From 6aaa4f232f872ffbb60b8a2e2282748e22a9891f Mon Sep 17 00:00:00 2001
From: Marco Carini <cmdcarini@gmail.com>
Date: Mon, 3 Aug 2020 17:16:07 -0500
Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116

Signed-off-by: rpm-build <rpm-build>
---
 deps/npm/node_modules/dot-prop/index.js     | 18 ++++++++++++++++++
 deps/npm/node_modules/dot-prop/package.json |  6 +++---
 deps/npm/node_modules/dot-prop/readme.md    |  2 ++
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
index 15282bb..189831c 100644
--- a/deps/npm/node_modules/dot-prop/index.js
+++ b/deps/npm/node_modules/dot-prop/index.js
@@ -1,6 +1,14 @@
 'use strict';
 const isObj = require('is-obj');
 
+const disallowedKeys = [
+	'__proto__',
+	'prototype',
+	'constructor'
+];
+
+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
+
 function getPathSegments(path) {
 	const pathArr = path.split('.');
 	const parts = [];
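Review bot: `disallowedKeys` carries no comment saying why these three names are rejected, so a later maintainer could shorten or bypass the list without realising it is the CVE-2020-8116 fix. I would add above it `// Segments that can reach a prototype object; rejecting them blocks prototype pollution (CVE-2020-8116)`. The check in `isValidPath` is an exact string match on each parsed segment, which is worth stating in the same comment. getPathSegments opens at the end of this hunk and its body continues outside it.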
@@ -16,6 +24,10 @@ function getPathSegments(path) {
 		parts.push(p);
 	}
 
+	if (!isValidPath(parts)) {
+		return [];
+	}
+
 	return parts;
 }
 
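Review bot: Returning `[]` for a rejected path makes every caller of getPathSegments responsible for checking the length, and the diffstat shows only two call sites in index.js gaining that check. Any other caller, none of which is visible in this diff, that loops over the result would skip its loop and fall through to whatever it returns for a zero-length path. It is worth confirming each of those returns a safe value, for example `if (pathArr.length === 0) { return false; }` where a boolean is expected. A comment on the `return [];` line such as `// empty array signals a rejected path` would make the contract explicit.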
@@ -26,6 +38,9 @@ module.exports = {
 		}
 
 		const pathArr = getPathSegments(path);
+		if (pathArr.length === 0) {
+			return;
+		}
 
 		for (let i = 0; i < pathArr.length; i++) {
 			if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
@@ -58,6 +73,9 @@ module.exports = {
 
 		const root = obj;
 		const pathArr = getPathSegments(path);
+		if (pathArr.length === 0) {
+			return;
+		}
 
 		for (let i = 0; i < pathArr.length; i++) {
 			const p = pathArr[i];
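Review bot: The early `return;` placed right after `const root = obj;` yields `undefined`, so a write with a rejected path is dropped without any error or log. If this method normally returns `root` (its tail is outside the hunk), `return root;` would keep the return type stable for callers that use the result. Either way, a comment such as `// path contained a disallowed key; leave obj untouched` would document the deliberate no-op. The same bare `return;` is added in the hunk at -26,6, where it matches the `undefined` result the readme change documents.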
diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
index 40fefa3..93daf7d 100644
--- a/deps/npm/node_modules/dot-prop/package.json
+++ b/deps/npm/node_modules/dot-prop/package.json
@@ -37,9 +37,9 @@
   "deprecated": false,
   "description": "Get, set, or delete a property from a nested object using a dot path",
   "devDependencies": {
-    "ava": "*",
+    "ava": "1.4.1",
     "matcha": "^0.7.0",
-    "xo": "*"
+    "xo": "0.24.0"
   },
   "engines": {
     "node": ">=4"
@@ -73,7 +73,7 @@
     "bench": "matcha bench.js",
     "test": "xo && ava"
   },
-  "version": "4.2.0",
+  "version": "4.2.1",
   "xo": {
     "esnext": true
   }
diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
index fab3b7a..0e18f78 100644
--- a/deps/npm/node_modules/dot-prop/readme.md
+++ b/deps/npm/node_modules/dot-prop/readme.md
@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
 
 Use `\\.` if you have a `.` in the key.
 
+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
+
 #### value
 
 Type: `any`
-- 
2.26.2