Use a little more robust method of checking instances
kriszyp committed Nov 2, 2021
1 parent ef60987 commit f6f6a3b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/validate.js
Expand Up @@ -208,7 +208,7 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O

for(var i in objTypeDef){
if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){
var value = instance[i];
var value = instance.hasOwnProperty(i) ? instance[i] : undefined;
// skip _not_ specified properties
if (value === undefined && options.existingOnly) continue;
var propDef = objTypeDef[i];
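Review bot: the new `instance.hasOwnProperty(i) ? instance[i] : undefined` reaches `hasOwnProperty` through the instance itself, so an instance created with `Object.create(null)` throws a TypeError at this line, and an instance that carries its own `hasOwnProperty` property decides the outcome of the check; `Object.prototype.hasOwnProperty.call(instance, i) ? instance[i] : undefined` avoids both. It is also worth recording in the commit message that this is a behaviour change for inherited values: a property that reaches `instance` through its prototype chain is now validated as `undefined` (and skipped under `options.existingOnly`) instead of as the inherited value, which is the intent of the guard on `__proto__` and `constructor` just above but affects ordinary prototype-based instances as well.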

5 comments on commit f6f6a3b

@JamieSlome

@kriszyp - just to confirm, does this fix the report submitted by the researcher here?

@kriszyp kriszyp commented on f6f6a3b Nov 2, 2021
does this fix the report submitted by the researcher here?

Yes, along with 22f1461, that is intended to fix that security issue.

@JamieSlome JamieSlome commented on f6f6a3b Nov 2, 2021

@kriszyp - thanks for the heads up! Are you able to confirm this on the report, and we can go ahead and publish a CVE / make the report public?

(cc @yoshino-s)

@kriszyp kriszyp commented on f6f6a3b Nov 9, 2021
Yes, I have published the updated version with the fix.

@JamieSlome
@kriszyp - could you update this on the report: https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9/

You can also decide if you would like to keep the bounty for yourself or return it to the prize pot 👌
