@mikro-orm/core 7.0.0-dev.128 → 7.0.0-dev.129
- package/errors.d.ts +1 -0
- package/errors.js +3 -0
- package/metadata/MetadataValidator.d.ts +9 -0
- package/metadata/MetadataValidator.js +28 -0
- package/package.json +1 -1
- package/utils/Utils.js +1 -1
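--- a/package/errors.d.ts
+++ b/package/errors.d.ts
@@ -62,6 +62,7 @@ export declare class MetadataError<T extends AnyEntity = AnyEntity> extends Vali
 static nonPersistentCompositeProp(meta: EntityMetadata, prop: EntityProperty): MetadataError<Partial<any>>;
 static propertyTargetsEntityType(meta: EntityMetadata, prop: EntityProperty, target: EntityMetadata): MetadataError<Partial<any>>;
 static fromMissingOption(meta: EntityMetadata, prop: EntityProperty, option: string): MetadataError<Partial<any>>;
+static dangerousPropertyName(meta: EntityMetadata, prop: EntityProperty): MetadataError<Partial<any>>;
 private static fromMessage;
 }
 export declare class NotFoundError<T extends AnyEntity = AnyEntity> extends ValidationError<T> {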
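--- a/package/errors.js
+++ b/package/errors.js
@@ -213,6 +213,9 @@ export class MetadataError extends ValidationError {
 static fromMissingOption(meta, prop, option) {
 return this.fromMessage(meta, prop, `is missing '${option}' option`);
 }
+static dangerousPropertyName(meta, prop) {
+return this.fromMessage(meta, prop, `uses a dangerous property name '${prop.name}' which could lead to prototype pollution. Please use a different property name.`);
+}
 static fromMessage(meta, prop, message) {
 return new MetadataError(`${meta.className}.${prop.name} ${message}`);
 }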
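Review bot: The message built in `dangerousPropertyName` repeats the property name that `fromMessage` already prefixes, so the thrown error reads like `User.__proto__ uses a dangerous property name '__proto__' ...`, and it is the only message in this class written as full sentences with a trailing period, unlike the fragment style of `fromMissingOption` directly above. Suggest `return this.fromMessage(meta, prop, 'is a reserved property name that could lead to prototype pollution, use a different property name');` so the wording matches its siblings and names the property once. The `MetadataError` class begins and ends outside the hunk.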
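--- a/package/metadata/MetadataValidator.d.ts
+++ b/package/metadata/MetadataValidator.d.ts
@@ -14,4 +14,13 @@ export declare class MetadataValidator {
 private validateIndexes;
 private validateDuplicateFieldNames;
 private validateVersionField;
+/**
+* Validates that entity properties do not use dangerous names that could lead to
+* prototype pollution vulnerabilities. This validation ensures that property names
+* cannot be exploited to modify object prototypes when values are assigned during
+* entity hydration or persistence operations.
+*
+* @internal
+*/
+private validatePropertyNames;
 }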
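--- a/package/metadata/MetadataValidator.js
+++ b/package/metadata/MetadataValidator.js
@@ -1,6 +1,18 @@
 import { Utils } from '../utils/Utils.js';
 import { MetadataError } from '../errors.js';
 import { ReferenceKind } from '../enums.js';
+/**
+* List of property names that could lead to prototype pollution vulnerabilities.
+* These names should never be used as entity property names because they could
+* allow malicious code to modify object prototypes when property values are assigned.
+*
+* - `__proto__`: Could modify the prototype chain
+* - `constructor`: Could modify the constructor property
+* - `prototype`: Could modify the prototype object
+*
+* @internal
+*/
+const DANGEROUS_PROPERTY_NAMES = ['__proto__', 'constructor', 'prototype'];
 /**
 * @internal
 */
@@ -26,6 +38,7 @@ export class MetadataValidator {
 this.validateDuplicateFieldNames(meta, options);
 this.validateIndexes(meta, meta.indexes ?? [], 'index');
 this.validateIndexes(meta, meta.uniques ?? [], 'unique');
+this.validatePropertyNames(meta);
 for (const prop of Utils.values(meta.properties)) {
 if (prop.kind !== ReferenceKind.SCALAR) {
 this.validateReference(meta, prop, options);
@@ -193,4 +206,19 @@ export class MetadataValidator {
 throw MetadataError.invalidVersionFieldType(meta);
 }
 }
+/**
+* Validates that entity properties do not use dangerous names that could lead to
+* prototype pollution vulnerabilities. This validation ensures that property names
+* cannot be exploited to modify object prototypes when values are assigned during
+* entity hydration or persistence operations.
+*
+* @internal
+*/
+validatePropertyNames(meta) {
+for (const prop of Utils.values(meta.properties)) {
+if (DANGEROUS_PROPERTY_NAMES.includes(prop.name)) {
+throw MetadataError.dangerousPropertyName(meta, prop);
+}
+}
+}
 }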
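Review bot: `validatePropertyNames` in the last hunk can only reject a `__proto__` property if `meta.properties` actually holds an own entry under that key, and that depends on how the map is populated outside this file — if it is a plain object filled by `meta.properties[name] = prop`, a `__proto__` assignment rewires the map's prototype instead of adding an entry, so `Utils.values(meta.properties)` would never yield it and the guard would silently pass while the metadata map itself was already polluted. This change should therefore come with a test that defines an entity with each of the three names and asserts `MetadataError.dangerousPropertyName` is thrown, and a comment on `DANGEROUS_PROPERTY_NAMES` noting that the check presumes the metadata map preserves these keys (e.g. is created with `Object.create(null)` or a `Map`). As a smaller point, the list is a mutable array consulted with a linear `includes`; `const DANGEROUS_PROPERTY_NAMES = new Set(['__proto__', 'constructor', 'prototype']);` with `DANGEROUS_PROPERTY_NAMES.has(prop.name)` is both immutable-by-intent and the idiomatic lookup. The validation method that calls `validatePropertyNames` starts before the middle hunk and already iterates `Utils.values(meta.properties)` on the next line, so the new check could also be folded into that existing loop.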
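--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@mikro-orm/core",
 "type": "module",
-"version": "7.0.0-dev.
+"version": "7.0.0-dev.129",
 "description": "TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript.",
 "exports": {
 "./package.json": "./package.json",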
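--- a/package/utils/Utils.js
+++ b/package/utils/Utils.js
@@ -123,7 +123,7 @@ export function parseJsonSafe(value) {
 }
 export class Utils {
 static PK_SEPARATOR = '~~~';
-static #ORM_VERSION = '7.0.0-dev.
+static #ORM_VERSION = '7.0.0-dev.129';
 /**
 * Checks if the argument is instance of `Object`. Returns false for arrays.
 */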