0eeaafa722
* chore(NA): update gitignore to include first changes from moving into a single package.json
* chore(NA): update gitignore
* chore(NA): move all the dependencies into the single package.json and apply changes to bootstrap
* chore(NA): fix types problems after the single package json
* chore(NA): include code to find the dependencies used across the code
* chore(NA): introduce pure lockfile for install dependencies on build
* chore(NA): update clean task to not delete anything from xpack node_modules
* chore(NA): update gitignore to remove development temporary rules
* chore(NA): update notice file
* chore(NA): update jest snapshots
* chore(NA): fix whitelisted licenses to include a new specify form of an already included one
* chore(NA): remove check lockfile symlinks from child projects
* chore(NA): fix eslint and add missing declared deps on single pkg json
* chore(NA): correctly update notice
* chore(NA): fix failing jest test for storyshots.test.tsx
* chore(NA): fix cypress multi reporter path
* chore(NA): fix Project tests check
* chore(NA): fix problem with logic to detect used dependencies on oss build
* chore(NA): include correct x-pack plugins dep discovery
* chore(NA): discover entries under dynamic requires on vis_type_timelion
* chore(NA): remove canvas
* test(NA): fix jest unit tests
* chore(NA): remove double react declaration from storyshot test file
* chore(NA): try removing isOSS check
* chore(NA): support for plugin development
* chore(NA): update logic to fix unit tests and typechecking
* chore(NA): support to run npm scripts in child kbn projects across all envs
* chore(NA): support github checks reporter on x-pack and remove cpy types as the package correctly provides them
* chore(NA): update cpy version
* chore(NA): include last kbn pm changes
* chore(NA): update style on build_production_projects.ts
* chore(NA): remove any cast from telemetry opt in stats
* chore(NA): remove del and re-use rm -rf again

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@elastic/safer-lodash-set
This module adds protection against prototype pollution to the set and setWith functions from Lodash and is API compatible with Lodash v4.x.
Example Usage
const { set } = require('@elastic/safer-lodash-set');
const object = { a: [{ b: { c: 3 } }] };
set(object, 'a[0].b.c', 4);
console.log(object.a[0].b.c); // => 4
set(object, ['x', '0', 'y', 'z'], 5);
console.log(object.x[0].y.z); // => 5
API
The main module exposes two functions, set and setWith:
const { set, setWith } = require('@elastic/safer-lodash-set');
Besides the main module, it's also possible to require each function individually:
const set = require('@elastic/safer-lodash-set/set');
const setWith = require('@elastic/safer-lodash-set/setWith');
The APIs of these functions are identical to the equivalent Lodash set and setWith functions. Please refer to the Lodash documentation for the respective functions for details.
Functional Programming support (fp)
This module also supports the lodash/fp API and hence exposes the following fp compatible functions:
const { set, setWith } = require('@elastic/safer-lodash-set/fp');
Besides the main fp module, it's also possible to require each function individually:
const set = require('@elastic/safer-lodash-set/fp/set');
const setWith = require('@elastic/safer-lodash-set/fp/setWith');
Limitations
The safety improvements in this module are achieved by adding the following limitations to the algorithm used to walk the path given as the 2nd argument to the set and setWith functions:
Only own properties are followed when walking the path
const { set } = require('@elastic/safer-lodash-set');

const parent = { foo: 1 };
const child = { bar: 2 };
Object.setPrototypeOf(child, parent);
// Now `child` can access `foo` through prototype inheritance
console.log(child.foo); // 1
set(child, 'foo', 3);
// A different `foo` property has now been added directly to the `child`
// object and the `parent` object has not been modified:
console.log(child.foo); // 3
console.log(parent.foo); // 1
console.log(Object.prototype.hasOwnProperty.call(child, 'foo')); // true
The path must not access function prototypes
const assert = require('assert');
const { set } = require('@elastic/safer-lodash-set');

const object = {
  fn1: function () {},
  fn2: () => {},
};
// Attempting to access any function prototype will result in an
// exception being thrown:
assert.throws(() => {
  // Throws: Illegal access of function prototype
  set(object, 'fn1.prototype.toString', 'bang!');
});
// This also goes for arrow functions even though they don't have a
// prototype property. This is just to keep things consistent:
assert.throws(() => {
  // Throws: Illegal access of function prototype
  set(object, 'fn2.prototype.toString', 'bang!');
});