Comments (5)
@epoberezkin yeah with a CLI-based program it's probably a lot harder to exploit, but why take the risk when it's easily patched?
This backport isn't needed if you're happy to go with ajv-validator/ajv-cli#227 instead which upgrades to v3.
@Starcounter-Jack I've prepared a patch that applies #262 to v2.2.1 cleanly - I'm happy to open a PR if you want to create a v2 branch off v2.2.1:
diff --git a/src/core.ts b/src/core.ts
index 35f2c21..16302d5 100644
--- a/src/core.ts
+++ b/src/core.ts
@@ -256,7 +256,10 @@ export function applyOperation<T>(document: T, operation: Operation, validateOpe
while (true) {
key = keys[t];
- if(banPrototypeModifications && key == '__proto__') {
+ if(banPrototypeModifications &&
+ (key == '__proto__' ||
+ (key == 'prototype' && t>0 && keys[t-1] == 'constructor'))
+ ) {
throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
}
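Review bot: the error message thrown right after the new condition still says only modifying `__proto__` is banned, while the condition now also rejects a `prototype` key that follows a `constructor` key; update the message (and the README it points readers to) so a user whose path hits the new `constructor`/`prototype` branch understands why it was refused. Minor: `t>0` and `keys[t-1]` would read better with spaces around the operators, matching the `key == '__proto__'` comparison on the same lines.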
I think prototype pollution is not a real risk for CLI, where you control all inputs? There may be some complex attack scenario I am missing. Anyway, needs to be updated of course.
@Starcounter-Jack @epoberezkin friendly pings
@Starcounter-Jack @epoberezkin friendly pings