From 6aaa4f232f872ffbb60b8a2e2282748e22a9891f Mon Sep 17 00:00:00 2001
From: Marco Carini
Date: Mon, 3 Aug 2020 17:16:07 -0500
Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
Signed-off-by: rpm-build
---
 deps/npm/node_modules/dot-prop/index.js | 18 ++++++++++++++++++
 deps/npm/node_modules/dot-prop/package.json | 6 +++---
 deps/npm/node_modules/dot-prop/readme.md | 2 ++
 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
index 15282bb..189831c 100644
--- a/deps/npm/node_modules/dot-prop/index.js
+++ b/deps/npm/node_modules/dot-prop/index.js
@@ -1,6 +1,14 @@
 'use strict';
 const isObj = require('is-obj');
+const disallowedKeys = [
+ '__proto__',
+ 'prototype',
+ 'constructor'
+];
+
+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
+
 function getPathSegments(path) {
 const pathArr = path.split('.');
 const parts = [];
@@ -16,6 +24,10 @@ function getPathSegments(path) {
 parts.push(p);
 }
+ if (!isValidPath(parts)) {
+ return [];
+ }
+
 return parts;
 }
@@ -26,6 +38,9 @@ module.exports = {
 }
 const pathArr = getPathSegments(path);
+ if (pathArr.length === 0) {
+ return;
+ }
 for (let i = 0; i < pathArr.length; i++) {
 if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
@@ -58,6 +73,9 @@ module.exports = {
 const root = obj;
 const pathArr = getPathSegments(path);
+ if (pathArr.length === 0) {
+ return;
+ }
 for (let i = 0; i < pathArr.length; i++) {
 const p = pathArr[i];
diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
index 40fefa3..93daf7d 100644
--- a/deps/npm/node_modules/dot-prop/package.json
+++ b/deps/npm/node_modules/dot-prop/package.json
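Review bot: `isValidPath` depends on `Array.prototype.includes`, which is ES2016 and absent from Node 4, yet the package.json section of this patch keeps `"node": ">=4"` in `engines`; inside Node's bundled npm that is moot, but a standalone consumer of the patched module would get a TypeError, so either use `disallowedKeys.indexOf(segment) !== -1` or raise the engines floor. Nothing states why these three names are rejected; I would put `// Segments that reach the prototype chain instead of own data (CVE-2020-8116); see readme.` above `disallowedKeys`. The list could also be a `Set` queried with `.has`, but that needs Node 6 as well.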
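Review bot: The empty array returned for a rejected path is a sentinel that every exported method now has to recognise, but nothing in `getPathSegments` says so; I would add `// Empty result: the path contains a disallowed segment and callers must treat it as "not found".` above the new `if`. Because `path.split('.')` always yields at least one element, `[]` cannot arise any other way, so the sentinel is unambiguous. The loop that builds `parts` starts above the hunk.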
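Review bot: The `pathArr.length === 0` guard lands in `get` here and in `set` in the hunk at `@@ -58,6 +73,9 @@`, but the diffstat's 18 insertions for index.js are fully accounted for by the four visible hunks, so the module's remaining exports get none. If `has` keeps the dot-prop 4.2.0 shape — walk the segments and `return true` after the loop — an empty segment array makes `has(obj, '__proto__')` answer `true`, and a `delete` with the same loop shape returns as though it had run. Each remaining export should check the sentinel directly after `getPathSegments`, e.g. `if (pathArr.length === 0) { return false; }` in `has`; those methods lie outside the visible hunks.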
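Review bot: The guard's bare `return` makes `set` yield `undefined` for a rejected path, while the `root` captured on the preceding context line suggests the function otherwise returns the object it was given (its tail is outside the hunk). If it does end with `return root;`, callers that chain on `set`'s result will break only in the rejected case; `if (pathArr.length === 0) { return root; }` keeps the contract uniform without performing the write. The body of `set` continues past the hunk.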
@@ -37,9 +37,9 @@
 "deprecated": false,
 "description": "Get, set, or delete a property from a nested object using a dot path",
 "devDependencies": {
- "ava": "*",
+ "ava": "1.4.1",
 "matcha": "^0.7.0",
- "xo": "*"
+ "xo": "0.24.0"
 },
 "engines": {
 "node": ">=4"
@@ -73,7 +73,7 @@
 "bench": "matcha bench.js",
 "test": "xo && ava"
 },
- "version": "4.2.0",
+ "version": "4.2.1",
 "xo": {
 "esnext": true
 }
diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
index fab3b7a..0e18f78 100644
--- a/deps/npm/node_modules/dot-prop/readme.md
+++ b/deps/npm/node_modules/dot-prop/readme.md
@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
 Use `\\.` if you have a `.` in the key.
+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
+
 #### value
 Type: `any`
-- 
2.26.2