From d30fce96a8cdc7824d8b21543de1727b6779fa2b Mon Sep 17 00:00:00 2001
From: Sven Slootweg
Date: Wed, 25 Nov 2020 20:55:55 +0100
Subject: [PATCH] Fix __proto__ breakage in context validation
---
 .../create/validators/forbid-special-properties.js | 12 +++++++++++-
 src/packages/reserved-properties/index.js | 1 -
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/packages/create/validators/forbid-special-properties.js b/src/packages/create/validators/forbid-special-properties.js
index 80a421f..f8d5e63 100644
--- a/src/packages/create/validators/forbid-special-properties.js
+++ b/src/packages/create/validators/forbid-special-properties.js
@@ -6,12 +6,13 @@ const syncpipe = require("syncpipe");
 const wrapError = require("@validatem/wrap-error");
 const forbidden = require("@validatem/forbidden");
 const allowExtraProperties = require("@validatem/allow-extra-properties");
+const ValidationError = require("@validatem/error");
 const reservedProperties = require("../../reserved-properties");
 let forbidSpecialProperty = wrapError("Reserved property name cannot be used", forbidden);
-module.exports = syncpipe(reservedProperties, [
+let baseChecks = syncpipe(reservedProperties, [
 (_) => _.filter((property) => property !== "constructor"),
 (_) => _.map((property) => {
 // NOTE: It is very important that `forbidSpecialProperty` below is wrapped in an array. Otherwise, for the `__proto__` property, it will actually treat the entire rules object as a validatem-special object due to its __proto__ being set directly to an object with the validatem-special marker... We're hacking around this by wrapping it in an array instead, which will not register as such. It's really a hack, though.
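Review bot: The NOTE comment kept as context under `_.map` still justifies the array wrapper by what happens for the `__proto__` entry, but this commit removes `__proto__` from `reserved-properties`, so as far as the visible lines show `baseChecks` no longer builds a rule for that key and the comment describes a case that cannot occur. Reword it to say where the key is handled now, e.g. `// NOTE: __proto__ is rejected by the separate rule in module.exports, not in this rules object.` The `_.map` callback continues past the end of the hunk, so whether the wrapper is still needed for another reason cannot be judged from here. Because `constructor` stays in the shared list and is filtered out locally on the line above, filtering `__proto__` the same way would keep the list complete for any other consumer of `reserved-properties`.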
@@ -20,3 +21,12 @@ module.exports = syncpipe(reservedProperties, [
 (_) => fromEntries(_),
 (_) => allowExtraProperties(_)
 ]);
+
+module.exports = [
+ baseChecks,
+ (value) => {
+ if (value.__proto__ != null) {
+ return new ValidationError("Reserved property name __proto__ cannot be used");
+ }
+ }
+];
diff --git a/src/packages/reserved-properties/index.js b/src/packages/reserved-properties/index.js
index 813c0b0..adb9358 100644
--- a/src/packages/reserved-properties/index.js
+++ b/src/packages/reserved-properties/index.js
@@ -7,6 +7,5 @@ module.exports = [
 "message",
 "stack",
 "cause",
- "__proto__",
 "constructor"
 ];
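Review bot: The test `value.__proto__ != null` in the rule added to forbid-special-properties.js reads the inherited `Object.prototype.__proto__` accessor, so for any ordinary object it yields `Object.prototype` and the rule would report the error for every context object, not only for ones that name `__proto__`. That holds unless validatem hands this rule a null-prototype object, which the hunk does not show. To reject an own key (what `JSON.parse` produces), test `Object.prototype.hasOwnProperty.call(value, "__proto__")`; to catch a prototype swapped in through an object literal, compare `Object.getPrototypeOf(value)` with `Object.prototype`, assuming contexts are meant to be plain objects. The property read also throws a TypeError if `value` can be null or undefined here, so the rule should return early for those unless `baseChecks` already guarantees an object.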