   if (!data || data.length < 1) return {};
diff --git a/test/processNested.spec.js b/test/processNested.spec.js
@@ -47,11 +47,13 @@ describe('Test Convert Flatten object to Nested object', function() {
   });
 
   it('Do not allow prototype pollution', () => {
-    const pollutionOb = JSON.parse(`{"__proto__.POLLUTED": "FOOBAR"}`);
+    const pollutionOb1 = JSON.parse(`{"__proto__.POLLUTED1": "FOOBAR"}`);
+    const pollutionOb2 = JSON.parse(`{"constructor.prototype.POLLUTED2": "FOOBAR"}`);
 
-    processNested(pollutionOb);
+    processNested(pollutionOb1);
+    processNested(pollutionOb2);
 
-    // eslint-disable-next-line no-undef
-    assert.equal(global.POLLUTED, undefined);
+    assert.equal(global.POLLUTED1, undefined);
+    assert.equal(global.POLLUTED2, undefined);
   });
 });

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-const INVALID_KEYS = ['__proto__'];`
	`1`	`+const INVALID_KEYS = ['__proto__', 'constructor'];`
`2`	`2`
`3`	`3`	`module.exports = function(data){`
`4`	`4`	`if (!data \|\| data.length < 1) return {};`