ueberdb2 3.0.1 → 3.0.2
- package/CHANGELOG.md +18 -0
- package/lib/CacheAndBufferLayer.js +12 -18
- package/package.json +1 -1
- package/test/test_getSub.js +31 -0
- package/test/test_setSub.js +12 -2
package/CHANGELOG.md
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
# Notable Changes
|
|
2
2
|
|
|
3
|
+
## v3.0.2
|
|
4
|
+
|
|
5
|
+
Security fix:
|
|
6
|
+
|
|
7
|
+
* `getSub()` now returns `null` when it encounters a non-"own" property
|
|
8
|
+
(including `__proto__`) or any non-object while walking the given property
|
|
9
|
+
path. This should make it easier to avoid accidental prototype pollution
|
|
10
|
+
vulnerabilities.
|
|
11
|
+
|
|
3
12
|
## v3.0.1
|
|
4
13
|
|
|
5
14
|
Bug fixes:
|
|
@@ -33,6 +42,15 @@ Updated database dependencies:
|
|
|
33
42
|
* `postgres`: Updated `pg` to 8.7.3.
|
|
34
43
|
* `sqlite`: Updated `sqlite3` to 5.0.6.
|
|
35
44
|
|
|
45
|
+
## v2.2.4
|
|
46
|
+
|
|
47
|
+
Security fix:
|
|
48
|
+
|
|
49
|
+
* `getSub()` now returns `null` when it encounters a non-"own" property
|
|
50
|
+
(including `__proto__`) or any non-object while walking the given property
|
|
51
|
+
path. This should make it easier to avoid accidental prototype pollution
|
|
52
|
+
vulnerabilities.
|
|
53
|
+
|
|
36
54
|
## v2.2.0
|
|
37
55
|
|
|
38
56
|
Compatibility changes:
|
|
@@ -508,33 +508,27 @@ exports.Database = class {
|
|
|
508
508
|
* "bla"]
|
|
509
509
|
*/
|
|
510
510
|
async getSub(key, sub) {
|
|
511
|
-
let subvalue;
|
|
512
511
|
await this._lock(key);
|
|
513
512
|
try {
|
|
514
|
-
|
|
515
|
-
const
|
|
516
|
-
|
|
517
|
-
|
|
518
|
-
|
|
519
|
-
|
|
520
|
-
|
|
521
|
-
|
|
522
|
-
if (subvalue != null && subvalue[sub[i]] !== undefined) {
|
|
523
|
-
subvalue = subvalue[sub[i]];
|
|
524
|
-
} else {
|
|
525
|
-
// the subvalue doesn't exist, break the loop and return null
|
|
526
|
-
subvalue = null;
|
|
527
|
-
break;
|
|
513
|
+
let v = await this._getLocked(key);
|
|
514
|
+
for (const k of sub) {
|
|
515
|
+
if (typeof v !== 'object' || (v != null && !Object.prototype.hasOwnProperty.call(v, k)) ||
|
|
516
|
+
// __proto__ is not an "own" property but we check for it explicitly for added safety,
|
|
517
|
+
// to improve readability, and to help static code analysis tools rule out prototype
|
|
518
|
+
// pollution vulnerabilities.
|
|
519
|
+
k === '__proto__') {
|
|
520
|
+
v = null;
|
|
528
521
|
}
|
|
522
|
+
if (v == null) break;
|
|
523
|
+
v = v[k];
|
|
529
524
|
}
|
|
530
|
-
|
|
531
525
|
if (this.logger.isDebugEnabled()) {
|
|
532
|
-
this.logger.debug(`GETSUB - ${key}${JSON.stringify(sub)} - ${JSON.stringify(
|
|
526
|
+
this.logger.debug(`GETSUB - ${key}${JSON.stringify(sub)} - ${JSON.stringify(v)}`);
|
|
533
527
|
}
|
|
528
|
+
return clone(v);
|
|
534
529
|
} finally {
|
|
535
530
|
this._unlock(key);
|
|
536
531
|
}
|
|
537
|
-
return clone(subvalue);
|
|
538
532
|
}
|
|
539
533
|
|
|
540
534
|
/**
|
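Review bot: The walk in the new `getSub` body (new-side lines 514–523) expresses one stop rule as a four-line `if` with comments interleaved between its operands, followed by a second `if (v == null) break;`, so a reader has to merge two conditions to see when the loop exits. Folding the null test into a single guard that breaks immediately makes the rule auditable at a glance and is behaviour-preserving except when `_getLocked` yields `null`/`undefined` for a non-empty path, where it then returns the `null` the changelog documents instead of whatever `_getLocked` returned. One remaining gap: if the last path segment is an own property whose value is `undefined`, `v` leaves the loop as `undefined`, not `null`, and the new test's `== null` does not distinguish these, so either document that or normalise before `clone(v)`. Per the diffstat this hunk belongs to `package/lib/CacheAndBufferLayer.js` even though the page places it under the CHANGELOG section; the method's enclosing class starts outside the hunk.
```javascript
      let v = await this._getLocked(key);
      for (const k of sub) {
        // Stop at null/undefined, at any non-object (a string's `.length` must not be reachable),
        // at `__proto__` (never an own property, but rejected by name so the intent is explicit and
        // static analysers can rule out prototype pollution), and at inherited keys like `toString`.
        if (v == null || typeof v !== 'object' || k === '__proto__' ||
            !Object.prototype.hasOwnProperty.call(v, k)) {
          v = null;
          break;
        }
        v = v[k];
      }
      // … unchanged: debug log and `return clone(v)` …
```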
package/package.json
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const assert = require('assert').strict;
|
|
4
|
+
const ueberdb = require('../index');
|
|
5
|
+
|
|
6
|
+
describe(__filename, function () {
|
|
7
|
+
let db;
|
|
8
|
+
|
|
9
|
+
beforeEach(async function () {
|
|
10
|
+
db = new ueberdb.Database('memory', {}, {});
|
|
11
|
+
await db.init();
|
|
12
|
+
await db.set('k', {s: 'v'});
|
|
13
|
+
});
|
|
14
|
+
|
|
15
|
+
afterEach(async function () {
|
|
16
|
+
if (db != null) await db.close();
|
|
17
|
+
db = null;
|
|
18
|
+
});
|
|
19
|
+
|
|
20
|
+
it('getSub stops at non-objects', async function () {
|
|
21
|
+
assert(await db.getSub('k', ['s', 'length']) == null);
|
|
22
|
+
});
|
|
23
|
+
|
|
24
|
+
it('getSub ignores non-own properties', async function () {
|
|
25
|
+
assert(await db.getSub('k', ['toString']) == null);
|
|
26
|
+
});
|
|
27
|
+
|
|
28
|
+
it('getSub ignores __proto__', async function () {
|
|
29
|
+
assert(await db.getSub('k', ['__proto__']) == null);
|
|
30
|
+
});
|
|
31
|
+
});
|
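Review bot: The three new assertions in the `getSub` test file use loose `assert(... == null)`, which accepts `undefined` as well as the `null` the changelog promises, so a regression that returns `undefined` would go unnoticed; `assert.strictEqual(await db.getSub('k', ['s', 'length']), null)` (and likewise for the `toString` and `__proto__` cases) pins the documented value. The file also has no positive-path check, so a rewrite that broke ordinary lookups would still pass here; `assert.strictEqual(await db.getSub('k', ['s']), 'v');` in a fourth `it` would cover it. Per the diffstat this content is the new `package/test/test_getSub.js`, although the page lists it under the `package/package.json` header.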
package/test/test_setSub.js
|
@@ -4,9 +4,19 @@ const assert = require('assert').strict;
|
|
|
4
4
|
const ueberdb = require('../index');
|
|
5
5
|
|
|
6
6
|
describe(__filename, function () {
|
|
7
|
-
|
|
8
|
-
|
|
7
|
+
let db;
|
|
8
|
+
|
|
9
|
+
beforeEach(async function () {
|
|
10
|
+
db = new ueberdb.Database('memory', {}, {});
|
|
9
11
|
await db.init();
|
|
12
|
+
});
|
|
13
|
+
|
|
14
|
+
afterEach(async function () {
|
|
15
|
+
if (db != null) await db.close();
|
|
16
|
+
db = null;
|
|
17
|
+
});
|
|
18
|
+
|
|
19
|
+
it('setSub rejects __proto__', async function () {
|
|
10
20
|
await db.set('k', {});
|
|
11
21
|
await assert.rejects(db.setSub('k', ['__proto__'], 'v'));
|
|
12
22
|
});
|