From fb602fbe1e9f14f2e88ecb8179d0f76466d21ecb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Aur=C3=A8le=20DARCHE?= <152407+madarche@users.noreply.github.com> Date: Sat, 31 Dec 2022 18:45:53 +0100 Subject: [PATCH] fix-imperfect-prototype-pollution-fix (#411) --- packages/convict/src/main.js | 2 +- packages/convict/test/prototype_pollution.test.js | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/packages/convict/src/main.js b/packages/convict/src/main.js index 459b504..2474998 100644 --- a/packages/convict/src/main.js +++ b/packages/convict/src/main.js @@ -12,7 +12,7 @@ const cloneDeep = require('lodash.clonedeep') // Forbidden key paths, for protection against prototype pollution const FORBIDDEN_KEY_PATHS = [ '__proto__.', - 'this.constructor.prototype.', + 'constructor.prototype.', ] const ALLOWED_OPTION_STRICT = 'strict' diff --git a/packages/convict/test/prototype_pollution.test.js b/packages/convict/test/prototype_pollution.test.js index 4578594..f3bf11e 100644 --- a/packages/convict/test/prototype_pollution.test.js +++ b/packages/convict/test/prototype_pollution.test.js @@ -30,10 +30,17 @@ describe('Convict prototype pollution resistance', function() { expect({}).not.toHaveProperty('nested.polluted_proto_nested') }) - test('against this.constructor.prototype', function() { + test('against constructor.prototype', function() { const obj = {} const config = convict(obj) + config.set('constructor.prototype.polluted_constructor_prototype_root', 'Polluted!') + expect({}).not.toHaveProperty('polluted_constructor_prototype_root') + + config.set('constructor.prototype.nested.polluted_constructor_prototype_nested', 'Polluted!') + expect({}).not.toHaveProperty('nested') + expect({}).not.toHaveProperty('nested.polluted_constructor_prototype_nested') + config.set('this.constructor.prototype.polluted_constructor_prototype_root', 'Polluted!') expect({}).not.toHaveProperty('polluted_constructor_prototype_root')