Merge pull request #60 from deleonio/fix/vulnerability-prototype-pollution

Fix Vulnerability - Ready

Author: keithamus

.gitignore

@@ -16,6 +16,7 @@ components
 node_modules
 npm-debug.log
 
+.nyc_output/
 coverage/
 
 pathval.js

.travis.yml

@@ -10,10 +10,10 @@ cache:
     - node_modules
 
 node_js:
-   - 0.10 # to be removed 2016-10-01
-   - 0.12 # to be removed 2016-12-31
-   - 4 # to be removed 2018-04-01
-   - 6 # to be removed 2019-04-01
+  #  - 0.10 # to be removed 2016-10-01
+  #  - 0.12 # to be removed 2016-12-31
+  #  - 4 # to be removed 2018-04-01
+  #  - 6 # to be removed 2019-04-01
    - lts/* # safety net; don't remove
    - node # safety net; don't remove
 

index.js

@@ -76,13 +76,20 @@ function parsePath(path) {
   var str = path.replace(/([^\\])\[/g, '$1.[');
   var parts = str.match(/(\\\.|[^.]+?)+/g);
   return parts.map(function mapMatches(value) {
+    if (
+      value === 'constructor' ||
+      value === '__proto__' ||
+      value === 'prototype'
+    ) {
+      return {};
+    }
     var regexp = /^\[(\d+)\]$/;
     var mArr = regexp.exec(value);
     var parsed = null;
     if (mArr) {
       parsed = { i: parseFloat(mArr[1]) };
     } else {
-      parsed = { p: value.replace(/\\([.\[\]])/g, '$1') };
+      parsed = { p: value.replace(/\\([.[\]])/g, '$1') };
     }
 
     return parsed;
@@ -107,7 +114,7 @@ function parsePath(path) {
 function internalGetPathValue(obj, parsed, pathDepth) {
   var temporaryValue = obj;
   var res = null;
-  pathDepth = (typeof pathDepth === 'undefined' ? parsed.length : pathDepth);
+  pathDepth = typeof pathDepth === 'undefined' ? parsed.length : pathDepth;
 
   for (var i = 0; i < pathDepth; i++) {
     var part = parsed[i];
@@ -118,7 +125,7 @@ function internalGetPathValue(obj, parsed, pathDepth) {
         temporaryValue = temporaryValue[part.p];
       }
 
-      if (i === (pathDepth - 1)) {
+      if (i === pathDepth - 1) {
         res = temporaryValue;
       }
     }
@@ -152,7 +159,7 @@ function internalSetPathValue(obj, val, parsed) {
     part = parsed[i];
 
     // If it's the last part of the path, we set the 'propName' value with the property name
-    if (i === (pathDepth - 1)) {
+    if (i === pathDepth - 1) {
       propName = typeof part.p === 'undefined' ? part.i : part.p;
       // Now we set the property with the name held by 'propName' on object with the desired val
       tempObj[propName] = val;
@@ -199,7 +206,10 @@ function getPathInfo(obj, path) {
   var parsed = parsePath(path);
   var last = parsed[parsed.length - 1];
   var info = {
-    parent: parsed.length > 1 ? internalGetPathValue(obj, parsed, parsed.length - 1) : obj,
+    parent:
+      parsed.length > 1 ?
+        internalGetPathValue(obj, parsed, parsed.length - 1) :
+        obj,
     name: last.p || last.i,
     value: internalGetPathValue(obj, parsed),
   };

karma.conf.js

@@ -1,11 +1,12 @@
+/* eslint no-process-env: "off" */
+
 'use strict';
+
 var packageJson = require('./package.json');
 var defaultTimeout = 120000;
 var browserifyIstanbul = require('browserify-istanbul');
 module.exports = function configureKarma(config) {
-  var localBrowsers = [
-    'PhantomJS',
-  ];
+  var localBrowsers = [ 'PhantomJS' ];
   var sauceLabsBrowsers = {
     SauceChromeLatest: {
       base: 'SauceLabs',
@@ -41,7 +42,9 @@ module.exports = function configureKarma(config) {
   config.set({
     basePath: '',
     browsers: localBrowsers,
-    logLevel: process.env.npm_config_debug ? config.LOG_DEBUG : config.LOG_INFO,
+    logLevel: process.env.npm_config_debug ?
+      config.LOG_DEBUG :
+      config.LOG_INFO,
     frameworks: [ 'browserify', 'mocha' ],
     files: [ 'test/*.js' ],
     exclude: [],
@@ -51,9 +54,7 @@ module.exports = function configureKarma(config) {
     browserify: {
       debug: true,
       bare: true,
-      transform: [
-        browserifyIstanbul({ ignore: [ '**/node_modules/**', '**/test/**' ] }),
-      ],
+      transform: [ browserifyIstanbul({ ignore: [ '**/node_modules/**', '**/test/**' ] }) ],
     },
     reporters: [ 'progress', 'coverage' ],
     coverageReporter: {
@@ -82,14 +83,11 @@ module.exports = function configureKarma(config) {
       browsers: localBrowsers.concat(Object.keys(sauceLabsBrowsers)),
       sauceLabs: {
         testName: packageJson.name,
-        tunnelIdentifier: process.env.TRAVIS_JOB_NUMBER || new Date().getTime(),
+        tunnelIdentifier:
+          process.env.TRAVIS_JOB_NUMBER || new Date().getTime(),
         recordVideo: true,
-        startConnect: ('TRAVIS' in process.env) === false,
-        tags: [
-          'pathval_' + packageJson.version,
-          process.env.SAUCE_USERNAME + '@' + branch,
-          build,
-        ],
+        startConnect: 'TRAVIS' in process.env === false,
+        tags: [ 'pathval_' + packageJson.version, process.env.SAUCE_USERNAME + '@' + branch, build ],
       },
     });
   }