Cleanup

node_modules/mquery/History.md

@@ -1,3 +1,15 @@
+3.2.5 / 2021-03-29
+==================
+ * fix(utils): make `mergeClone()` skip special properties like `__proto__` #121 [zpbrent](https://github.com/zpbrent)
+
+3.2.4 / 2021-02-12
+==================
+ * fix(utils): make clone() only copy own properties Automattic/mongoose#9876
+
+3.2.3 / 2020-12-10
+==================
+ * fix(utils): avoid copying special properties like `__proto__` when merging and cloning. Fix CVE-2020-35149
+
 3.2.2 / 2019-09-22
 ==================
  * fix: dont re-call setOptions() when pulling base class options Automattic/mongoose#8159

node_modules/mquery/lib/utils.js

@@ -7,6 +7,8 @@
 var Buffer = require('safe-buffer').Buffer;
 var RegExpClone = require('regexp-clone');
 
+var specialProperties = ['__proto__', 'constructor', 'prototype'];
+
 /**
  * Clones objects
  *
@@ -66,9 +68,14 @@ exports.cloneObject = function cloneObject(obj, options) {
   var ret = {};
   var hasKeys;
   var val;
-  var k;
 
-  for (k in obj) {
+  for (const k of Object.keys(obj)) {
+    // Not technically prototype pollution because this wouldn't merge properties
+    // onto `Object.prototype`, but avoid properties like __proto__ as a precaution.
+    if (specialProperties.indexOf(k) !== -1) {
+      continue;
+    }
+
     val = clone(obj[k], options);
 
     if (!minimize || ('undefined' !== typeof val)) {
@@ -133,6 +140,9 @@ exports.merge = function merge(to, from) {
 
   while (i--) {
     key = keys[i];
+    if (specialProperties.indexOf(key) !== -1) {
+      continue;
+    }
     if ('undefined' === typeof to[key]) {
       to[key] = from[key];
     } else {
@@ -160,6 +170,9 @@ exports.mergeClone = function mergeClone(to, from) {
 
   while (i--) {
     key = keys[i];
+    if (specialProperties.indexOf(key) !== -1) {
+      continue;
+    }
     if ('undefined' === typeof to[key]) {
       to[key] = clone(from[key]);
     } else {
@@ -284,13 +297,7 @@ exports.isArray = function(arg) {
  * Object.keys helper
  */
 
-exports.keys = Object.keys || function(obj) {
-  var keys = [];
-  for (var k in obj) if (obj.hasOwnProperty(k)) {
-    keys.push(k);
-  }
-  return keys;
-};
+exports.keys = Object.keys;
 
 /**
  * Basic Object.create polyfill.

node_modules/mquery/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mquery",
-  "version": "3.2.2",
+  "version": "3.2.5",
   "description": "Expressive query building for MongoDB",
   "main": "lib/mquery.js",
   "scripts": {
@@ -25,7 +25,7 @@
   "devDependencies": {
     "eslint": "5.x",
     "mocha": "4.1.0",
-    "mongodb": "3.1.1"
+    "mongodb": "3.6.1"
   },
   "bugs": {
     "url": "https://github.com/aheckmann/mquery/issues/new"
@@ -81,8 +81,4 @@
       "space-unary-ops": "error"
     }
   }
-
-,"_resolved": "https://registry.npmjs.org/mquery/-/mquery-3.2.2.tgz"
-,"_integrity": "sha512-XB52992COp0KP230I3qloVUbkLUxJIu328HBP2t2EsxSFtf4W1HPSOBWOXf1bqxK4Xbb66lfMJ+Bpfd9/yZE1Q=="
-,"_from": "mquery@3.2.2"
-}
+}

node_modules/mquery/test/utils.test.js

@@ -140,5 +140,23 @@ describe('lib/utils', function() {
 
       done();
     });
+
+    it('skips __proto__', function() {
+      var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}');
+      var res = utils.clone(payload);
+
+      assert.strictEqual({}.polluted, void 0);
+      assert.strictEqual(res.__proto__, Object.prototype);
+    });
+  });
+
+  describe('merge', function() {
+    it('avoids prototype pollution', function() {
+      var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}');
+      var obj = {};
+      utils.merge(obj, payload);
+
+      assert.strictEqual({}.polluted, void 0);
+    });
   });
 });