File: CVE-2020-15256.diff

Description: Fix prototype pollution in set()
Author: Mario Casciaro <mariocasciaro@gmail.com>
Origin: upstream, https://github.com/mariocasciaro/object-path/commit/2be3354c6
Bug: https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-10-22

--- a/index.js
+++ b/index.js
@@ -105,6 +105,10 @@
       }
       var currentPath = path[0];
       var currentValue = getShallowProperty(obj, currentPath);
+      if (options.includeInheritedProps && (currentPath === '__proto__' ||
+        (currentPath === 'constructor' && typeof currentValue === 'function'))) {
+        throw new Error('For security reasons, object\'s magic properties cannot be set')
+      }
       if (path.length === 1) {
         if (currentValue === void 0 || !doNotReplace) {
           obj[currentPath] = value;
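Review bot: The `throw new Error(...)` added right after the `constructor` check is the only statement in the hunk without a trailing semicolon; for consistency with the surrounding code it should read `throw new Error('For security reasons, object\'s magic properties cannot be set');`. The guard is also gated on `options.includeInheritedProps` with no explanation, so a reader has to infer why the default own-property path needs no check; a comment such as `// Guard only applies when inherited lookups are enabled: presumably own-property mode never resolves __proto__/constructor via getShallowProperty — confirm` would record that reasoning, since getShallowProperty is not visible in this hunk. The enclosing function starts before and ends after this hunk.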