VSinerva/freesewing
1
0
Fork 0
Code Activity

test the security fix

Browse source
This commit is contained in:
Enoch Riese 2022-12-08 20:06:22 -06:00
parent 08f1dcdaba
commit 4f42f4038c
2 changed files with 13 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
packages/core/src/pattern.mjs
View file

@ -122,7 +122,7 @@ Pattern.prototype.draft = function () {
Pattern.prototype.createPartForSet = function (partName, set = 0) { Pattern.prototype.createPartForSet = function (partName, set = 0) {
// gotta protect against attacks // gotta protect against attacks
if (typeof set === '__proto__') { if (set === '__proto__') {
throw new Error('malicious attempt at altering Object.prototype. Stopping action') throw new Error('malicious attempt at altering Object.prototype. Stopping action')
} }
// Create parts // Create parts

12
packages/core/tests/pattern-draft.test.mjs
View file

@ -33,6 +33,18 @@ describe('Pattern', () => {
expect(count).to.equal(2) expect(count).to.equal(2)
}) })
}) })
describe('Pattern.createPartForSet()', () => {
it('Should not allow malicious assignment to Object.prototype', () => {
const objProto = Object.prototype
const Pattern = new Design()
const pattern = new Pattern()
expect(() => pattern.createPartForSet('part', '__proto__')).to.throw(
'malicious attempt at altering Object.prototype. Stopping action'
)
expect(objProto).to.equal(Object.prototype)
})
})
it('Should check whether a part is needed', () => { it('Should check whether a part is needed', () => {
const partA = { const partA = {
name: 'test.partA', name: 'test.partA',