From 56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 Mon Sep 17 00:00:00 2001
From: isaacs
Date: Tue, 8 Dec 2020 14:21:50 -0800
Subject: [PATCH] do not allow invalid hazardous string as section name
---
 ini.js | 8 ++++++++
 test/proto.js | 45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 test/proto.js
diff --git a/ini.js b/ini.js
index 590195d..0401258 100644
--- a/ini.js
+++ b/ini.js
@@ -80,6 +80,12 @@ function decode (str) {
 if (!match) return
 if (match[1] !== undefined) {
 section = unsafe(match[1])
+ if (section === '__proto__') {
+ // not allowed
+ // keep parsing the section, but don't attach it.
+ p = {}
+ return
+ }
 p = out[section] = out[section] || {}
 return
 }
@@ -94,6 +100,7 @@ function decode (str) {
 // Convert keys with '[]' suffix to an array
 if (key.length > 2 && key.slice(-2) === '[]') {
 key = key.substring(0, key.length - 2)
+ if (key === '__proto__') return
 if (!p[key]) {
 p[key] = []
 } else if (!Array.isArray(p[key])) {
@@ -125,6 +132,7 @@ function decode (str) {
 var l = parts.pop()
 var nl = l.replace(/\\\./g, '.')
 parts.forEach(function (part, _, __) {
+ if (part === '__proto__') return
 if (!p[part] || typeof p[part] !== 'object') p[part] = {}
 p = p[part]
 })
diff --git a/test/proto.js b/test/proto.js
new file mode 100644
index 0000000..ab35533
--- /dev/null
+++ b/test/proto.js
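Review bot: The new `__proto__` guard in the section branch still leaves `p = out[section] = out[section] || {}` resolving `section` through the prototype chain, so a section named after an inherited property such as `constructor` yields the inherited `Object` function as `p` rather than a fresh object, and the per-key assignment that follows this hunk (not shown) would then write onto that global rather than onto the parse result. The lookup should only honour own properties, e.g. `p = out[section] = Object.prototype.hasOwnProperty.call(out, section) ? out[section] : {}`, or `out` should be created with `Object.create(null)` where it is initialised (outside this hunk). The `// not allowed` comment would also read better stating the reason: `// a section named __proto__ would reassign the prototype of out; parse it into a detached object instead`. decode's body continues outside the hunk.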
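Review bot: The added `if (key === '__proto__') return` sits inside the `[]`-suffix branch only, so a plain `__proto__ = value` line never hits it and reaches the ordinary assignment after this hunk; that looks safe only because the `__proto__` setter ignores string values, and if the value conversion (outside this hunk) turns the literal `null` into a real null, the assignment would detach the section object's prototype. Hoisting the same one-line guard above the `[]` check, immediately after `key` is computed, covers both forms. The enclosing per-line callback starts and ends outside the hunk.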
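Review bot: `if (part === '__proto__') return` inside the `forEach` callback drops only that path segment and keeps descending, so `[kid.__proto__.foo]` is silently merged into `kid.foo` (the new test pins exactly this), whereas the section branch in the first hunk abandons a `__proto__` section entirely; the two guards should agree, and skipping the whole entry is the more predictable choice. The popped last segment `l`/`nl` is not checked at all, so a section name ending in `.__proto__` still reaches whatever assignment uses `nl` after this hunk; apply the same test to it before the loop, e.g. `if (nl === '__proto__') return`, assuming this runs inside a per-key callback (that code is outside the hunk and should be confirmed). The enclosing block continues outside the hunk.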
@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+ foo: 'baz',
+ other: {
+ foo: 'asdf',
+ },
+ kid: {
+ foo: {
+ foo: 'kid',
+ },
+ },
+ arrproto: {
+ hello: 'snyk',
+ thanks: true,
+ },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
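Review bot: The new test exercises the literal `__proto__` spelling only in the positions the three guards already cover; it has no input for a section whose final dotted segment is `__proto__`, for a bare `__proto__ = null` line, or for a section named after another inherited property, so a regression on any of those paths would still pass this file. Adding those lines to `data` alongside the existing ones, with the same `Object.prototype` and `Array.prototype` assertions, would pin the guards rather than just the happy path.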