Leonidas-from-XIV / node-xml2js

XML to JavaScript object converter.
MIT License

use Object.create(null) to create all parsed objects #603

Closed autopulated closed 1 year ago

autopulated commented 3 years ago

Prevent parsing of documents containing tags or attributes named __proto__ from overwriting the prototype on returned objects (See #593)

This is a breaking change, and will break any users of this library which use, for example, .hasOwnProperty on the returned objects. (The tests here have been updated to avoid this).

coveralls commented 3 years ago


Coverage remained the same at 97.74% when pulling 581b19a62d88f8a3c068b5a45f4542c2d6a495a5 on autopulated:master into 1832e0b6b2de30a5e326d1cf21708cd32305a538 on Leonidas-from-XIV:master.

OIRNOIR commented 1 year ago

This PR is even more important to merge because it Closes #663.

OIRNOIR commented 1 year ago

@Leonidas-from-XIV What do you think? This PR will fix the exploit reported against the latest version.

Leonidas-from-XIV commented 1 year ago

I am sort of wondering if this needs to be a breaking change? I could imagine just checking for __proto__ would be enough.

Leonidas-from-XIV commented 1 year ago

Actually, scratch that, you can inject shenanigans like hasOwnProperty as well I guess, so this would be an utter mess to try to capture.
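The two behaviours discussed in this thread (the PR description's point that a tag or attribute named __proto__ rewrites the prototype of a plain result object, and the later observation that names like hasOwnProperty can be injected too) are shown side by side in the following added example. It is not xml2js code: a tiny stand-in builder copies constructed (name, value) pairs into a result object the way a parser would copy attributes or child elements, once into a plain {} and once into Object.create(null). The function names (buildPlain, buildNullProto, hasOwn, inspect) and the SAMPLE_ENTRIES input are assumptions made for the demonstration.

```javascript
// Added example, not part of xml2js. SAMPLE_ENTRIES is constructed input that
// stands in for the attributes/children of one parsed element.
const SAMPLE_ENTRIES = [
  ['id', '42'],
  ['__proto__', { injected: true }],   // element/attribute named __proto__
  ['hasOwnProperty', 'shadowed'],      // element/attribute named like an Object method
];

// Naive builder: plain object literal. Assigning to "__proto__" goes through
// the accessor inherited from Object.prototype and replaces this object's prototype.
function buildPlain(entries) {
  const out = {};
  for (const [k, v] of entries) out[k] = v;
  return out;
}

// Hardened builder (the approach this PR takes): a null-prototype object has no
// inherited __proto__ accessor, so "__proto__" becomes an ordinary own property.
function buildNullProto(entries) {
  const out = Object.create(null);
  for (const [k, v] of entries) out[k] = v;
  return out;
}

// Own-key check that works for both kinds of object, because it never looks the
// method up through the (possibly shadowed or prototype-less) object itself.
// Object.hasOwn(obj, key) is the modern equivalent on runtimes that have it.
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Summarise what a consumer of the result object would observe.
function inspect(obj) {
  let methodCallOk = true;
  try { obj.hasOwnProperty('id'); } catch (e) { methodCallOk = false; }
  const proto = Object.getPrototypeOf(obj);
  return {
    ownKeys: Object.keys(obj).sort(),
    protoReplaced: proto !== Object.prototype && proto !== null,
    injectedVisible: obj.injected === true,   // inherited value leaking in
    protoIsOwnKey: hasOwn(obj, '__proto__'),
    hasOwnPropertyCallable: methodCallOk,
  };
}

// Sanity check: neither builder touches the shared Object.prototype; the plain
// builder only rewrites the prototype of the one returned object.
function sharedPrototypeClean() {
  return ({}).injected === undefined;
}

console.log('plain      :', inspect(buildPlain(SAMPLE_ENTRIES)));
console.log('null-proto :', inspect(buildNullProto(SAMPLE_ENTRIES)));
console.log('benign null-proto hasOwnProperty() works:',
  inspect(buildNullProto([['id', '42']])).hasOwnPropertyCallable);
```

With the plain builder the returned object reports injectedVisible true and protoReplaced true while __proto__ is not among its own keys; with the null-prototype builder __proto__ is just another own key and nothing leaks in. The last line shows the breaking change the PR description warns about: even on benign input, obj.hasOwnProperty(...) throws on a null-prototype object, so consumers must switch to the hasOwn-style call.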