@percy/config 1.30.8-beta.1 → 1.30.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/defaults.js +6 -2
  2. package/dist/utils/normalize.js +26 -0
  3. package/package.json +4 -4
package/dist/defaults.js CHANGED
@@ -1,4 +1,4 @@
1
- import { merge } from './utils/index.js';
1
+ import { merge, sanitizeObject } from './utils/index.js';
2
2
  import { getSchema } from './validate.js';
3
3
  const {
4
4
  isArray
@@ -30,7 +30,11 @@ function getDefaultsFromSchema(schema) {
30
30
  }
31
31
  }
32
32
  export function getDefaults(overrides = {}) {
33
- return merge([getDefaultsFromSchema(), overrides], (path, prev, next) => {
33
+ // We are sanitizing the overrides object to prevent prototype pollution.
34
+ // This ensures protection against attacks where a payload having Object.prototype setters
35
+ // to add or modify properties on the global prototype chain, which could lead to issues like denial of service (DoS) at a minimum.
36
+ const sanitizedOverrides = sanitizeObject(overrides);
37
+ return merge([getDefaultsFromSchema(), sanitizedOverrides], (path, prev, next) => {
34
38
  // override default array instead of merging
35
39
  return isArray(next) && [path, next];
36
40
  });
package/dist/utils/normalize.js CHANGED
@@ -1,5 +1,8 @@
1
1
  import merge from './merge.js';
2
2
  import { getSchema } from '../validate.js';
3
+ const {
4
+ isArray
5
+ } = Array;
3
6
 
4
7
  // Edge case camelizations
5
8
  const CAMELCASE_MAP = new Map([['css', 'CSS'], ['javascript', 'JavaScript'], ['dom', 'DOM']]);
@@ -7,6 +10,9 @@ const CAMELCASE_MAP = new Map([['css', 'CSS'], ['javascript', 'JavaScript'], ['d
7
10
  // Regular expression that matches words from boundaries or consecutive casing
8
11
  const WORD_REG = /[a-z]{2,}|[A-Z]{2,}|[0-9]{2,}|[^-_\s]+?(?=[A-Z0-9-_\s]|$)/g;
9
12
 
13
+ // Unsafe keys list
14
+ const UNSAFE_KEYS = ['__proto__', 'constructor', 'prototype', 'toString', 'valueOf', '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__'];
15
+
10
16
  // Converts kebab-cased and snake_cased strings to camelCase.
11
17
  export function camelcase(str) {
12
18
  if (typeof str !== 'string') return str;
@@ -53,4 +59,24 @@ export function normalize(object, options) {
53
59
  return [mapped];
54
60
  });
55
61
  }
62
+
63
+ // Utility function to prevent prototype pollution
64
+ export function isSafeKey(key) {
65
+ return !UNSAFE_KEYS.includes(key);
66
+ }
67
+ export function sanitizeObject(obj) {
68
+ if (!obj || typeof obj !== 'object' || isArray(obj)) {
69
+ return obj;
70
+ }
71
+ if (obj instanceof RegExp) {
72
+ return obj;
73
+ }
74
+ const sanitized = {};
75
+ for (const key in obj) {
76
+ if (isSafeKey(key)) {
77
+ sanitized[key] = sanitizeObject(obj[key]);
78
+ }
79
+ }
80
+ return sanitized;
81
+ }
56
82
  export default normalize;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@percy/config",
3
- "version": "1.30.8-beta.1",
3
+ "version": "1.30.8",
4
4
  "license": "MIT",
5
5
  "repository": {
6
6
  "type": "git",
@@ -9,7 +9,7 @@
9
9
  },
10
10
  "publishConfig": {
11
11
  "access": "public",
12
- "tag": "beta"
12
+ "tag": "latest"
13
13
  },
14
14
  "engines": {
15
15
  "node": ">=14"
@@ -38,7 +38,7 @@
38
38
  "test:types": "tsd"
39
39
  },
40
40
  "dependencies": {
41
- "@percy/logger": "1.30.8-beta.1",
41
+ "@percy/logger": "1.30.8",
42
42
  "ajv": "^8.6.2",
43
43
  "cosmiconfig": "^8.0.0",
44
44
  "yaml": "^2.0.0"
@@ -46,5 +46,5 @@
46
46
  "devDependencies": {
47
47
  "json-schema-typed": "^7.0.3"
48
48
  },
49
- "gitHead": "db04f87e6074b48cc3940ccffbefe59407016cf6"
49
+ "gitHead": "daa3c96d70488a49671e48427c9b363c68876935"
50
50
  }