104 lines
2.8 KiB
Diff
104 lines
2.8 KiB
Diff
From 6aaa4f232f872ffbb60b8a2e2282748e22a9891f Mon Sep 17 00:00:00 2001
|
|
From: Marco Carini <cmdcarini@gmail.com>
|
|
Date: Mon, 3 Aug 2020 17:16:07 -0500
|
|
Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
|
|
|
|
Signed-off-by: rpm-build <rpm-build>
|
|
---
|
|
deps/npm/node_modules/dot-prop/index.js | 18 ++++++++++++++++++
|
|
deps/npm/node_modules/dot-prop/package.json | 6 +++---
|
|
deps/npm/node_modules/dot-prop/readme.md | 2 ++
|
|
3 files changed, 23 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
|
|
index 15282bb..189831c 100644
|
|
--- a/deps/npm/node_modules/dot-prop/index.js
|
|
+++ b/deps/npm/node_modules/dot-prop/index.js
|
|
@@ -1,6 +1,14 @@
|
|
'use strict';
|
|
const isObj = require('is-obj');
|
|
|
|
+const disallowedKeys = [
|
|
+ '__proto__',
|
|
+ 'prototype',
|
|
+ 'constructor'
|
|
+];
|
|
+
|
|
+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
|
|
+
|
|
function getPathSegments(path) {
|
|
const pathArr = path.split('.');
|
|
const parts = [];
|
|
@@ -16,6 +24,10 @@ function getPathSegments(path) {
|
|
parts.push(p);
|
|
}
|
|
|
|
+ if (!isValidPath(parts)) {
|
|
+ return [];
|
|
+ }
|
|
+
|
|
return parts;
|
|
}
|
|
|
|
@@ -26,6 +38,9 @@ module.exports = {
|
|
}
|
|
|
|
const pathArr = getPathSegments(path);
|
|
+ if (pathArr.length === 0) {
|
|
+ return;
|
|
+ }
|
|
|
|
for (let i = 0; i < pathArr.length; i++) {
|
|
if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
|
|
@@ -58,6 +73,9 @@ module.exports = {
|
|
|
|
const root = obj;
|
|
const pathArr = getPathSegments(path);
|
|
+ if (pathArr.length === 0) {
|
|
+ return;
|
|
+ }
|
|
|
|
for (let i = 0; i < pathArr.length; i++) {
|
|
const p = pathArr[i];
|
|
diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
|
|
index 40fefa3..93daf7d 100644
|
|
--- a/deps/npm/node_modules/dot-prop/package.json
|
|
+++ b/deps/npm/node_modules/dot-prop/package.json
|
|
@@ -37,9 +37,9 @@
|
|
"deprecated": false,
|
|
"description": "Get, set, or delete a property from a nested object using a dot path",
|
|
"devDependencies": {
|
|
- "ava": "*",
|
|
+ "ava": "1.4.1",
|
|
"matcha": "^0.7.0",
|
|
- "xo": "*"
|
|
+ "xo": "0.24.0"
|
|
},
|
|
"engines": {
|
|
"node": ">=4"
|
|
@@ -73,7 +73,7 @@
|
|
"bench": "matcha bench.js",
|
|
"test": "xo && ava"
|
|
},
|
|
- "version": "4.2.0",
|
|
+ "version": "4.2.1",
|
|
"xo": {
|
|
"esnext": true
|
|
}
|
|
diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
|
|
index fab3b7a..0e18f78 100644
|
|
--- a/deps/npm/node_modules/dot-prop/readme.md
|
|
+++ b/deps/npm/node_modules/dot-prop/readme.md
|
|
@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
|
|
|
|
Use `\\.` if you have a `.` in the key.
|
|
|
|
+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
|
|
+
|
|
#### value
|
|
|
|
Type: `any`
|
|
--
|
|
2.26.2
|
|
|