Skip to content

Commit

Permalink
datastore: prevent manipulating user input during save
Browse files Browse the repository at this point in the history
  • Loading branch information
stephenplusplus committed Sep 21, 2015
1 parent 1716bae commit 53c4328
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 1 deletion.
4 changes: 3 additions & 1 deletion lib/datastore/request.js
Original file line number Diff line number Diff line change
Expand Up @@ -390,7 +390,9 @@ DatastoreRequest.prototype.save = function(entities, callback) {

if (Array.isArray(entityObject.data)) {
ent.property = entityObject.data.map(function(data) {
data.value = entity.valueToProperty(data.value);
data = extend(true, {}, data, {
value: entity.valueToProperty(data.value)
});

if (is.boolean(data.excludeFromIndexes)) {
var indexed = !data.excludeFromIndexes;
Expand Down
23 changes: 23 additions & 0 deletions test/datastore/request.js
Original file line number Diff line number Diff line change
Expand Up @@ -455,6 +455,29 @@ describe('Request', function() {
], done);
});

it('should not alter the provided data object', function(done) {
var data = [
{
name: 'test-name',
value: {
a: 'b',
c: [1, 2, 3]
},
indexed: false
}
];
var expectedData = extend(true, {}, data);

request.makeReq_ = function(method, req) {
// By the time the request is made, the original object has already been
// transformed into a raw request.
assert.deepEqual(data, expectedData);
done();
};

request.save({ key: key, data: data }, assert.ifError);
});

it('should return apiResponse in callback', function(done) {
var key = new entity.Key({ namespace: 'ns', path: ['Company'] });
var mockCommitResponse = {
Expand Down

0 comments on commit 53c4328

Please sign in to comment.