Merge branch 'main' into all-contributors/add-kidqueb

flightcontrolhq · Oct 23, 2023 · 67186d6 · 67186d6
2 parents b88af0c + 734a829
commit 67186d6
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 1 deletion.
diff --git a/.all-contributorsrc b/.all-contributorsrc
@@ -274,6 +274,15 @@
       "name": "Nick Quebbeman",
       "avatar_url": "https://avatars.githubusercontent.com/u/884128?v=4",
       "profile": "https://github.com/kidqueb",
+      "contributions": [
+        "doc"
+      ]
+    },
+    {
+      "login": "tmcw",
+      "name": "Tom MacWright",
+      "avatar_url": "https://avatars.githubusercontent.com/u/32314?v=4",
+      "profile": "https://macwright.com/",
       "contributions": [
         "bug",
         "code"

diff --git a/README.md b/README.md
@@ -75,7 +75,9 @@ const jsonString = superjson.stringify({ date: new Date(0) });
 And parse your JSON like so:
 
 ```js
-const object = superjson.parse < { date: Date } > jsonString;
+const object = superjson.parse<
+{ date: Date }
+>(jsonString);
 
 // object === { date: new Date(0) }
 ```
@@ -324,6 +326,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     </tr>
     <tr>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/kidqueb"><img src="https://avatars.githubusercontent.com/u/884128?v=4?s=100" width="100px;" alt="Nick Quebbeman"/><br /><sub><b>Nick Quebbeman</b></sub></a><br /><a href="https://github.com/blitz-js/superjson/issues?q=author%3Akidqueb" title="Bug reports">🐛</a> <a href="https://github.com/blitz-js/superjson/commits?author=kidqueb" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://macwright.com/"><img src="https://avatars.githubusercontent.com/u/32314?v=4?s=100" width="100px;" alt="Tom MacWright"/><br /><sub><b>Tom MacWright</b></sub></a><br /><a href="https://github.com/blitz-js/superjson/issues?q=author%3Atmcw" title="Bug reports">🐛</a> <a href="https://github.com/blitz-js/superjson/commits?author=tmcw" title="Code">💻</a></td>
     </tr>
   </tbody>
 </table>

diff --git a/package.json b/package.json
@@ -3,6 +3,7 @@
   "license": "MIT",
   "type": "module",
   "typings": "dist/index.d.ts",
+  "main": "./dist/index.js",
   "exports": {
     ".": "./dist/index.js"
   },

diff --git a/src/index.test.ts b/src/index.test.ts
@@ -1054,6 +1054,17 @@ test('regression: `Object.create(null)` / object without prototype', () => {
   expect(parsed.date).toBeInstanceOf(Date);
 });
 
+test.each(['__proto__', 'prototype', 'constructor'])(
+  'serialize prototype pollution: %s',
+  forbidden => {
+    expect(() => {
+      SuperJSON.serialize({
+        [forbidden]: 1,
+      });
+    }).toThrowError(/This is a prototype pollution risk/);
+  }
+);
+
 test('prototype pollution - __proto__', () => {
   expect(() => {
     SuperJSON.parse(

diff --git a/src/plainer.ts b/src/plainer.ts
@@ -216,6 +216,16 @@ export const walker = (
   const innerAnnotations: Record<string, Tree<TypeAnnotation>> = {};
 
   forEach(transformed, (value, index) => {
+    if (
+      index === '__proto__' ||
+      index === 'constructor' ||
+      index === 'prototype'
+    ) {
+      throw new Error(
+        `Detected property ${index}. This is a prototype pollution risk, please remove it from your object.`
+      );
+    }
+
     const recursiveResult = walker(
       value,
       identities,