
Tried to fix possible prototype pollution reported by Deepcode.ai.

Thanks to Deepcode.ai and xet7 !
Lauri Ojansivu 4 anos atrás
pai
commit
8f553497e4
1 arquivos alterados com 33 adições e 31 exclusões
  1. 33 31
      client/components/main/globalSearch.js

+ 33 - 31
client/components/main/globalSearch.js

@@ -247,44 +247,46 @@ BlazeComponent.extendComponent({
         } else {
           op = m.groups.abbrev;
         }
-        if (op in operatorMap) {
-          let value = m.groups.value;
-          if (operatorMap[op] === 'labels') {
-            if (value in this.colorMap) {
-              value = this.colorMap[value];
-            }
-          } else if (
-            ['dueAt', 'createdAt', 'modifiedAt'].includes(operatorMap[op])
-          ) {
-            const days = parseInt(value, 10);
-            if (isNaN(days)) {
-              if (['day', 'week', 'month', 'quarter', 'year'].includes(value)) {
+        if (op !== "__proto__") {
+          if (op in operatorMap) {
+            let value = m.groups.value;
+            if (operatorMap[op] === 'labels') {
+              if (value in this.colorMap) {
+                value = this.colorMap[value];
+              }
+            } else if (
+              ['dueAt', 'createdAt', 'modifiedAt'].includes(operatorMap[op])
+            ) {
+              const days = parseInt(value, 10);
+              if (isNaN(days)) {
+                if (['day', 'week', 'month', 'quarter', 'year'].includes(value)) {
+                  value = moment()
+                    .subtract(1, value)
+                    .format();
+                } else {
+                  this.parsingErrors.push({
+                    tag: 'operator-number-expected',
+                    value: { operator: op, value },
+                  });
+                  value = null;
+                }
+              } else {
                 value = moment()
-                  .subtract(1, value)
+                  .subtract(days, 'days')
                   .format();
-              } else {
-                this.parsingErrors.push({
-                  tag: 'operator-number-expected',
-                  value: { operator: op, value },
-                });
-                value = null;
               }
+            }
+            if (Array.isArray(params[operatorMap[op]])) {
+              params[operatorMap[op]].push(value);
             } else {
-              value = moment()
-                .subtract(days, 'days')
-                .format();
+              params[operatorMap[op]] = value;
             }
-          }
-          if (Array.isArray(params[operatorMap[op]])) {
-            params[operatorMap[op]].push(value);
           } else {
-            params[operatorMap[op]] = value;
+            this.parsingErrors.push({
+              tag: 'operator-unknown-error',
+              value: op,
+            });
           }
-        } else {
-          this.parsingErrors.push({
-            tag: 'operator-unknown-error',
-            value: op,
-          });
         }
         continue;
       }
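Review bot: The new guard at the top of the hunk, `if (op !== "__proto__")`, only blocks one inherited key; the `op in operatorMap` test on the next line still walks the prototype chain, so user-typed operators such as `constructor`, `toString` or `hasOwnProperty` pass it and `operatorMap[op]` then yields an inherited function that is used as the key in `params[operatorMap[op]] = value`. The robust form is a single own-property check that replaces both conditions, `if (Object.prototype.hasOwnProperty.call(operatorMap, op)) {`, with the unknown-operator `parsingErrors.push` in its `else`; the same applies to the label lookup, `value in this.colorMap`, which should become `Object.prototype.hasOwnProperty.call(this.colorMap, value)` so a label named `constructor` is not resolved to a function. This assumes `operatorMap` and `this.colorMap` are plain object literals, which is not visible in the hunk; if they were built with `Object.create(null)` the `in` checks would already be safe. As a point of style, `"__proto__"` is the only double-quoted string in the hunk while the rest of the file uses single quotes. The enclosing function starts before the hunk and continues after the `continue;` at its end.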