Merge pull request #63 from steveukx/fix/prototype-pollution-root-proto

Fix prototype pollution root proto
steveukx · Aug 22, 2023 · 216a9a2 · 216a9a2
2 parents a79ef3b + c2f09ad
commit 216a9a2
Show file tree

Hide file tree

Showing 13 changed files with 1,592 additions and 44 deletions.
diff --git a/.changeset/README.md b/.changeset/README.md
@@ -0,0 +1,8 @@
+# Changesets
+
+Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
+with multi-package repos, or single-package repos to help you version and publish your code. You can
+find the full documentation for it [in our repository](https://github.com/changesets/changesets)
+
+We have a quick list of common questions to get you started engaging with this project in
+[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)
diff --git a/.changeset/brave-chefs-enjoy.md b/.changeset/brave-chefs-enjoy.md
@@ -0,0 +1,5 @@
+---
+"properties-reader": minor
+---
+
+Fix prototype pollution when using `__proto__` as a top-level property name.
diff --git a/.changeset/config.json b/.changeset/config.json
@@ -0,0 +1,11 @@
+{
+  "$schema": "https://unpkg.com/@changesets/[email protected]/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "public",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": []
+}
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: [steveukx]
diff --git a/.github/no-response.yml b/.github/no-response.yml
diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
@@ -0,0 +1,29 @@
+name: release-changesets
+
+on:
+   push:
+      branches:
+         - main
+
+jobs:
+   release:
+      runs-on: ubuntu-latest
+      steps:
+         - name: Checkout Repo
+           uses: actions/checkout@v3
+           with:
+              fetch-depth: 0
+
+         - uses: actions/setup-node@v3
+           with:
+              node-version: 18
+
+         - run: yarn --frozen-lockfile
+         - run: yarn build
+
+         - uses: changesets/action@v1
+           with:
+              publish: yarn changeset publish
+           env:
+              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              NPM_TOKEN: ${{secrets.NPM_AUTH_TOKEN}}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,26 @@
+name: CI
+
+on:
+   push:
+      branches: [main]
+   pull_request:
+      branches: [main]
+
+permissions:
+   contents: read
+
+jobs:
+   build:
+      runs-on: ubuntu-latest
+      strategy:
+         matrix:
+            node-version: [12, 14, 16, 18, 20]
+      steps:
+         - uses: actions/checkout@v3
+         - name: Use Node.js ${{ matrix.node-version }}
+           uses: actions/setup-node@v3
+           with:
+              node-version: ${{ matrix.node-version }}
+              cache: yarn
+         - run: yarn install --frozen-lockfile
+         - run: yarn test
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
@@ -0,0 +1,22 @@
+name: No Response
+
+# When a comment is created and every day at 08:10
+on:
+   issue_comment:
+      types: [created]
+   schedule:
+      - cron: '10 8 * * *'
+
+jobs:
+   noResponse:
+      runs-on: ubuntu-latest
+      steps:
+         - uses: lee-dohm/[email protected]
+           with:
+              token: ${{ github.token }}
+              daysUntilClose: 21
+              responseRequiredLabel: more-info-needed
+              closeComment: >
+                 This issue has been automatically closed due to a lack of response.
+                 If your problem persists please open a new issue including any additional detail
+                 requested from this issue.
diff --git a/.travis.yml b/.travis.yml
diff --git a/package.json b/package.json
@@ -20,6 +20,8 @@
     "mkdirp": "^1.0.4"
   },
   "devDependencies": {
+    "@changesets/changelog-github": "^0.4.8",
+    "@changesets/cli": "^2.26.2",
     "jest": "^26.6.3"
   },
   "keywords": [
@@ -40,8 +42,12 @@
     "postversion": "npm publish && git push && git push --tags",
     "test": "jest --coverage"
   },
+  "funding": {
+    "type": "github",
+    "url": "https://github.com/steveukx/properties?sponsor=1"
+  },
   "engines": {
-    "node": ">=10"
+    "node": ">=12"
   },
   "license": "MIT",
   "jest": {

diff --git a/src/properties-reader.js b/src/properties-reader.js
@@ -223,7 +223,10 @@ PropertiesReader.prototype.set = function (key, value) {
       source = source[step]
    }
 
-   if (typeof parsedValue === 'string' && typeof  source[expanded[0]] === 'object') {
+   if (expanded[0] === '__proto__') {
+      Object.defineProperty(source, expanded[0], { value: parsedValue });
+   }
+   else if (typeof parsedValue === 'string' && typeof  source[expanded[0]] === 'object') {
       source[expanded[0]][''] = parsedValue;
    }
    else {

diff --git a/test/fix-prototype-pollution.spec.js b/test/fix-prototype-pollution.spec.js
@@ -25,4 +25,14 @@ describe('prototype-pollution', () => {
       expect(props.get('__proto__.parsed')).toBe(true);
    });
 
+   it('does not pollute global Object.prototype with assignment to proto', async () => {
+      const file = `
+         __proto__ = 10
+      `;
+      const props = propertiesReader(await context.file('props-x.ini', file));
+
+      expect({}['']).toBeUndefined();
+      expect(props.path().__proto__).toBe('10');
+   });
+
 });