Use defineProperty if user data happens to have __proto__

fix nodeca#164
sashashura · Dec 11, 2020 · a003121 · a003121
1 parent adfee17
commit a003121
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -33,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - "duplicate mapping key" exception now points at the correct column, #452.
 - Extra commas in flow collections (e.g. `[foo,,bar]`) now throw an exception
   instead of producing null, #321.
+- `__proto__` key no longer overrides object prototype, #164.
 - Removed `bower.json`.
 
 

diff --git a/lib/loader.js b/lib/loader.js
@@ -339,7 +339,18 @@ function storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valu
       state.position = startPos || state.position;
       throwError(state, 'duplicated mapping key');
     }
-    _result[keyNode] = valueNode;
+
+    // used for this specific key only because Object.defineProperty is slow
+    if (keyNode === '__proto__') {
+      Object.defineProperty(_result, keyNode, {
+        configurable: true,
+        enumerable: true,
+        writable: true,
+        value: valueNode
+      });
+    } else {
+      _result[keyNode] = valueNode;
+    }
     delete overridableKeys[keyNode];
   }
 
@@ -683,7 +694,7 @@ function readFlowCollection(state, nodeIndent) {
       isPair,
       isExplicitPair,
       isMapping,
-      overridableKeys = {},
+      overridableKeys = Object.create(null),
       keyNode,
       keyTag,
       valueNode,
@@ -997,7 +1008,7 @@ function readBlockMapping(state, nodeIndent, flowIndent) {
       _tag          = state.tag,
       _anchor       = state.anchor,
       _result       = {},
-      overridableKeys = {},
+      overridableKeys = Object.create(null),
       keyTag        = null,
       keyNode       = null,
       valueNode     = null,
@@ -1476,8 +1487,8 @@ function readDocument(state) {
 
   state.version = null;
   state.checkLineBreaks = state.legacy;
-  state.tagMap = {};
-  state.anchorMap = {};
+  state.tagMap = Object.create(null);
+  state.anchorMap = Object.create(null);
 
   while ((ch = state.input.charCodeAt(state.position)) !== 0) {
     skipSeparationSpace(state, true, -1);

diff --git a/test/issues/0164.js b/test/issues/0164.js
@@ -0,0 +1,14 @@
+'use strict';
+
+
+const assert = require('assert');
+const yaml = require('../../');
+
+
+it('should define __proto__ as a value (not invoke setter)', function () {
+  let object = yaml.load('{ __proto__: {foo: bar} }');
+
+  assert.strictEqual(({}).hasOwnProperty.call(yaml.load('{}'), '__proto__'), false);
+  assert.strictEqual(({}).hasOwnProperty.call(object, '__proto__'), true);
+  assert(!object.foo);
+});