From 6aaa4f232f872ffbb60b8a2e2282748e22a9891f Mon Sep 17 00:00:00 2001

From: Marco Carini <cmdcarini@gmail.com>

Date: Mon, 3 Aug 2020 17:16:07 -0500

Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116

Signed-off-by: rpm-build <rpm-build>

---

 deps/npm/node_modules/dot-prop/index.js     | 18 ++++++++++++++++++

 deps/npm/node_modules/dot-prop/package.json |  6 +++---

 deps/npm/node_modules/dot-prop/readme.md    |  2 ++

 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js

index 15282bb..189831c 100644

--- a/deps/npm/node_modules/dot-prop/index.js

+++ b/deps/npm/node_modules/dot-prop/index.js

@@ -1,6 +1,14 @@

 'use strict';

 const isObj = require('is-obj');

+const disallowedKeys = [

+	'__proto__',

+	'prototype',

+	'constructor'

+];

+

+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));

+

 function getPathSegments(path) {

 	const pathArr = path.split('.');

 	const parts = [];

@@ -16,6 +24,10 @@ function getPathSegments(path) {

 		parts.push(p);

 	}

+	if (!isValidPath(parts)) {

+		return [];

+	}

+

 	return parts;

 }

@@ -26,6 +38,9 @@ module.exports = {

 		}

 		const pathArr = getPathSegments(path);

+		if (pathArr.length === 0) {

+			return;

+		}

 		for (let i = 0; i < pathArr.length; i++) {

 			if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {

@@ -58,6 +73,9 @@ module.exports = {

 		const root = obj;

 		const pathArr = getPathSegments(path);

+		if (pathArr.length === 0) {

+			return;

+		}

 		for (let i = 0; i < pathArr.length; i++) {

 			const p = pathArr[i];

diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json

index 40fefa3..93daf7d 100644

--- a/deps/npm/node_modules/dot-prop/package.json

+++ b/deps/npm/node_modules/dot-prop/package.json

@@ -37,9 +37,9 @@

   "deprecated": false,

   "description": "Get, set, or delete a property from a nested object using a dot path",

   "devDependencies": {

-    "ava": "*",

+    "ava": "1.4.1",

     "matcha": "^0.7.0",

-    "xo": "*"

+    "xo": "0.24.0"

   },

   "engines": {

     "node": ">=4"

@@ -73,7 +73,7 @@

     "bench": "matcha bench.js",

     "test": "xo && ava"

   },

-  "version": "4.2.0",

+  "version": "4.2.1",

   "xo": {

     "esnext": true

   }

diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md

index fab3b7a..0e18f78 100644

--- a/deps/npm/node_modules/dot-prop/readme.md

+++ b/deps/npm/node_modules/dot-prop/readme.md

@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.

 Use `\\.` if you have a `.` in the key.

+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.

+

 #### value

 Type: `any`

-- 

2.26.2