Skip to content

Ban prototype pollution and document it #219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
alshakero merged 3 commits into from
Mar 27, 2019
Merged

Ban prototype pollution and document it #219

alshakero merged 3 commits into from
Mar 27, 2019

Conversation

@alshakero
Copy link
Collaborator

@alshakero alshakero commented Jan 4, 2019

fixes #216

@alshakero alshakero requested review from tomalec and warpech January 4, 2019 16:28
@alshakero alshakero mentioned this pull request Jan 4, 2019
Closed
tomalec
tomalec requested changes Jan 9, 2019
View reviewed changes
dist/fast-json-patch.js
var results = new Array(patch.length);
for (var i = 0, length_1 = patch.length; i < length_1; i++) {
results[i] = applyOperation(document, patch[i], validateOperation);
results[i] = applyOperation(document, patch[i], validateOperation, true, banPrototypeModifications);
Copy link
Collaborator

@tomalec tomalec Jan 9, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cosmetics,
You can consider explaining why you hard-code one parameter and forward the others, as it caused me to think for a second.
Like, "mutateDocument was already covered for the entire sequence, we will apply operations on cloned document if applicable"

test/spec/coreSpec.js Outdated
});
});

it(`should allow __proto__ modifications when the flag is set`, function() {
Copy link
Collaborator

@tomalec tomalec Jan 9, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To me more descriptive

Suggested change
it(`should allow __proto__ modifications when the flag is set`, function() {
it(`should allow __proto__ modifications when the mutateDocument flag is set`, function() {

test/spec/coreSpec.js Outdated
expect(otherDoc.x).toEqual('polluted');
});

it(`should not allow __proto__ modifications without setting the flag and should throw an error`, function() {
Copy link
Collaborator

@tomalec tomalec Jan 9, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
it(`should not allow __proto__ modifications without setting the flag and should throw an error`, function() {
it(`should not allow __proto__ modifications without setting the mutateDocument flag and should throw an error`, function() {

test/spec/coreSpec.js Outdated
jsonpatch.applyPatch(doc, patch);
} catch (e) {
expect(e.message).toEqual(expectedErrorMessage);
}
Copy link
Collaborator

@tomalec tomalec Jan 9, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you considered expect(()=>{jsonpatch.applyPatch(doc, patch)}).to.throw(TypeError, expectedErrorMessage); to make test easier to read, and check for the error type as well?
https://www.chaijs.com/api/bdd/#method_throw

I'm afraid the code above would pass the test if jsonpatch.applyPatch(doc, patch); does not throw at all, as then the expect function is not called either.

@warpech
Copy link
Collaborator

warpech commented Mar 27, 2019
edited
Loading

Please consider that PR #221 also proposes to change the signature of the method applyOperation

@alshakero
Copy link
Collaborator Author

alshakero commented Mar 27, 2019

Addressed all and tests are passing. merging.

@alshakero alshakero merged commit c9939b4 into master Mar 27, 2019
@alshakero alshakero deleted the ban-proto-edits branch March 27, 2019 15:24
@snyk-bot snyk-bot mentioned this pull request Mar 26, 2020
Closed
@snyk-bot snyk-bot mentioned this pull request Apr 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tomalec tomalec tomalec requested changes

@warpech warpech Awaiting requested review from warpech

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Prevent prototype injection

4 participants

@alshakero @warpech @tomalec