This repository was archived by the owner on Apr 5, 2026. It is now read-only.

Commit b1f1d52

authored
Add files via upload
1 parent a404246 commit b1f1d52


2 files changed

+136
-0
lines changed


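--- a/test/set.proto-bypass.test.js
+++ b/test/set.proto-bypass.test.js
@@ -0,0 +1,67 @@
+// test/set.proto-bypass.test.js
+// Tests for prototype pollution bypass fix (CVE-2023-26132 bypass)
+
+var assert = require('assert');
+var dottie = require('../dottie');
+
+describe('dottie.set - prototype pollution bypass prevention', function () {
+
+// === __proto__ at non-first positions ===
+
+it('should block __proto__ at second position', function () {
+var obj = {};
+dottie.set(obj, 'a.__proto__.polluted', true);
+
+// The property should NOT be reachable via prototype chain
+assert.strictEqual(obj.a === undefined || obj.a.polluted === undefined, true,
+'__proto__ at position 1 should be blocked');
+
+// Global Object.prototype must remain clean
+assert.strictEqual(({}).polluted, undefined,
+'Object.prototype must not be polluted');
+});
+
+it('should block __proto__ at third position', function () {
+var obj = {};
+dottie.set(obj, 'a.b.__proto__.polluted', true);
+assert.strictEqual(({}).polluted, undefined,
+'Object.prototype must not be polluted');
+});
+
+it('should still block __proto__ at first position (original CVE-2023-26132 fix)', function () {
+var obj = {};
+dottie.set(obj, '__proto__.polluted', true);
+assert.strictEqual(({}).polluted, undefined,
+'Object.prototype must not be polluted');
+});
+
+// === constructor and prototype keys ===
+
+it('should block constructor at any position', function () {
+var obj = {};
+dottie.set(obj, 'a.constructor.prototype.polluted', true);
+assert.strictEqual(({}).polluted, undefined,
+'constructor-based pollution must be blocked');
+});
+
+it('should block prototype at any position', function () {
+var obj = {};
+dottie.set(obj, 'a.prototype.polluted', true);
+assert.strictEqual(({}).polluted, undefined,
+'prototype-based pollution must be blocked');
+});
+
+// === Legitimate paths should still work ===
+
+it('should allow normal nested paths', function () {
+var obj = {};
+dottie.set(obj, 'a.b.c', 'hello');
+assert.strictEqual(obj.a.b.c, 'hello');
+});
+
+it('should allow paths with similar-looking but safe key names', function () {
+var obj = {};
+dottie.set(obj, 'user.proto.value', 42);
+assert.strictEqual(obj.user.proto.value, 42);
+});
+});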
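Review bot: The `should block prototype at any position` case can pass with no blocking in place, because its only assertion is `({}).polluted === undefined`, and a path like `a.prototype.polluted` on a fresh `{}` would normally just create own properties without touching `Object.prototype`; the matching case in the transform test file has the same gap. Asserting on the target pins the intended behaviour, e.g. `assert.strictEqual(Object.prototype.hasOwnProperty.call(obj, 'a') && Object.prototype.hasOwnProperty.call(obj.a, 'prototype'), false);`, assuming the fix drops the blocked segment rather than throwing (dottie.js is not shown on this page). Separately, neither file restores `Object.prototype` after a failure, so a single regression would make every later `({}).polluted` check fail as well. Adding `afterEach(function () { delete Object.prototype.polluted; delete Object.prototype.isAdmin; });` inside each `describe` keeps failures isolated and attributable to the right case.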
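--- a/test/transform.proto-bypass.test.js
+++ b/test/transform.proto-bypass.test.js
@@ -0,0 +1,69 @@
+// test/transform.proto-bypass.test.js
+// Tests for prototype pollution bypass fix in transform() (CVE-2023-26132 bypass)
+
+var assert = require('assert');
+var dottie = require('../dottie');
+
+describe('dottie.transform - prototype pollution bypass prevention', function () {
+
+// === __proto__ at non-first positions ===
+
+it('should block __proto__ at second position in keys', function () {
+var flat = { 'user.__proto__.isAdmin': true, 'user.name': 'guest' };
+var result = dottie.transform(flat);
+
+// The isAdmin property should NOT be reachable via prototype chain
+assert.strictEqual(
+result.user === undefined || result.user.isAdmin === undefined, true,
+'__proto__ bypass in transform keys should be blocked'
+);
+
+// Global Object.prototype must remain clean
+assert.strictEqual(({}).isAdmin, undefined,
+'Object.prototype must not be polluted');
+});
+
+it('should block __proto__ at third position in keys', function () {
+var flat = { 'a.b.__proto__.polluted': true };
+var result = dottie.transform(flat);
+assert.strictEqual(({}).polluted, undefined,
+'Object.prototype must not be polluted');
+});
+
+it('should still block __proto__ at first position (original fix)', function () {
+var flat = { '__proto__.polluted': true };
+var result = dottie.transform(flat);
+assert.strictEqual(({}).polluted, undefined,
+'Object.prototype must not be polluted');
+});
+
+// === constructor and prototype keys ===
+
+it('should block constructor-based pollution in transform keys', function () {
+var flat = { 'a.constructor.prototype.polluted': true };
+var result = dottie.transform(flat);
+assert.strictEqual(({}).polluted, undefined,
+'constructor-based pollution must be blocked');
+});
+
+it('should block prototype key in transform keys', function () {
+var flat = { 'a.prototype.polluted': true };
+var result = dottie.transform(flat);
+assert.strictEqual(({}).polluted, undefined,
+'prototype-based pollution must be blocked');
+});
+
+// === Legitimate transforms should still work ===
+
+it('should transform normal dotted keys correctly', function () {
+var flat = {
+'user.name': 'Alice',
+'user.email': 'alice@example.com',
+'user.settings.theme': 'dark'
+};
+var result = dottie.transform(flat);
+assert.strictEqual(result.user.name, 'Alice');
+assert.strictEqual(result.user.email, 'alice@example.com');
+assert.strictEqual(result.user.settings.theme, 'dark');
+});
+});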
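Review bot: The first case passes `'user.name': 'guest'` next to the blocked key but never checks that it survives, and `result.user === undefined || ...` explicitly accepts the whole `user` branch being dropped. A fix that discards every sibling of an unsafe key would therefore still pass. If the intended contract is that only the unsafe key is skipped, add `assert.strictEqual(result.user.name, 'guest');` so the test records it. In the four cases that only check `({}).polluted`, `result` is assigned and never read; either drop the assignment or assert on `result` so the test covers the returned object as well as the global prototype.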
