packages/nodejs-getobject
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-28282

Browse Source
This commit is contained in:
starlet-dx 2022-02-22 16:24:09 +08:00
parent 33cbc8175e
commit 376ea0df4f
2 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
CVE-2020-28282.patch Normal file
View File

@ -0,0 +1,55 @@
From 84071748fa407caa8f824e0d0b9c1cde9ec56633 Mon Sep 17 00:00:00 2001
From: Vlad Filippov <vlad.filippov@gmail.com>
Date: Wed, 10 Mar 2021 23:07:02 -0500
Subject: [PATCH] Do not allow setting of __proto__
---
lib/getobject.js | 4 ++++
package.json | 2 +-
test/namespace_test.js | 8 ++++++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/getobject.js b/lib/getobject.js
index e4006fe..7d6aa12 100644
--- a/lib/getobject.js
+++ b/lib/getobject.js
@@ -41,6 +41,10 @@ getobject.get = function(obj, parts, create) {
// as we go.
getobject.set = function(obj, parts, value) {
parts = getParts(parts);
+ if (parts.includes('__proto__')) {
+ // do not allow setting of __proto__. See CVE-2020-28282.
+ return;
+ }
var prop = parts.pop();
obj = getobject.get(obj, parts, true);
diff --git a/package.json b/package.json
index 2562e1d..07a7000 100644
--- a/package.json
+++ b/package.json
@@ -29,7 +29,7 @@
},
"devDependencies": {
"grunt-contrib-jshint": "~0.1.1",
- "grunt-contrib-nodeunit": "~0.1.2",
+ "grunt-contrib-nodeunit": "~2.1.0",
"grunt-contrib-watch": "~0.2.0",
"grunt": "~0.4.1"
},
diff --git a/test/namespace_test.js b/test/namespace_test.js
index 2e1c2ae..a776b8e 100644
--- a/test/namespace_test.js
+++ b/test/namespace_test.js
@@ -49,3 +49,11 @@ exports.exists = function(test) {
test.equal(getobject.exists(obj, 'a.b.x'), false, 'nonexistent property should not exist.');
test.done();
};
+
+exports.proto = function(test) {
+ var obj = {};
+ test.equal(getobject.exists(obj, 'isAdmin'), false);
+ getobject.set(obj, '__proto__.isAdmin', true);
+ test.equal(getobject.exists(obj, 'isAdmin'), false);
+ test.done();
+};

7
nodejs-getobject.spec
View File

@ -2,11 +2,12 @@
%global enable_tests 0 %global enable_tests 0
Name: nodejs-getobject Name: nodejs-getobject
Version: 0.1.0 Version: 0.1.0
Release: 1 Release: 2
Summary: Get and set deep objects easily Summary: Get and set deep objects easily
License: MIT License: MIT
URL: https://github.com/cowboy/node-getobject URL: https://github.com/cowboy/node-getobject
Source0: http://registry.npmjs.org/getobject/-/getobject-%{version}.tgz Source0: http://registry.npmjs.org/getobject/-/getobject-%{version}.tgz
Patch0: CVE-2020-28282.patch
BuildArch: noarch BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch ExclusiveArch: %{nodejs_arches} noarch
ExclusiveArch: %{ix86} x86_64 %{arm} noarch ExclusiveArch: %{ix86} x86_64 %{arm} noarch
@ -19,6 +20,7 @@ BuildRequires: npm(grunt-cli) npm(grunt-contrib-nodeunit) npm(grunt-contri
%prep %prep
%setup -q -n package %setup -q -n package
%patch0 -p1
%build %build
@ -39,5 +41,8 @@ cp -pr package.json lib/ \
%{nodejs_sitelib}/getobject %{nodejs_sitelib}/getobject
%changelog %changelog
* Tue Feb 22 2022 yaoxin <yaoxin30@huawei.com> - 0.1.0-2
- Fix CVE-2020-28282
* Thu Aug 20 2020 Anan Fu <fuanan3@huawei.com> - 0.1.0-1 * Thu Aug 20 2020 Anan Fu <fuanan3@huawei.com> - 0.1.0-1
- package init - package init