ueberdb2 2.1.0 → 2.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/lib/CacheAndBufferLayer.js +3 -0
- package/package.json +1 -1
- package/test/test_setSub.js +14 -0
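--- a/package/lib/CacheAndBufferLayer.js
+++ b/package/lib/CacheAndBufferLayer.js
@@ -419,6 +419,9 @@ exports.Database = class {
 // Emulate a pointer to the property that should be set to `value`.
 const ptr = {obj: base, prop: 'fullValue'};
 for (let i = 0; i < sub.length; i++) {
+if (sub[i] === '__proto__') {
+throw new Error('Modifying object prototype is not supported for security reasons');
+}
 let o = ptr.obj[ptr.prop];
 if (o == null) ptr.obj[ptr.prop] = o = {};
 // If o is a primitive (string, number, etc.), then setting `o.foo` has no effect because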
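Review bot: The new guard in the `for` loop rejects only the literal key `'__proto__'`, but the same walk over `sub` can still reach a shared prototype through a `'constructor'` segment followed by `'prototype'`, since `ptr.obj[ptr.prop]` is read without an own-property check. The usual hardening is to reject all three reserved segments at the same spot: `if (sub[i] === '__proto__' || sub[i] === 'constructor' || sub[i] === 'prototype') {`, keeping the existing error message. A short comment above the check, such as `// Refuse path segments that would walk onto a shared prototype instead of the stored value.`, would make the intent clear to later maintainers. The enclosing setSub method begins and ends outside this hunk, so whether `sub` is validated earlier (for example as an array of strings) cannot be confirmed from here.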
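--- a/package/test/test_setSub.js
+++ b/package/test/test_setSub.js
@@ -0,0 +1,14 @@
+'use strict';
+
+const assert = require('assert').strict;
+const ueberdb = require('../index');
+const util = require('util');
+
+describe(__filename, function () {
+it('setSub rejects __proto__', async function () {
+const db = new ueberdb.Database('memory', {}, {});
+await util.promisify(db.init).call(db);
+await util.promisify(db.set).call(db, 'k', {});
+await assert.rejects(util.promisify(db.setSub).call(db, 'k', ['__proto__'], 'v'));
+});
+});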
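Review bot: The new test only exercises `'__proto__'` as the first path segment, so it would not catch a regression where the check is moved out of the loop and only the head of `sub` is inspected. Adding a nested case in the same `it` block, `await assert.rejects(util.promisify(db.setSub).call(db, 'k', ['a', '__proto__'], 'v'));`, pins the per-segment behaviour the production code intends. It is also worth asserting afterwards that the stored record is unchanged, for example by reading `'k'` back and comparing it with `{}`, so the test verifies the rejection left no partial write. The `db` created here is never closed; if the memory backend holds resources, a close call at the end of the test (or in an `after` hook) would avoid leaking it across the suite.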