typebox 1.1.36 → 1.1.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/build/guard/guard.d.mts +3 -1
  2. package/build/guard/guard.mjs +6 -3
  3. package/build/schema/pointer/pointer.mjs +11 -1
  4. package/build/value/clone/clone.mjs +4 -3
  5. package/build/value/delta/diff.mjs +6 -0
  6. package/build/value/mutate/from_object.mjs +13 -0
  7. package/package.json +1 -1
package/build/guard/guard.d.mts CHANGED
@@ -49,6 +49,8 @@ export declare function Every<T>(value: T[], offset: number, callback: (value: T
49
49
  export declare function EveryAll<T>(value: T[], offset: number, callback: (value: T, index: number) => boolean): boolean;
50
50
  /** Takes the left-most element from an array and dispatches to the true arm, or the false arm if empty */
51
51
  export declare function TakeLeft<T, True extends (left: T, right: T[]) => unknown, False extends () => unknown>(array: T[], true_: True, false_: False): ReturnType<True> | ReturnType<False>;
52
+ /** Returns true if the PropertyKey is Unsafe (ref: prototype-pollution). */
53
+ export declare function IsUnsafePropertyKey(key: PropertyKey): boolean;
52
54
  /** Returns true if this value has this property key */
53
55
  export declare function HasPropertyKey<Key extends PropertyKey>(value: object, key: Key): value is {
54
56
  [_ in Key]: unknown;
@@ -57,7 +59,7 @@ export declare function HasPropertyKey<Key extends PropertyKey>(value: object, k
57
59
  export declare function EntriesRegExp<Value extends unknown = unknown>(value: Record<PropertyKey, Value>): [RegExp, Value][];
58
60
  /** Returns object entries as `[string, Value][]` */
59
61
  export declare function Entries<Value extends unknown = unknown>(value: Record<PropertyKey, Value>): [string, Value][];
60
- /** Returns the property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
62
+ /** Returns property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
61
63
  export declare function Keys(value: Record<PropertyKey, unknown>): string[];
62
64
  /** Returns the property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
63
65
  export declare function Symbols(value: Record<PropertyKey, unknown>): symbol[];
package/build/guard/guard.mjs CHANGED
@@ -169,10 +169,13 @@ export function TakeLeft(array, true_, false_) {
169
169
  // --------------------------------------------------------------------------
170
170
  // Object
171
171
  // --------------------------------------------------------------------------
172
+ /** Returns true if the PropertyKey is Unsafe (ref: prototype-pollution). */
173
+ export function IsUnsafePropertyKey(key) {
174
+ return IsEqual(key, '__proto__') || IsEqual(key, 'constructor') || IsEqual(key, 'prototype');
175
+ }
172
176
  /** Returns true if this value has this property key */
173
177
  export function HasPropertyKey(value, key) {
174
- const isProtoField = IsEqual(key, '__proto__') || IsEqual(key, 'constructor');
175
- return isProtoField ? Object.prototype.hasOwnProperty.call(value, key) : key in value;
178
+ return IsUnsafePropertyKey(key) ? Object.prototype.hasOwnProperty.call(value, key) : key in value;
176
179
  }
177
180
  /** Returns object entries as `[RegExp, Value][]` */
178
181
  export function EntriesRegExp(value) {
@@ -182,7 +185,7 @@ export function EntriesRegExp(value) {
182
185
  export function Entries(value) {
183
186
  return Object.entries(value);
184
187
  }
185
- /** Returns the property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
188
+ /** Returns property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
186
189
  export function Keys(value) {
187
190
  return Object.getOwnPropertyNames(value);
188
191
  }
package/build/schema/pointer/pointer.mjs CHANGED
@@ -11,6 +11,14 @@ function AssertCanSet(value) {
11
11
  if (!Guard.IsObject(value))
12
12
  throw Error('Cannot set value');
13
13
  }
14
+ function AssertIndex(index) {
15
+ if (Guard.IsUnsafePropertyKey(index))
16
+ throw Error('Pointer contains unsafe property key');
17
+ }
18
+ function AssertIndices(indices) {
19
+ for (const index of indices)
20
+ AssertIndex(index);
21
+ }
14
22
  // ------------------------------------------------------------------
15
23
  // Indices
16
24
  // ------------------------------------------------------------------
@@ -27,7 +35,7 @@ function HasIndex(index, value) {
27
35
  return Guard.IsObject(value) && Guard.HasPropertyKey(value, index);
28
36
  }
29
37
  function GetIndex(index, value) {
30
- return Guard.IsObject(value) ? value[index] : undefined;
38
+ return Guard.IsObject(value) && !Guard.IsUnsafePropertyKey(index) ? value[index] : undefined;
31
39
  }
32
40
  function GetIndices(indices, value) {
33
41
  return indices.reduce((value, index) => GetIndex(index, value), value);
@@ -70,6 +78,7 @@ export function Get(value, pointer) {
70
78
  export function Set(value, pointer, next) {
71
79
  const indices = Indices(pointer);
72
80
  AssertNotRoot(indices);
81
+ AssertIndices(indices);
73
82
  const [head, index] = TakeIndexRight(indices);
74
83
  const parent = GetIndices(head, value);
75
84
  AssertCanSet(parent);
@@ -83,6 +92,7 @@ export function Set(value, pointer, next) {
83
92
  export function Delete(value, pointer) {
84
93
  const indices = Indices(pointer);
85
94
  AssertNotRoot(indices);
95
+ AssertIndices(indices);
86
96
  const [head, index] = TakeIndexRight(indices);
87
97
  const parent = GetIndices(head, value);
88
98
  AssertCanSet(parent);
package/build/value/clone/clone.mjs CHANGED
@@ -18,15 +18,16 @@ function FromClassInstance(value) {
18
18
  // ------------------------------------------------------------------
19
19
  function FromObjectInstance(value) {
20
20
  const result = {};
21
- for (const key of Object.getOwnPropertyNames(value)) {
21
+ for (const key of Guard.Keys(value)) {
22
+ if (Guard.IsUnsafePropertyKey(key))
23
+ continue; // (ignore: prototype-pollution)
22
24
  result[key] = Clone(value[key]);
23
25
  }
24
- for (const key of Object.getOwnPropertySymbols(value)) {
26
+ for (const key of Guard.Symbols(value)) {
25
27
  result[key] = Clone(value[key]);
26
28
  }
27
29
  return result;
28
30
  }
29
- Object.create({});
30
31
  // ------------------------------------------------------------------
31
32
  // Object
32
33
  // ------------------------------------------------------------------
package/build/value/delta/diff.mjs CHANGED
@@ -37,6 +37,8 @@ function* FromObject(path, left, right) {
37
37
  for (const key of rightKeys) {
38
38
  if (Guard.HasPropertyKey(left, key))
39
39
  continue;
40
+ if (Guard.IsUnsafePropertyKey(key))
41
+ continue;
40
42
  yield CreateInsert(`${path}/${key}`, right[key]);
41
43
  }
42
44
  // ----------------------------------------------------------------
@@ -45,6 +47,8 @@ function* FromObject(path, left, right) {
45
47
  for (const key of leftKeys) {
46
48
  if (!Guard.HasPropertyKey(right, key))
47
49
  continue;
50
+ if (Guard.IsUnsafePropertyKey(key))
51
+ continue;
48
52
  if (Equal(left, right))
49
53
  continue;
50
54
  yield* FromValue(`${path}/${key}`, left[key], right[key]);
@@ -55,6 +59,8 @@ function* FromObject(path, left, right) {
55
59
  for (const key of leftKeys) {
56
60
  if (Guard.HasPropertyKey(right, key))
57
61
  continue;
62
+ if (Guard.IsUnsafePropertyKey(key))
63
+ continue;
58
64
  yield CreateDelete(`${path}/${key}`);
59
65
  }
60
66
  }
package/build/value/mutate/from_object.mjs CHANGED
@@ -3,6 +3,16 @@ import { Guard } from '../../guard/index.mjs';
3
3
  import { Pointer } from '../pointer/index.mjs';
4
4
  import { Clone } from '../clone/index.mjs';
5
5
  import { FromValue } from './from_value.mjs';
6
+ // ------------------------------------------------------------------
7
+ // AssertKey
8
+ // ------------------------------------------------------------------
9
+ function AssertKey(key) {
10
+ if (Guard.IsUnsafePropertyKey(key))
11
+ throw Error('Attempted to Mutate with unsafe property key');
12
+ }
13
+ // ------------------------------------------------------------------
14
+ // AssertKey
15
+ // ------------------------------------------------------------------
6
16
  export function FromObject(root, path, current, next) {
7
17
  if (!Guard.IsObjectNotArray(current)) {
8
18
  Pointer.Set(root, path, Clone(next));
@@ -11,16 +21,19 @@ export function FromObject(root, path, current, next) {
11
21
  const currentKeys = Guard.Keys(current);
12
22
  const nextKeys = Guard.Keys(next);
13
23
  for (const currentKey of currentKeys) {
24
+ AssertKey(currentKey);
14
25
  if (!nextKeys.includes(currentKey)) {
15
26
  delete current[currentKey];
16
27
  }
17
28
  }
18
29
  for (const nextKey of nextKeys) {
30
+ AssertKey(nextKey);
19
31
  if (!currentKeys.includes(nextKey)) {
20
32
  current[nextKey] = next[nextKey];
21
33
  }
22
34
  }
23
35
  for (const nextKey of nextKeys) {
36
+ AssertKey(nextKey);
24
37
  FromValue(root, `${path}/${nextKey}`, current[nextKey], next[nextKey]);
25
38
  }
26
39
  }
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "typebox",
3
3
  "description": "Json Schema Type Builder with Static Type Resolution for TypeScript",
4
- "version": "1.1.36",
4
+ "version": "1.1.37",
5
5
  "keywords": [
6
6
  "typescript",
7
7
  "jsonschema"