From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 9 Dec 2021 13:01:08 +0100
Subject: [PATCH] deps(json-schema): protect against prototype pollution
Amalgamation of the following upstream patches:
https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
Fixes: CVE-2021-3918
Signed-off-by: rpm-build <rpm-build>
---
.../node_modules/json-schema/lib/validate.js | 4 +--
.../node_modules/json-schema/test/tests.js | 28 ++++++++++++++++++-
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js
index 4b61088..d05ee86 100644
--- a/deps/npm/node_modules/json-schema/lib/validate.js
+++ b/deps/npm/node_modules/json-schema/lib/validate.js
@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
}
for(var i in objTypeDef){
- if(objTypeDef.hasOwnProperty(i)){
- var value = instance[i];
+ if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){
+ var value = instance.hasOwnProperty(i) ? instance[i] : undefined;
// skip _not_ specified properties
if (value === undefined && options.existingOnly) continue;
var propDef = objTypeDef[i];
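Review bot: The new guard on the `var value` line calls `instance.hasOwnProperty(i)` directly, which throws when `instance` was created with `Object.create(null)` or carries an own property named `hasOwnProperty`, so the hardened path can now turn a validation into a TypeError; `var value = Object.prototype.hasOwnProperty.call(instance, i) ? instance[i] : undefined;` avoids that. The blocklist on the `if` line skips `constructor` as well as `__proto__`, so a schema that legitimately declares a property named `constructor` is now silently unvalidated — a comment such as `// skip keys that reach Object.prototype (CVE-2021-3918)` would make the omission read as deliberate. Switching to own-property lookup also means inherited instance properties (e.g. getters on a class prototype) now validate as missing; that appears intended, but callers relying on the old behaviour would see a change. The enclosing function begins before and continues after this hunk.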
diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js
index 40eeda5..70f515a 100644
--- a/deps/npm/node_modules/json-schema/test/tests.js
+++ b/deps/npm/node_modules/json-schema/test/tests.js
@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({
'Json-Ref self-validates': assertSelfValidates('json-ref'),
'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
- 'Json-Ref/Core': assertValidates('json-ref', 'schema')
+ 'Json-Ref/Core': assertValidates('json-ref', 'schema'),
+ prototypePollution: function() {
+ console.log('testing')
+ const instance = JSON.parse(`
+ {
+ "$schema":{
+ "type": "object",
+ "properties":{
+ "__proto__": {
+ "type": "object",
+
+ "properties":{
+ "polluted": {
+ "type": "string",
+ "default": "polluted"
+ }
+ }
+ }
+ },
+ "__proto__": {}
+ }
+ }`);
+
+ const a = {};
+ validate(instance);
+ assert.equal(a.polluted, undefined);
+ }
}).export(module);
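Review bot: `console.log('testing')` at the top of the new `prototypePollution` case is a stray debug print and should be removed before merge. The case only exercises the `__proto__` key; the `constructor` branch that the companion validate.js change also blocks has no coverage, so a sibling case keyed `"properties": {"constructor": {...}}` in the same shape would pin both halves of the fix. Probing `a.polluted` on a fresh object is the right check for Object.prototype pollution, though a failing run would leave the pollution in place for later tests in the same process; a `delete Object.prototype.polluted` after the assertion is cheap insurance. `validate` and `assert` are presumably brought into scope at the top of tests.js, outside this hunk.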
--
2.33.1