npm - @percy/config - Versions diffs - 1.31.0-alpha.3 → 1.31.0 - Mend

@percy/config 1.31.0-alpha.3 → 1.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/defaults.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { merge } from './utils/index.js';
+import { merge, sanitizeObject } from './utils/index.js';
 import { getSchema } from './validate.js';
 const {
   isArray
@@ -30,7 +30,11 @@ function getDefaultsFromSchema(schema) {
   }
 }
 export function getDefaults(overrides = {}) {
-  return merge([getDefaultsFromSchema(), overrides], (path, prev, next) => {
+  // We are sanitizing the overrides object to prevent prototype pollution.
+  // This ensures protection against attacks where a payload having Object.prototype setters
+  // to add or modify properties on the global prototype chain, which could lead to issues like denial of service (DoS) at a minimum.
+  const sanitizedOverrides = sanitizeObject(overrides);
+  return merge([getDefaultsFromSchema(), sanitizedOverrides], (path, prev, next) => {
     // override default array instead of merging
     return isArray(next) && [path, next];
   });

package/dist/utils/normalize.js CHANGED Viewed

@@ -1,5 +1,8 @@
 import merge from './merge.js';
 import { getSchema } from '../validate.js';
+const {
+  isArray
+} = Array;
 // Edge case camelizations
 const CAMELCASE_MAP = new Map([['css', 'CSS'], ['javascript', 'JavaScript'], ['dom', 'DOM']]);
@@ -7,6 +10,9 @@ const CAMELCASE_MAP = new Map([['css', 'CSS'], ['javascript', 'JavaScript'], ['d
 // Regular expression that matches words from boundaries or consecutive casing
 const WORD_REG = /[a-z]{2,}|[A-Z]{2,}|[0-9]{2,}|[^-_\s]+?(?=[A-Z0-9-_\s]|$)/g;
+// Unsafe keys list
+const UNSAFE_KEYS = ['__proto__', 'constructor', 'prototype', 'toString', 'valueOf', '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__'];
 // Converts kebab-cased and snake_cased strings to camelCase.
 export function camelcase(str) {
   if (typeof str !== 'string') return str;
@@ -53,4 +59,24 @@ export function normalize(object, options) {
     return [mapped];
   });
 }
+// Utility function to prevent prototype pollution
+export function isSafeKey(key) {
+  return !UNSAFE_KEYS.includes(key);
+}
+export function sanitizeObject(obj) {
+  if (!obj || typeof obj !== 'object' || isArray(obj)) {
+    return obj;
+  }
+  if (obj instanceof RegExp) {
+    return obj;
+  }
+  const sanitized = {};
+  for (const key in obj) {
+    if (isSafeKey(key)) {
+      sanitized[key] = sanitizeObject(obj[key]);
+    }
+  }
+  return sanitized;
+}
 export default normalize;

package/dist/validate.js CHANGED Viewed

@@ -65,6 +65,20 @@ const ajv = new AJV({
         });
       }
     }
+  }, {
+    keyword: 'onlyWeb',
+    error: {
+      message: 'property only valid with Web integration.'
+    },
+    code: cxt => {
+      const tokenPrefix = (process.env.PERCY_TOKEN || '').split('_')[0];
+      const isNotWebProjectToken = tokenPrefix === 'auto' || tokenPrefix === 'app';
+      // we do validation only when token is passed
+      if (!!process.env.PERCY_TOKEN && isNotWebProjectToken) {
+        cxt.error();
+      }
+    }
   }]
 });
@@ -184,8 +198,8 @@ function shouldHideError(key, path, error) {
 // Validates data according to the associated schema and returns a list of errors, if any.
 export function validate(data, key = '/config') {
+  let errors = new Map();
   if (!ajv.validate(key, data)) {
-    let errors = new Map();
     for (let error of ajv.errors) {
       var _parentSchema$errors2;
       let {
@@ -242,12 +256,72 @@ export function validate(data, key = '/config') {
         message
       });
     }
     // filter empty values as a result of scrubbing
     filterEmpty(data);
-    // return an array of errors
-    return Array.from(errors.values());
   }
+  if (data.regions && Array.isArray(data.regions)) {
+    data.regions.forEach((region, index) => {
+      /* istanbul ignore next */
+      if (region.elementSelector) {
+        const selectorKeys = ['elementCSS', 'elementXpath', 'boundingBox'];
+        const providedKeys = selectorKeys.filter(key => region.elementSelector[key] !== undefined);
+        if (providedKeys.length !== 1) {
+          const pathStr = `regions[${index}].elementSelector`;
+          errors.set(pathStr, {
+            path: pathStr,
+            message: "Exactly one of 'elementCSS', 'elementXpath', or 'boundingBox' must be provided."
+          });
+          delete data.regions[index];
+        }
+      } else {
+        if (region.algorithm === 'ignore') {
+          const pathStr = `regions[${index}].elementSelector`;
+          errors.set(pathStr, {
+            path: pathStr,
+            message: "'elementSelector' is required when algorithm is 'ignore'."
+          });
+          delete data.regions[index];
+        }
+      }
+      const algorithmType = region.algorithm;
+      const hasConfiguration = region.configuration !== undefined;
+      if (algorithmType === 'layout' || algorithmType === 'ignore') {
+        if (hasConfiguration) {
+          const pathStr = `regions[${index}].configuration`;
+          errors.set(pathStr, {
+            path: pathStr,
+            message: `Configuration is not applicable for '${algorithmType}' algorithm`
+          });
+          delete data.regions[index];
+        }
+      }
+      if ((algorithmType === 'standard' || algorithmType === 'intelliignore') && !hasConfiguration) {
+        const pathStr = `regions[${index}]`;
+        errors.set(pathStr, {
+          path: pathStr,
+          message: `Configuration is recommended for '${algorithmType}' algorithm`
+        });
+      }
+    });
+  }
+  if (data.algorithmConfiguration) {
+    const pathStr = 'algorithmConfiguration';
+    const algorithmType = data.algorithm;
+    if (!algorithmType) {
+      errors.set(pathStr, {
+        path: pathStr,
+        message: 'algorithmConfiguration needs algorigthm to be passed'
+      });
+    }
+    const nonAlgoConfigTypes = ['layout'];
+    if (nonAlgoConfigTypes.includes(algorithmType)) {
+      errors.set(pathStr, {
+        path: pathStr,
+        message: `algorithmConfiguration is not applicable for '${algorithmType}' algorithm`
+      });
+    }
+  }
+  const errorArray = Array.from(errors.values());
+  return errorArray.length > 0 ? errorArray : undefined;
 }
 export default validate;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@percy/config",
-  "version": "1.31.0-alpha.3",
+  "version": "1.31.0",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -9,7 +9,7 @@
   },
   "publishConfig": {
     "access": "public",
-    "tag": "alpha"
+    "tag": "latest"
   },
   "engines": {
     "node": ">=14"
@@ -38,7 +38,7 @@
     "test:types": "tsd"
   },
   "dependencies": {
-    "@percy/logger": "1.31.0-alpha.3",
+    "@percy/logger": "1.31.0",
     "ajv": "^8.6.2",
     "cosmiconfig": "^8.0.0",
     "yaml": "^2.0.0"
@@ -46,5 +46,5 @@
   "devDependencies": {
     "json-schema-typed": "^7.0.3"
   },
-  "gitHead": "14ae0b4319c1c2ae28729d56cba3b159e80386a8"
+  "gitHead": "49895470c0dfa7242881db43e293317d1fb8f8b6"
 }