Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix prototype pollution in utilities.js #301

Merged
merged 2 commits into from
Feb 2, 2022
Merged

Fix prototype pollution in utilities.js #301

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c951dad
Fix prototype pollution in utilities.js
zwade Feb 1, 2022
5e83249
Refactor prototype pollution check to be more comprehensive
zwade Feb 2, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions lib/utilities.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,13 +79,13 @@ const buildOptions = function() {
const buildFields = (instance, field, value) => {
// Do nothing if value is not set.
if (value === null || value === undefined) return instance;
instance = instance || {};
instance = instance || Object.create(null);
// Non-array fields
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add an isSafeFromPollution(instance, field) check right here. And move https://github.com/richardgirges/express-fileupload/blob/master/lib/processNested.js#L24-L27 into a function exported by utilities.

if (!instance[field]) {
instance[field] = value;
return instance;
}
// Array fields
// Array fields
if (instance[field] instanceof Array) {
instance[field].push(value);
} else {
Expand All @@ -108,7 +108,7 @@ const checkAndMakeDir = (fileUploadOptions, filePath) => {
if (!filePath) return false;
const parentPath = path.dirname(filePath);
// Create folder if it doesn't exist.
if (!fs.existsSync(parentPath)) fs.mkdirSync(parentPath, { recursive: true });
if (!fs.existsSync(parentPath)) fs.mkdirSync(parentPath, { recursive: true });
// Checks folder again and return a results.
return fs.existsSync(parentPath);
};
Expand Down Expand Up @@ -209,7 +209,7 @@ const parseFileNameExtension = (preserveExtension, fileName) => {

const nameParts = fileName.split('.');
if (nameParts.length < 2) return result;

let extension = nameParts.pop();
if (
extension.length > maxExtLength &&
Expand Down
46 changes: 37 additions & 9 deletions test/utilities.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ describe('Test of the utilities functions', function() {
const result = parseFileName({}, name);
assert.equal(result.length, 255);
});

it(
'Strips away all non-alphanumeric characters (excluding hyphens/underscores) when enabled.',
() => {
Expand Down Expand Up @@ -202,12 +202,12 @@ describe('Test of the utilities functions', function() {
it('buildOptions adds value to the result from the several source argumets', () => {
let result = buildOptions(source, sourceAddon);
assert.deepStrictEqual(result, expectedAddon);
});
});

});
//buildFields tests
describe('Test buildOptions function', () => {

it('buildFields does nothing if null value has been passed', () => {
let fields = null;
fields = buildFields(fields, 'test', null);
Expand Down Expand Up @@ -287,7 +287,7 @@ describe('Test of the utilities functions', function() {

it('Failed if nonexistent file passed', function(done){
let filePath = path.join(uploadDir, getTempFilename());

deleteFile(filePath, function(err){
if (err) {
return done();
Expand Down Expand Up @@ -324,11 +324,11 @@ describe('Test of the utilities functions', function() {
});
});
});
});
});
});

});

describe('Test copyFile function', function(){
beforeEach(function() {
server.clearUploadsDir();
Expand All @@ -337,7 +337,7 @@ describe('Test of the utilities functions', function() {
it('Copy a file and check a hash', function(done) {
let srcPath = path.join(fileDir, mockFile);
let dstPath = path.join(uploadDir, mockFile);

copyFile(srcPath, dstPath, function(err){
if (err) {
return done(err);
Expand All @@ -357,7 +357,7 @@ describe('Test of the utilities functions', function() {
it('Failed if wrong source file path passed', function(done){
let srcPath = path.join(fileDir, 'unknown');
let dstPath = path.join(uploadDir, mockFile);

copyFile(srcPath, dstPath, function(err){
if (err) {
return done();
Expand All @@ -368,7 +368,7 @@ describe('Test of the utilities functions', function() {
it('Failed if wrong destination file path passed', function(done){
let srcPath = path.join(fileDir, 'unknown');
let dstPath = path.join('unknown', 'unknown');

copyFile(srcPath, dstPath, function(err){
if (err) {
return done();
Expand Down Expand Up @@ -400,4 +400,32 @@ describe('Test of the utilities functions', function() {
});
});
});

describe('Test for no prototype pollution in buildFields', function() {
const prototypeFields = [
{ name: '__proto__', data: {} },
{ name: 'constructor', data: {} },
{ name: 'toString', data: {} }
];

let fieldObject = undefined;
prototypeFields.forEach((field) => {
fieldObject = buildFields(fieldObject, field.name, field.data);
});

it(`Has ${prototypeFields.length} keys`, () => {
assert.equal(Object.keys(fieldObject).length, prototypeFields.length);
});

it(`Has null as its prototype`, () => {
assert.equal(Object.getPrototypeOf(fieldObject), null);
});

prototypeFields.forEach((field) => {
it(`${field.name} property is not an array`, () => {
// Note, Array.isArray is an insufficient test due to it returning false for Objects with an array prototype.
assert.equal(fieldObject[field.name] instanceof Array, false);
});
});
})
});