jonschlinkert / data-store

Easily get, set and persist config data. Fast. Supports dot-notation in keys. No dependencies.
https://github.com/jonschlinkert
MIT License

Update `set-value` and `mocha` #42

Open Brittany-Reid opened 2 years ago

Brittany-Reid commented 2 years ago

Updated set-value, mocha based on npm audit.

1 failing test case removed:

    it('should not mistake double backslashes for escaped keys', () => {
      store.set('foo\\\\.baz', 'bar');
      store.set('baz', null);
      store.set('qux', 5);

      assert(!store.hasOwn('foo'));
      assert(!store.hasOwn('bar'));
      assert(!store.hasOwn('foo.baz'));
      console.log(store)
      assert(!store.hasOwn('foo\\'));
      assert(store.hasOwn('baz'));
      assert(store.hasOwn('qux'));

      store.set('foo\\.bar.baz\\.qux', 'fez');
      assert(store.hasOwn('foo\\.bar.baz\\.qux'));
    });

Breaking at statement `assert(!store.hasOwn('foo\\'));`

The escape behaviour is documented in set-value, but only for one set of `\\`. The old behaviour was:

    {
      "foo\\.baz": "bar"
    }

The behaviour with set-value updated:

    {
      "foo\\": {
        "baz": "bar"
      }
    }

I removed the test case as tests in set-value indicate that `foo\\\\.bar` should split; I assume behaviour should be consistent:

    it('should correctly parse multiple consecutive backslashes', () => {
      assert.deepEqual(set.split('a.b\\\\.c'), ['a', 'b\\', 'c']);
    });

Is this correct, or was there a reason for the previous behaviour? Let me know if I should do anything else.
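
The split behaviour discussed above, as an added example that is not part of the original post and is not set-value's or data-store's code. It assumes a backslash escapes the character after it, which reproduces the `set.split` result and the nested object quoted in the comment; `splitPath`, `setPath` and `UNSAFE_KEYS` are hypothetical names.

```javascript
// Added illustration: not set-value's or data-store's source code.
// Assumed rule: a backslash escapes the next character, so a dot separates
// keys only when an even number of backslashes precedes it.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// splitPath is a hypothetical helper name.
function splitPath(path) {
  const keys = [];
  let key = '';
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (ch === '\\' && i + 1 < path.length) {
      key += path[++i]; // keep the escaped character, drop the escaping backslash
    } else if (ch === '.') {
      keys.push(key); // an unescaped dot ends the current key
      key = '';
    } else {
      key += ch;
    }
  }
  keys.push(key);
  return keys;
}

// setPath is a hypothetical helper name.
function setPath(target, path, value) {
  const keys = splitPath(path);
  // Precaution for any path setter: never walk or write through prototype keys.
  if (keys.some((k) => UNSAFE_KEYS.has(k))) {
    throw new Error(`unsafe key in path: ${path}`);
  }
  let node = target;
  for (const k of keys.slice(0, -1)) {
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Constructed inputs, using the key strings quoted in this thread.
console.log(splitPath('a.b\\\\.c'));
console.log(JSON.stringify(setPath({}, 'foo\\\\.baz', 'bar')));
console.log(JSON.stringify(setPath({}, 'foo\\.baz', 'bar')));
```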

trycoon commented 2 years ago

Could someone please merge this? SonarQube detects "set-value" as having a security exploit.

skeddles commented 2 years ago

@jonschlinkert is there a reason not to merge this?