Release v1.2.1 (#72)

- guard against prototype pollution
haraka · Apr 24, 2024 · 35e1325 · 35e1325
1 parent aad4576
commit 35e1325
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 24 deletions.
diff --git a/.prettierignore b/.prettierignore
@@ -0,0 +1 @@
+test/config/bad.yaml
diff --git a/.release b/.release
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
+# Changelog
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/).
+
 ### Unreleased
 
+### [1.2.1] - 2024-04-24
+
+- config: guard against prototype pollution
+
 ### [1.2.0] - 2024-04-14
 
 - feat: getDir can parse different types of files in a dir
@@ -121,3 +129,4 @@
 
 [1.1.0]: https://github.com/haraka/haraka-config/releases/tag/1.1.0
 [1.2.0]: https://github.com/haraka/haraka-config/releases/tag/v1.2.0
+[1.2.1]: https://github.com/haraka/haraka-config/releases/tag/v1.2.1
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -2,7 +2,7 @@
 
 This handcrafted artisinal software is brought to you by:
 
-| <img height="80" src="https://avatars.githubusercontent.com/u/261635?v=4"><br><a href="https://github.com/msimerson">msimerson</a> (<a href="https://github.com/haraka/haraka-config/commits?author=msimerson">52</a>) | <img height="80" src="https://avatars.githubusercontent.com/u/42121756?v=4"><br><a href="https://github.com/PSSGCSim">PSSGCSim</a> (<a href="https://github.com/haraka/haraka-config/commits?author=PSSGCSim">7</a>) | <img height="80" src="https://avatars.githubusercontent.com/u/662371?v=4"><br><a href="https://github.com/baudehlo">baudehlo</a> (<a href="https://github.com/haraka/haraka-config/commits?author=baudehlo">1</a>) | <img height="80" src="https://avatars.githubusercontent.com/u/651048?v=4"><br><a href="https://github.com/Wesitos">Wesitos</a> (<a href="https://github.com/haraka/haraka-config/commits?author=Wesitos">1</a>) | <img height="80" src="https://avatars.githubusercontent.com/u/2270015?v=4"><br><a href="https://github.com/oreoluwa">oreoluwa</a> (<a href="https://github.com/haraka/haraka-config/commits?author=oreoluwa">1</a>) |
+| <img height="80" src="https://avatars.githubusercontent.com/u/261635?v=4"><br><a href="https://github.com/msimerson">msimerson</a> (<a href="https://github.com/haraka/haraka-config/commits?author=msimerson">53</a>) | <img height="80" src="https://avatars.githubusercontent.com/u/42121756?v=4"><br><a href="https://github.com/PSSGCSim">PSSGCSim</a> (<a href="https://github.com/haraka/haraka-config/commits?author=PSSGCSim">7</a>) | <img height="80" src="https://avatars.githubusercontent.com/u/662371?v=4"><br><a href="https://github.com/baudehlo">baudehlo</a> (<a href="https://github.com/haraka/haraka-config/commits?author=baudehlo">1</a>) | <img height="80" src="https://avatars.githubusercontent.com/u/651048?v=4"><br><a href="https://github.com/Wesitos">Wesitos</a> (<a href="https://github.com/haraka/haraka-config/commits?author=Wesitos">1</a>) | <img height="80" src="https://avatars.githubusercontent.com/u/2270015?v=4"><br><a href="https://github.com/oreoluwa">oreoluwa</a> (<a href="https://github.com/haraka/haraka-config/commits?author=oreoluwa">1</a>) |
 | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
 
 <sub>this file is maintained by [.release](https://github.com/msimerson/.release)</sub>
diff --git a/README.md b/README.md
@@ -228,6 +228,7 @@ hosts[] = third_host
 
 which produces this javascript array:
 
+<!-- prettier-ignore -->
 ```js
 ['first_host', 'second_host', 'third_host']
 ```

diff --git a/config.js b/config.js
@@ -139,6 +139,7 @@ function merge_config(defaults, overrides, type) {
 
 function merge_struct(defaults, overrides) {
   for (const k in overrides) {
+    if (['__proto__', 'constructor'].includes(k)) continue
     if (k in defaults) {
       if (typeof overrides[k] === 'object' && typeof defaults[k] === 'object') {
         defaults[k] = merge_struct(defaults[k], overrides[k])

diff --git a/lib/watch.js b/lib/watch.js
@@ -60,26 +60,22 @@ module.exports.dir = (reader) => {
   if (watchers[cp]) return
 
   try {
-    watchers[cp] = fs.watch(
-      cp,
-      { persistent: false },
-      (fse, filename) => {
-        if (!filename) return
-        const full_path = path.join(cp, filename)
-        const args = reader._read_args[full_path]
-        if (!args) return
-        if (args.options?.no_watch) return
-        if (sedation_timers[filename]) {
-          clearTimeout(sedation_timers[filename])
-        }
-        sedation_timers[filename] = setTimeout(() => {
-          console.log(`Reloading file: ${full_path}`)
-          reader.load_config(full_path, args.type, args.options)
-          delete sedation_timers[filename]
-          if (typeof args.cb === 'function') args.cb()
-        }, 5 * 1000)
-      },
-    )
+    watchers[cp] = fs.watch(cp, { persistent: false }, (fse, filename) => {
+      if (!filename) return
+      const full_path = path.join(cp, filename)
+      const args = reader._read_args[full_path]
+      if (!args) return
+      if (args.options?.no_watch) return
+      if (sedation_timers[filename]) {
+        clearTimeout(sedation_timers[filename])
+      }
+      sedation_timers[filename] = setTimeout(() => {
+        console.log(`Reloading file: ${full_path}`)
+        reader.load_config(full_path, args.type, args.options)
+        delete sedation_timers[filename]
+        if (typeof args.cb === 'function') args.cb()
+      }, 5 * 1000)
+    })
   } catch (e) {
     console.error(`Error watching directory ${cp}(${e})`)
   }
@@ -141,4 +137,4 @@ module.exports.onEvent = (reader, name, args) => {
       }
     }
   }
-}
+}
diff --git a/package.json b/package.json
@@ -3,7 +3,7 @@
   "name": "haraka-config",
   "license": "MIT",
   "description": "Haraka's config file loader",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "homepage": "http://haraka.github.io",
   "repository": {
     "type": "git",