From 35e1325eb498d62175e7d2a57bda30f215af7611 Mon Sep 17 00:00:00 2001
From: Matt Simerson
Date: Wed, 24 Apr 2024 13:09:14 -0700
Subject: [PATCH] Release v1.2.1 (#72)

- guard against prototype pollution
---
 .prettierignore | 1 +
 .release | 2 +-
 CHANGELOG.md | 9 +++++++++
 CONTRIBUTORS.md | 2 +-
 README.md | 1 +
 config.js | 1 +
 lib/watch.js | 38 +++++++++++++++++--------------------
 package.json | 2 +-
 8 files changed, 32 insertions(+), 24 deletions(-)
 create mode 100644 .prettierignore
diff --git a/.prettierignore b/.prettierignore
new file mode 100644
index 0000000..db98bb1
--- /dev/null
+++ b/.prettierignore
@@ -0,0 +1 @@
+test/config/bad.yaml
diff --git a/.release b/.release
index 36bb27a..0fa4e69 160000
--- a/.release
+++ b/.release
@@ -1 +1 @@
-Subproject commit 36bb27a93862517943e04f24fd67b0df2da6cbbe
+Subproject commit 0fa4e690ffabb0157e46d56f18e4f7cfe49ce291
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77a0ece..500da4a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
+# Changelog
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/).
+
 ### Unreleased
+### [1.2.1] - 2024-04-24
+
+- config: guard against prototype pollution
+
 ### [1.2.0] - 2024-04-14
 - feat: getDir can parse different types of files in a dir
@@ -121,3 +129,4 @@
 [1.1.0]: https://github.com/haraka/haraka-config/releases/tag/1.1.0
 [1.2.0]: https://github.com/haraka/haraka-config/releases/tag/v1.2.0
+[1.2.1]: https://github.com/haraka/haraka-config/releases/tag/v1.2.1
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index a7ac9c8..1f02864 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -2,7 +2,7 @@
 This handcrafted artisinal software is brought to you by:
-|
msimerson (52) |
PSSGCSim (7) |
baudehlo (1) |
Wesitos (1) |
oreoluwa (1) | +|
msimerson (53) |
PSSGCSim (7) |
baudehlo (1) |
Wesitos (1) |
oreoluwa (1) |
 | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | :-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
 this file is maintained by [.release](https://github.com/msimerson/.release)
diff --git a/README.md b/README.md
index 7c6b61b..014514e 100644
--- a/README.md
+++ b/README.md
@@ -228,6 +228,7 @@ hosts[] = third_host
 which produces this javascript array:
+
 ```js
 ['first_host', 'second_host', 'third_host']
 ```
diff --git a/config.js b/config.js
index bc18492..f1e1fc8 100644
--- a/config.js
+++ b/config.js
@@ -139,6 +139,7 @@ function merge_config(defaults, overrides, type) {
 function merge_struct(defaults, overrides) {
 for (const k in overrides) {
+ if (['__proto__', 'constructor'].includes(k)) continue
 if (k in defaults) {
 if (typeof overrides[k] === 'object' && typeof defaults[k] === 'object') {
 defaults[k] = merge_struct(defaults[k], overrides[k])
diff --git a/lib/watch.js b/lib/watch.js
index 1277764..3029dd6 100644
--- a/lib/watch.js
+++ b/lib/watch.js
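Review bot: The new guard in merge_struct skips `__proto__` and `constructor`, but the next line still tests `k in defaults`, which also matches inherited members such as `toString`, so what counts as an existing default depends on the prototype chain rather than on the parsed config. An own-property test, `if (Object.prototype.hasOwnProperty.call(defaults, k)) {`, would close that gap, and adding `'prototype'` to the skipped keys is the usual defence in depth for this kind of denylist. The diffstat lists no test file, so a regression test that merges an override carrying a `__proto__` key and asserts that `Object.prototype` is unchanged would pin the fix. The rest of merge_struct lies outside the hunk, so how the non-matching branch assigns keys could not be checked.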
@@ -60,26 +60,22 @@ module.exports.dir = (reader) => {
 if (watchers[cp]) return
 try {
- watchers[cp] = fs.watch(
- cp,
- { persistent: false },
- (fse, filename) => {
- if (!filename) return
- const full_path = path.join(cp, filename)
- const args = reader._read_args[full_path]
- if (!args) return
- if (args.options?.no_watch) return
- if (sedation_timers[filename]) {
- clearTimeout(sedation_timers[filename])
- }
- sedation_timers[filename] = setTimeout(() => {
- console.log(`Reloading file: ${full_path}`)
- reader.load_config(full_path, args.type, args.options)
- delete sedation_timers[filename]
- if (typeof args.cb === 'function') args.cb()
- }, 5 * 1000)
- },
- )
+ watchers[cp] = fs.watch(cp, { persistent: false }, (fse, filename) => {
+ if (!filename) return
+ const full_path = path.join(cp, filename)
+ const args = reader._read_args[full_path]
+ if (!args) return
+ if (args.options?.no_watch) return
+ if (sedation_timers[filename]) {
+ clearTimeout(sedation_timers[filename])
+ }
+ sedation_timers[filename] = setTimeout(() => {
+ console.log(`Reloading file: ${full_path}`)
+ reader.load_config(full_path, args.type, args.options)
+ delete sedation_timers[filename]
+ if (typeof args.cb === 'function') args.cb()
+ }, 5 * 1000)
+ })
 } catch (e) {
 console.error(`Error watching directory ${cp}(${e})`)
 }
@@ -141,4 +137,4 @@ module.exports.onEvent = (reader, name, args) => {
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/package.json b/package.json
index a957203..24e64f8 100644
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
 "name": "haraka-config",
 "license": "MIT",
 "description": "Haraka's config file loader",
- "version": "1.2.0",
+ "version": "1.2.1",
 "homepage": "http://haraka.github.io",
 "repository": {
 "type": "git",