--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-object-path is vulnerable to prototye pollution (CVE-2021-23434 and
CVE-2021-3805
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed with these patches, including new checks
[ Risks ]
Low risk, package is not really different than the one pushed to
unstable (only doc differs).
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Better checks
[ Other info ]
Note that we could upload a 0.11.8-1~deb11u1: there is no differences
except a documentation update. If you agree, I prefer this way.
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index f1e6929..ce9339e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-object-path (0.11.5-3+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: CVE-2021-23434)
+ * Fix prototype pollution (Closes: CVE-2021-3805)
+
+ -- Yadd <y...@debian.org> Fri, 17 Sep 2021 18:38:10 +0200
+
node-object-path (0.11.5-3) unstable; urgency=medium
* Team upload
diff --git a/debian/gbp.conf b/debian/gbp.conf
index b713356..e11bcb5 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,6 @@
[DEFAULT]
pristine-tar = True
+debian-branch = bullseye
[import-orig]
filter = [ '.gitignore', '.travis.yml', '.git*' ]
diff --git a/debian/patches/CVE-2021-23434.patch
b/debian/patches/CVE-2021-23434.patch
new file mode 100644
index 0000000..8d08d2e
--- /dev/null
+++ b/debian/patches/CVE-2021-23434.patch
@@ -0,0 +1,67 @@
+Description: Fix prototype pollution when path components are not strings
+Author: Mario Casciaro <mariocasci...@gmail.com
+Origin: upstream, https://github.com/mariocasciaro/object-path/commit/7bdf4abef
+Bug: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-09-17
+
+--- a/index.js
++++ b/index.js
+@@ -111,6 +111,9 @@
+ return set(obj, path.split('.').map(getKey), value, doNotReplace);
+ }
+ var currentPath = path[0];
++ if (typeof currentPath !== 'string' && typeof currentPath !== 'number')
{
++ currentPath = String(currentPath)
++ }
+ var currentValue = getShallowProperty(obj, currentPath);
+ if (options.includeInheritedProps && (currentPath === '__proto__' ||
+ (currentPath === 'constructor' && typeof currentValue ===
'function'))) {
+--- a/test.js
++++ b/test.js
+@@ -241,12 +241,18 @@
+ objectPath.set({}, '__proto__.injected', 'this is bad')
+ expect(Object.prototype.injected).to.be.undefined
+
++ objectPath.set({}, [['__proto__'], 'injected'], 'this is bad')
++ expect(Object.prototype.injected).to.be.undefined
++
+ function Clazz() {}
+ Clazz.prototype.test = 'original'
+
+ objectPath.set(new Clazz(), '__proto__.test', 'this is bad')
+ expect(Clazz.prototype.test).to.be.equal('original')
+
++ objectPath.set(new Clazz(), [['__proto__'], 'test'], 'this is bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++
+ objectPath.set(new Clazz(), 'constructor.prototype.test', 'this is bad')
+ expect(Clazz.prototype.test).to.be.equal('original')
+ })
+@@ -256,6 +262,11 @@
+ .to.throw('For security reasons')
+ expect(Object.prototype.injected).to.be.undefined
+
++ expect(function() {
++ objectPath.withInheritedProps.set({}, [['__proto__'], 'injected'],
'this is bad')
++ expect(Object.prototype.injected).to.be.undefined
++ }).to.throw('For security reasons')
++
+ function Clazz() {}
+ Clazz.prototype.test = 'original'
+
+@@ -267,8 +278,11 @@
+ .to.throw('For security reasons')
+ expect(Clazz.prototype.test).to.be.equal('original')
+
+- const obj = {}
+- expect(function() {objectPath.withInheritedProps.set(obj,
'constructor.prototype.injected', 'this is OK')})
++ expect(function() {objectPath.withInheritedProps.set({},
'constructor.prototype.injected', 'this is OK')})
++ .to.throw('For security reasons')
++ expect(Object.prototype.injected).to.be.undefined
++
++ expect(function() {objectPath.withInheritedProps.set({},
[['constructor'], 'prototype', 'injected'], 'this is bad')})
+ .to.throw('For security reasons')
+ expect(Object.prototype.injected).to.be.undefined
+ })
diff --git a/debian/patches/CVE-2021-3805.patch
b/debian/patches/CVE-2021-3805.patch
new file mode 100644
index 0000000..daa56ff
--- /dev/null
+++ b/debian/patches/CVE-2021-3805.patch
@@ -0,0 +1,837 @@
+Description: Fix prototype pollution vulnerability
+Author: Mario Casciaro <mariocasci...@gmail.com>
+Origin: upstream, https://github.com/mariocasciaro/object-path/commit/4f0903fd7
+Bug: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-09-17
+
+--- a/README.md
++++ b/README.md
+@@ -172,6 +172,8 @@
+ objectPath.set(obj, 'notOwn.prop', 'b');
+ ```
+
++**NOTE**: For security reasons `object-path` will throw an exception when
trying to access an object's magic properties (e.g. `__proto__`, `constructor`)
when in "inherited props" mode.
++
+ ### Immutability
+
+ If you are looking for an *immutable* alternative of this library, you can
take a look at:
[object-path-immutable](https://github.com/mariocasciaro/object-path-immutable)
+--- a/index.js
++++ b/index.js
+@@ -1,87 +1,88 @@
+-(function (root, factory){
+- 'use strict';
++(function (root, factory) {
++ 'use strict'
+
+ /*istanbul ignore next:cant test*/
+ if (typeof module === 'object' && typeof module.exports === 'object') {
+- module.exports = factory();
++ module.exports = factory()
+ } else if (typeof define === 'function' && define.amd) {
+ // AMD. Register as an anonymous module.
+- define([], factory);
++ define([], factory)
+ } else {
+ // Browser globals
+- root.objectPath = factory();
++ root.objectPath = factory()
+ }
+-})(this, function(){
+- 'use strict';
++})(this, function () {
++ 'use strict'
+
+- var toStr = Object.prototype.toString;
+- function hasOwnProperty(obj, prop) {
+- if(obj == null) {
++ var toStr = Object.prototype.toString
++
++ function hasOwnProperty (obj, prop) {
++ if (obj == null) {
+ return false
+ }
+ //to handle objects with null prototypes (too edge case?)
+ return Object.prototype.hasOwnProperty.call(obj, prop)
+ }
+
+- function isEmpty(value){
++ function isEmpty (value) {
+ if (!value) {
+- return true;
++ return true
+ }
+ if (isArray(value) && value.length === 0) {
+- return true;
++ return true
+ } else if (typeof value !== 'string') {
+- for (var i in value) {
+- if (hasOwnProperty(value, i)) {
+- return false;
+- }
++ for (var i in value) {
++ if (hasOwnProperty(value, i)) {
++ return false
+ }
+- return true;
++ }
++ return true
+ }
+- return false;
++ return false
+ }
+
+- function toString(type){
+- return toStr.call(type);
++ function toString (type) {
++ return toStr.call(type)
+ }
+
+- function isObject(obj){
+- return typeof obj === 'object' && toString(obj) === "[object Object]";
++ function isObject (obj) {
++ return typeof obj === 'object' && toString(obj) === '[object Object]'
+ }
+
+- var isArray = Array.isArray || function(obj){
++ var isArray = Array.isArray || function (obj) {
+ /*istanbul ignore next:cant test*/
+- return toStr.call(obj) === '[object Array]';
++ return toStr.call(obj) === '[object Array]'
+ }
+
+- function isBoolean(obj){
+- return typeof obj === 'boolean' || toString(obj) === '[object Boolean]';
++ function isBoolean (obj) {
++ return typeof obj === 'boolean' || toString(obj) === '[object Boolean]'
+ }
+
+- function getKey(key){
+- var intKey = parseInt(key);
++ function getKey (key) {
++ var intKey = parseInt(key)
+ if (intKey.toString() === key) {
+- return intKey;
++ return intKey
+ }
+- return key;
++ return key
+ }
+
+- function factory(options) {
++ function factory (options) {
+ options = options || {}
+
+- var objectPath = function(obj) {
+- return Object.keys(objectPath).reduce(function(proxy, prop) {
+- if(prop === 'create') {
+- return proxy;
++ var objectPath = function (obj) {
++ return Object.keys(objectPath).reduce(function (proxy, prop) {
++ if (prop === 'create') {
++ return proxy
+ }
+
+ /*istanbul ignore else*/
+ if (typeof objectPath[prop] === 'function') {
+- proxy[prop] = objectPath[prop].bind(objectPath, obj);
++ proxy[prop] = objectPath[prop].bind(objectPath, obj)
+ }
+
+- return proxy;
+- }, {});
+- };
++ return proxy
++ }, {})
++ }
+
+ var hasShallowProperty
+ if (options.includeInheritedProps) {
+@@ -94,213 +95,226 @@
+ }
+ }
+
+- function getShallowProperty(obj, prop) {
++ function getShallowProperty (obj, prop) {
+ if (hasShallowProperty(obj, prop)) {
+- return obj[prop];
++ return obj[prop]
++ }
++ }
++
++ var getShallowPropertySafely
++ if (options.includeInheritedProps) {
++ getShallowPropertySafely = function (obj, currentPath) {
++ if (typeof currentPath !== 'string' && typeof currentPath !==
'number') {
++ currentPath = String(currentPath)
++ }
++ var currentValue = getShallowProperty(obj, currentPath)
++ if (currentPath === '__proto__' || currentPath === 'prototype' ||
++ (currentPath === 'constructor' && typeof currentValue ===
'function')) {
++ throw new Error('For security reasons, object\'s magic properties
cannot be set')
++ }
++ return currentValue
++ }
++ } else {
++ getShallowPropertySafely = function (obj, currentPath) {
++ return getShallowProperty(obj, currentPath)
+ }
+ }
+
+- function set(obj, path, value, doNotReplace){
++ function set (obj, path, value, doNotReplace) {
+ if (typeof path === 'number') {
+- path = [path];
++ path = [path]
+ }
+ if (!path || path.length === 0) {
+- return obj;
++ return obj
+ }
+ if (typeof path === 'string') {
+- return set(obj, path.split('.').map(getKey), value, doNotReplace);
+- }
+- var currentPath = path[0];
+- if (typeof currentPath !== 'string' && typeof currentPath !== 'number')
{
+- currentPath = String(currentPath)
+- }
+- var currentValue = getShallowProperty(obj, currentPath);
+- if (options.includeInheritedProps && (currentPath === '__proto__' ||
+- (currentPath === 'constructor' && typeof currentValue ===
'function'))) {
+- throw new Error('For security reasons, object\'s magic properties
cannot be set')
++ return set(obj, path.split('.').map(getKey), value, doNotReplace)
+ }
++ var currentPath = path[0]
++ var currentValue = getShallowPropertySafely(obj, currentPath)
+ if (path.length === 1) {
+ if (currentValue === void 0 || !doNotReplace) {
+- obj[currentPath] = value;
++ obj[currentPath] = value
+ }
+- return currentValue;
++ return currentValue
+ }
+
+ if (currentValue === void 0) {
+ //check if we assume an array
+- if(typeof path[1] === 'number') {
+- obj[currentPath] = [];
++ if (typeof path[1] === 'number') {
++ obj[currentPath] = []
+ } else {
+- obj[currentPath] = {};
++ obj[currentPath] = {}
+ }
+ }
+
+- return set(obj[currentPath], path.slice(1), value, doNotReplace);
++ return set(obj[currentPath], path.slice(1), value, doNotReplace)
+ }
+
+ objectPath.has = function (obj, path) {
+ if (typeof path === 'number') {
+- path = [path];
++ path = [path]
+ } else if (typeof path === 'string') {
+- path = path.split('.');
++ path = path.split('.')
+ }
+
+ if (!path || path.length === 0) {
+- return !!obj;
++ return !!obj
+ }
+
+ for (var i = 0; i < path.length; i++) {
+- var j = getKey(path[i]);
++ var j = getKey(path[i])
+
+- if((typeof j === 'number' && isArray(obj) && j < obj.length) ||
++ if ((typeof j === 'number' && isArray(obj) && j < obj.length) ||
+ (options.includeInheritedProps ? (j in Object(obj)) :
hasOwnProperty(obj, j))) {
+- obj = obj[j];
++ obj = obj[j]
+ } else {
+- return false;
++ return false
+ }
+ }
+
+- return true;
+- };
++ return true
++ }
+
+- objectPath.ensureExists = function (obj, path, value){
+- return set(obj, path, value, true);
+- };
++ objectPath.ensureExists = function (obj, path, value) {
++ return set(obj, path, value, true)
++ }
+
+- objectPath.set = function (obj, path, value, doNotReplace){
+- return set(obj, path, value, doNotReplace);
+- };
++ objectPath.set = function (obj, path, value, doNotReplace) {
++ return set(obj, path, value, doNotReplace)
++ }
+
+- objectPath.insert = function (obj, path, value, at){
+- var arr = objectPath.get(obj, path);
+- at = ~~at;
++ objectPath.insert = function (obj, path, value, at) {
++ var arr = objectPath.get(obj, path)
++ at = ~~at
+ if (!isArray(arr)) {
+- arr = [];
+- objectPath.set(obj, path, arr);
++ arr = []
++ objectPath.set(obj, path, arr)
+ }
+- arr.splice(at, 0, value);
+- };
++ arr.splice(at, 0, value)
++ }
+
+- objectPath.empty = function(obj, path) {
++ objectPath.empty = function (obj, path) {
+ if (isEmpty(path)) {
+- return void 0;
++ return void 0
+ }
+ if (obj == null) {
+- return void 0;
++ return void 0
+ }
+
+- var value, i;
++ var value, i
+ if (!(value = objectPath.get(obj, path))) {
+- return void 0;
++ return void 0
+ }
+
+ if (typeof value === 'string') {
+- return objectPath.set(obj, path, '');
++ return objectPath.set(obj, path, '')
+ } else if (isBoolean(value)) {
+- return objectPath.set(obj, path, false);
++ return objectPath.set(obj, path, false)
+ } else if (typeof value === 'number') {
+- return objectPath.set(obj, path, 0);
++ return objectPath.set(obj, path, 0)
+ } else if (isArray(value)) {
+- value.length = 0;
++ value.length = 0
+ } else if (isObject(value)) {
+ for (i in value) {
+ if (hasShallowProperty(value, i)) {
+- delete value[i];
++ delete value[i]
+ }
+ }
+ } else {
+- return objectPath.set(obj, path, null);
++ return objectPath.set(obj, path, null)
+ }
+- };
++ }
+
+- objectPath.push = function (obj, path /*, values */){
+- var arr = objectPath.get(obj, path);
++ objectPath.push = function (obj, path /*, values */) {
++ var arr = objectPath.get(obj, path)
+ if (!isArray(arr)) {
+- arr = [];
+- objectPath.set(obj, path, arr);
++ arr = []
++ objectPath.set(obj, path, arr)
+ }
+
+- arr.push.apply(arr, Array.prototype.slice.call(arguments, 2));
+- };
++ arr.push.apply(arr, Array.prototype.slice.call(arguments, 2))
++ }
+
+ objectPath.coalesce = function (obj, paths, defaultValue) {
+- var value;
++ var value
+
+ for (var i = 0, len = paths.length; i < len; i++) {
+ if ((value = objectPath.get(obj, paths[i])) !== void 0) {
+- return value;
++ return value
+ }
+ }
+
+- return defaultValue;
+- };
++ return defaultValue
++ }
+
+- objectPath.get = function (obj, path, defaultValue){
++ objectPath.get = function (obj, path, defaultValue) {
+ if (typeof path === 'number') {
+- path = [path];
++ path = [path]
+ }
+ if (!path || path.length === 0) {
+- return obj;
++ return obj
+ }
+ if (obj == null) {
+- return defaultValue;
++ return defaultValue
+ }
+ if (typeof path === 'string') {
+- return objectPath.get(obj, path.split('.'), defaultValue);
++ return objectPath.get(obj, path.split('.'), defaultValue)
+ }
+
+- var currentPath = getKey(path[0]);
+- var nextObj = getShallowProperty(obj, currentPath)
++ var currentPath = getKey(path[0])
++ var nextObj = getShallowPropertySafely(obj, currentPath)
+ if (nextObj === void 0) {
+- return defaultValue;
++ return defaultValue
+ }
+
+ if (path.length === 1) {
+- return nextObj;
++ return nextObj
+ }
+
+- return objectPath.get(obj[currentPath], path.slice(1), defaultValue);
+- };
++ return objectPath.get(obj[currentPath], path.slice(1), defaultValue)
++ }
+
+- objectPath.del = function del(obj, path) {
++ objectPath.del = function del (obj, path) {
+ if (typeof path === 'number') {
+- path = [path];
++ path = [path]
+ }
+
+ if (obj == null) {
+- return obj;
++ return obj
+ }
+
+ if (isEmpty(path)) {
+- return obj;
++ return obj
+ }
+- if(typeof path === 'string') {
+- return objectPath.del(obj, path.split('.'));
++ if (typeof path === 'string') {
++ return objectPath.del(obj, path.split('.'))
+ }
+
+- var currentPath = getKey(path[0]);
++ var currentPath = getKey(path[0])
++ getShallowPropertySafely(obj, currentPath)
+ if (!hasShallowProperty(obj, currentPath)) {
+- return obj;
++ return obj
+ }
+
+- if(path.length === 1) {
++ if (path.length === 1) {
+ if (isArray(obj)) {
+- obj.splice(currentPath, 1);
++ obj.splice(currentPath, 1)
+ } else {
+- delete obj[currentPath];
++ delete obj[currentPath]
+ }
+ } else {
+- return objectPath.del(obj[currentPath], path.slice(1));
++ return objectPath.del(obj[currentPath], path.slice(1))
+ }
+
+- return obj;
++ return obj
+ }
+
+- return objectPath;
++ return objectPath
+ }
+
+- var mod = factory();
+- mod.create = factory;
++ var mod = factory()
++ mod.create = factory
+ mod.withInheritedProps = factory({includeInheritedProps: true})
+- return mod;
+-});
++ return mod
++})
+--- a/test.js
++++ b/test.js
+@@ -133,6 +133,43 @@
+ expect(objectPath.get(extended, 'enabled')).to.be.equal(true)
+ expect(objectPath.get(extended, 'one')).to.be.equal(undefined)
+ })
++
++ it('[security] should not get magic properties in default mode', function
() {
++ expect(objectPath.get({}, '__proto__')).to.be.undefined
++ expect(objectPath.get({}, [['__proto__']])).to.be.undefined
++
++ function Clazz() {}
++ Clazz.prototype.test = []
++
++ expect(objectPath.get(new Clazz(), '__proto__')).to.be.undefined
++ expect(objectPath.get(new Clazz(), [['__proto__']])).to.be.undefined
++ expect(objectPath.get(new Clazz(), ['constructor',
'prototype'])).to.be.undefined
++ })
++
++ it('[security] should not get magic properties in inheritedProps mode',
function () {
++ expect(function() {
++ objectPath.withInheritedProps.get({}, '__proto__')
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.get({}, [['__proto__']])
++ }).to.throw('For security reasons')
++
++ function Clazz() {}
++ Clazz.prototype.test = 'original'
++
++ expect(function() {
++ objectPath.withInheritedProps.get(new Clazz(), '__proto__')
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.get(new Clazz(), [['__proto__']])
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.get(new Clazz(), ['constructor',
'prototype'])
++ }).to.throw('For security reasons')
++ })
+ })
+
+
+@@ -244,9 +281,15 @@
+ objectPath.set({}, [['__proto__'], 'injected'], 'this is bad')
+ expect(Object.prototype.injected).to.be.undefined
+
++ objectPath.set({}, ['__proto__'], {})
++ expect(Object.prototype.toString).to.be.a('function')
++
+ function Clazz() {}
+ Clazz.prototype.test = 'original'
+
++ objectPath.set({}, ['__proto__'], {test: 'this is bad'})
++ expect(Clazz.prototype.test).to.be.equal('original')
++
+ objectPath.set(new Clazz(), '__proto__.test', 'this is bad')
+ expect(Clazz.prototype.test).to.be.equal('original')
+
+@@ -258,9 +301,10 @@
+ })
+
+ it('[security] should throw an exception if trying to set magic properties
in inheritedProps mode', function () {
+- expect(function() {objectPath.withInheritedProps.set({},
'__proto__.injected', 'this is bad')})
+- .to.throw('For security reasons')
+- expect(Object.prototype.injected).to.be.undefined
++ expect(function() {
++ objectPath.withInheritedProps.set({}, '__proto__.injected', 'this is
bad')
++ expect(Object.prototype.injected).to.be.undefined
++ }).to.throw('For security reasons')
+
+ expect(function() {
+ objectPath.withInheritedProps.set({}, [['__proto__'], 'injected'],
'this is bad')
+@@ -270,21 +314,25 @@
+ function Clazz() {}
+ Clazz.prototype.test = 'original'
+
+- expect(function() {objectPath.withInheritedProps.set(new Clazz(),
'__proto__.test', 'this is bad')})
+- .to.throw('For security reasons')
+- expect(Clazz.prototype.test).to.be.equal('original')
++ expect(function() {
++ objectPath.withInheritedProps.set(new Clazz(), '__proto__.test', 'this
is bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
+
+- expect(function() {objectPath.withInheritedProps.set(new Clazz(),
'constructor.prototype.test', 'this is bad')})
+- .to.throw('For security reasons')
+- expect(Clazz.prototype.test).to.be.equal('original')
++ expect(function() {
++ objectPath.withInheritedProps.set(new Clazz(),
'constructor.prototype.test', 'this is bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
+
+- expect(function() {objectPath.withInheritedProps.set({},
'constructor.prototype.injected', 'this is OK')})
+- .to.throw('For security reasons')
+- expect(Object.prototype.injected).to.be.undefined
++ expect(function() {
++ objectPath.withInheritedProps.set({}, 'constructor.prototype.injected',
'this is OK')
++ expect(Object.prototype.injected).to.be.undefined
++ }).to.throw('For security reasons')
+
+- expect(function() {objectPath.withInheritedProps.set({},
[['constructor'], 'prototype', 'injected'], 'this is bad')})
+- .to.throw('For security reasons')
+- expect(Object.prototype.injected).to.be.undefined
++ expect(function() {
++ objectPath.withInheritedProps.set({}, [['constructor'], 'prototype',
'injected'], 'this is bad')
++ expect(Object.prototype.injected).to.be.undefined
++ }).to.throw('For security reasons')
+ })
+ })
+
+@@ -328,6 +376,39 @@
+ expect(obj).to.have.nested.property('b.e.0.0', 'l')
+ })
+
++ it('[security] should not push within prototype properties in default
mode', function () {
++ function Clazz() {}
++ Clazz.prototype.test = []
++
++ objectPath.push(new Clazz(), '__proto__.test', 'pushed')
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++
++ objectPath.push(new Clazz(), [['__proto__'], 'test'], 'pushed')
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++
++ objectPath.push(new Clazz(), 'constructor.prototype.test', 'pushed')
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ })
++
++ it('[security] should not push within prototype properties in
inheritedProps mode', function () {
++ function Clazz() {}
++ Clazz.prototype.test = []
++
++ expect(function() {
++ objectPath.withInheritedProps.push(new Clazz(), '__proto__.test',
'pushed')
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.push(new Clazz(), [['__proto__'],
'test'], 'pushed')
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.push(new Clazz(),
'constructor.prototype.test', 'pushed')
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ }).to.throw('For security reasons')
++ })
+ })
+
+
+@@ -361,6 +442,67 @@
+ expect(any[1]).to.be.an('object')
+ expect(any[1][1]).to.be.an('object')
+ })
++
++ it('[security] should not set magic properties in default mode', function
() {
++ objectPath.ensureExists({}, '__proto__.injected', 'this is bad')
++ expect(Object.prototype.injected).to.be.undefined
++
++ objectPath.ensureExists({}, [['__proto__'], 'injected'], 'this is bad')
++ expect(Object.prototype.injected).to.be.undefined
++
++ objectPath.ensureExists({}, ['__proto__'], {})
++ expect(Object.prototype.toString).to.be.a('function')
++
++ function Clazz() {}
++ Clazz.prototype.test = 'original'
++
++ objectPath.ensureExists({}, ['__proto__'], {test: 'this is bad'})
++ expect(Clazz.prototype.test).to.be.equal('original')
++
++ objectPath.ensureExists(new Clazz(), '__proto__.test', 'this is bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++
++ objectPath.ensureExists(new Clazz(), [['__proto__'], 'test'], 'this is
bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++
++ objectPath.ensureExists(new Clazz(), 'constructor.prototype.test', 'this
is bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ })
++
++ it('[security] should throw an exception if trying to set magic properties
in inheritedProps mode', function () {
++ expect(function() {objectPath.withInheritedProps.ensureExists({},
'__proto__.injected', 'this is bad')})
++ .to.throw('For security reasons')
++ expect(Object.prototype.injected).to.be.undefined
++
++ expect(function() {
++ objectPath.withInheritedProps.ensureExists({}, [['__proto__'],
'injected'], 'this is bad')
++ expect(Object.prototype.injected).to.be.undefined
++ }).to.throw('For security reasons')
++
++ function Clazz() {}
++ Clazz.prototype.test = 'original'
++
++ expect(function() {
++ objectPath.withInheritedProps.ensureExists(new Clazz(),
'__proto__.test', 'this is bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
++
++
++ expect(function() {
++ objectPath.withInheritedProps.ensureExists(new Clazz(),
'constructor.prototype.test', 'this is bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.ensureExists({},
'constructor.prototype.injected', 'this is OK')
++ expect(Object.prototype.injected).to.be.undefined
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.ensureExists({}, [['constructor'],
'prototype', 'injected'], 'this is bad')
++ expect(Object.prototype.injected).to.be.undefined
++ }).to.throw('For security reasons')
++ })
+ })
+
+ describe('coalesce', function () {
+@@ -512,6 +654,40 @@
+ expect(obj.instance.arr).to.be.an('array')
+ expect(obj['function']).to.equal(null)
+ })
++
++ it('[security] should not empty prototype properties in default mode',
function () {
++ function Clazz() {}
++ Clazz.prototype.test = 'original'
++
++ objectPath.empty(new Clazz(), '__proto__')
++ expect(Clazz.prototype.test).to.be.equal('original')
++
++ objectPath.empty(new Clazz(), [['__proto__']])
++ expect(Clazz.prototype.test).to.be.equal('original')
++
++ objectPath.empty(new Clazz(), 'constructor.prototype')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ })
++
++ it('[security] should throw an exception if trying to delete prototype
properties in inheritedProps mode', function () {
++ function Clazz() {}
++ Clazz.prototype.test = 'original'
++
++ expect(function() {
++ objectPath.withInheritedProps.empty(new Clazz(), '__proto__')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.empty(new Clazz(),
'constructor.prototype')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.empty({}, [['constructor'], 'prototype'])
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
++ })
+ })
+
+ describe('del', function () {
+@@ -588,6 +764,56 @@
+ expect(obj.b.d).to.have.length(0)
+ expect(obj.b.d).to.be.deep.equal([])
+ })
++
++ it('[security] should not delete prototype properties in default mode',
function () {
++ objectPath.del({}, '__proto__.valueOf')
++ expect(Object.prototype.valueOf).to.be.a('function')
++
++ objectPath.del({}, [['__proto__'], 'valueOf'])
++ expect(Object.prototype.valueOf).to.be.a('function')
++
++ function Clazz() {}
++ Clazz.prototype.test = 'original'
++
++ objectPath.del(new Clazz(), '__proto__.test')
++ expect(Clazz.prototype.test).to.be.equal('original')
++
++ objectPath.del(new Clazz(), [['__proto__'], 'test'])
++ expect(Clazz.prototype.test).to.be.equal('original')
++
++ objectPath.del(new Clazz(), 'constructor.prototype.test')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ })
++
++ it('[security] should throw an exception if trying to delete prototype
properties in inheritedProps mode', function () {
++ expect(function() {
++ objectPath.withInheritedProps.del({}, '__proto__.valueOf')
++ expect(Object.prototype.valueOf).to.be.a('function')
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.del({}, [['__proto__'], 'valueOf'])
++ expect(Object.prototype.valueOf).to.be.a('function')
++ }).to.throw('For security reasons')
++
++ function Clazz() {}
++ Clazz.prototype.test = 'original'
++
++ expect(function() {
++ objectPath.withInheritedProps.del(new Clazz(), '__proto__.test')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.del(new Clazz(),
'constructor.prototype.test', 'this is bad')
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.del({}, [['constructor'], 'prototype',
'test'])
++ expect(Clazz.prototype.test).to.be.equal('original')
++ }).to.throw('For security reasons')
++ })
+ })
+
+ describe('insert', function () {
+@@ -630,6 +856,45 @@
+ 'asdf'
+ ])
+ })
++
++ it('[security] should not insert within prototype properties in default
mode', function () {
++ function Clazz() {}
++ Clazz.prototype.test = []
++
++ objectPath.insert(new Clazz(), '__proto__.test', 'inserted', 0)
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++
++ objectPath.insert(new Clazz(), [['__proto__'], 'test'], 'inserted', 0)
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++
++ objectPath.insert(new Clazz(), 'constructor.prototype.test', 'inserted',
0)
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ })
++
++ it('[security] should not insert within prototype properties in
inheritedProps mode', function () {
++ function Clazz() {}
++ Clazz.prototype.test = []
++
++ expect(function() {
++ objectPath.withInheritedProps.insert(new Clazz(), '__proto__.test',
'inserted', 0)
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.insert(new Clazz(), [['__proto__'],
'test'], 'inserted', 0)
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.insert(new Clazz(),
'constructor.prototype.test', 'inserted', 0)
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ }).to.throw('For security reasons')
++
++ expect(function() {
++ objectPath.withInheritedProps.insert(new Clazz().constructor,
'prototype.test', 'inserted', 0)
++ expect(Clazz.prototype.test).to.be.deep.equal([])
++ }).to.throw('For security reasons')
++ })
+ })
+
+ describe('has', function () {
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7b1f359
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2021-23434.patch
+CVE-2021-3805.patch
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 33c3a64..6fd902a 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,4 +1,7 @@
---
+variables:
+ RELEASE: 'bullseye'
+
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
--- End Message ---
