From 6aaa4f232f872ffbb60b8a2e2282748e22a9891f Mon Sep 17 00:00:00 2001
From: Marco Carini <cmdcarini@gmail.com>
Date: Mon, 3 Aug 2020 17:16:07 -0500
Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/dot-prop/index.js | 18 ++++++++++++++++++
deps/npm/node_modules/dot-prop/package.json | 6 +++---
deps/npm/node_modules/dot-prop/readme.md | 2 ++
3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
index 15282bb..189831c 100644
--- a/deps/npm/node_modules/dot-prop/index.js
+++ b/deps/npm/node_modules/dot-prop/index.js
@@ -1,6 +1,14 @@
'use strict';
const isObj = require('is-obj');
+const disallowedKeys = [
+ '__proto__',
+ 'prototype',
+ 'constructor'
+];
+
+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
+
function getPathSegments(path) {
const pathArr = path.split('.');
const parts = [];
@@ -16,6 +24,10 @@ function getPathSegments(path) {
parts.push(p);
}
+ if (!isValidPath(parts)) {
+ return [];
+ }
+
return parts;
}
@@ -26,6 +38,9 @@ module.exports = {
}
const pathArr = getPathSegments(path);
+ if (pathArr.length === 0) {
+ return;
+ }
for (let i = 0; i < pathArr.length; i++) {
if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
@@ -58,6 +73,9 @@ module.exports = {
const root = obj;
const pathArr = getPathSegments(path);
+ if (pathArr.length === 0) {
+ return;
+ }
for (let i = 0; i < pathArr.length; i++) {
const p = pathArr[i];
diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
index 40fefa3..93daf7d 100644
--- a/deps/npm/node_modules/dot-prop/package.json
+++ b/deps/npm/node_modules/dot-prop/package.json
@@ -37,9 +37,9 @@
"deprecated": false,
"description": "Get, set, or delete a property from a nested object using a dot path",
"devDependencies": {
- "ava": "*",
+ "ava": "1.4.1",
"matcha": "^0.7.0",
- "xo": "*"
+ "xo": "0.24.0"
},
"engines": {
"node": ">=4"
@@ -73,7 +73,7 @@
"bench": "matcha bench.js",
"test": "xo && ava"
},
- "version": "4.2.0",
+ "version": "4.2.1",
"xo": {
"esnext": true
}
diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
index fab3b7a..0e18f78 100644
--- a/deps/npm/node_modules/dot-prop/readme.md
+++ b/deps/npm/node_modules/dot-prop/readme.md
@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
Use `\\.` if you have a `.` in the key.
+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
+
#### value
Type: `any`
--
2.26.2