From 67e5545d1164d2d3063f95dafc606995d0d63aea Mon Sep 17 00:00:00 2001
From: Mike Marcacci
Date: Tue, 10 Oct 2023 16:51:35 -0700
Subject: [PATCH 1/2] Use null prototype for map values

This fixes alerts for prototype pollution vunerabillities. In my assessment the risk here is near-zero, as the keys are trusted configured values and hashes. However, this is still better practice.
---
 packages/http-proxy-client/src/index.ts | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/packages/http-proxy-client/src/index.ts b/packages/http-proxy-client/src/index.ts
index 224d948c..14c7ded1 100644
--- a/packages/http-proxy-client/src/index.ts
+++ b/packages/http-proxy-client/src/index.ts
@@ -195,7 +195,7 @@ export default class AuthXClientProxy extends EventEmitter {
     [refreshToken: string]: {
       [hash: string]: string;
     };
-  } = {};
+  } = Object.create(null);
 
   /**
    * A request fetches fresh access tokens from AuthX.
@@ -208,7 +208,7 @@ export default class AuthXClientProxy extends EventEmitter {
         timeout: ReturnType;
       };
     };
-  } = {};
+  } = Object.create(null);
 
   /**
    * A refresh timeout is responsible for initiating a request to AuthX that
@@ -218,7 +218,7 @@ export default class AuthXClientProxy extends EventEmitter {
     [refreshToken: string]: {
       [hash: string]: ReturnType;
     };
-  } = {};
+  } = Object.create(null);
 
   /**
    * An eviction timeout is responsible for preventing tokens from being
@@ -230,7 +230,7 @@ export default class AuthXClientProxy extends EventEmitter {
     [refreshToken: string]: {
       [hash: string]: ReturnType;
     };
-  } = {};
+  } = Object.create(null);
 
   /**
    * An expiration timeout is responsible for removing expired tokens from the
@@ -241,7 +241,7 @@ export default class AuthXClientProxy extends EventEmitter {
     [refreshToken: string]: {
       [hash: string]: ReturnType;
     };
-  } = {};
+  } = Object.create(null);
 
   public readonly server: Server;
 
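Review bot: `Object.create(null)` is typed `any` in the standard library, so each `} = Object.create(null);` initializer in these five field hunks (and the `|| Object.create(null)` fallbacks in the -458, -584, -599, -611, -632 and -664 hunks) quietly erases the declared map type at the assignment site. A small typed factory keeps the checker involved at every site, e.g. `const nullMap = <T>(): { [key: string]: T } => Object.create(null);` and then `} = nullMap();` / `|| nullMap()`. The first field would also benefit from a why-comment such as `// Null-prototype maps: keys are refresh tokens and hashes, so inherited Object.prototype members must never be reachable by key lookup.` One caveat to confirm: null-prototype objects have no `hasOwnProperty`/`toString`, so any code elsewhere in the class that calls those on these maps would now throw; none is visible in the hunks shown, and the class body runs beyond every hunk here.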
@@ -458,7 +458,7 @@ export default class AuthXClientProxy extends EventEmitter {
 
     // Create a new eviction timeout.
     this._evictionTimeouts[refreshToken] =
-      this._evictionTimeouts[refreshToken] || {};
+      this._evictionTimeouts[refreshToken] || Object.create(null);
     this._evictionTimeouts[refreshToken][hash] = setTimeout(
       () => this._evict(refreshToken, hash),
       (this._config.evictDormantCachedTokensThreshold || 600) * 1000
@@ -584,7 +584,7 @@ export default class AuthXClientProxy extends EventEmitter {
 
     // Set an expiration timeout.
     this._expirationTimeouts[refreshToken] =
-      this._expirationTimeouts[refreshToken] || {};
+      this._expirationTimeouts[refreshToken] || Object.create(null);
     if (this._expirationTimeouts[refreshToken][hash]) {
       clearTimeout(this._expirationTimeouts[refreshToken][hash]);
     }
@@ -599,7 +599,7 @@ export default class AuthXClientProxy extends EventEmitter {
 
     // Set a refresh timeout.
     this._refreshTimeouts[refreshToken] =
-      this._refreshTimeouts[refreshToken] || {};
+      this._refreshTimeouts[refreshToken] || Object.create(null);
     if (this._refreshTimeouts[refreshToken][hash]) {
       clearTimeout(this._refreshTimeouts[refreshToken][hash]);
     }
@@ -611,7 +611,7 @@ export default class AuthXClientProxy extends EventEmitter {
 
     // Cache the access token.
     this._accessTokens[refreshToken] =
-      this._accessTokens[refreshToken] || {};
+      this._accessTokens[refreshToken] || Object.create(null);
     this._accessTokens[refreshToken][hash] = accessToken;
 
     return accessToken;
@@ -632,7 +632,7 @@ export default class AuthXClientProxy extends EventEmitter {
       // using incorrect credentials), and don't retry those.
       if (retry) {
         this._refreshTimeouts[refreshToken] =
-          this._refreshTimeouts[refreshToken] || {};
+          this._refreshTimeouts[refreshToken] || Object.create(null);
         if (this._refreshTimeouts[refreshToken][hash]) {
           clearTimeout(this._refreshTimeouts[refreshToken][hash]);
         }
@@ -664,7 +664,7 @@ export default class AuthXClientProxy extends EventEmitter {
     };
 
     // Store the request.
-    this._requests[refreshToken] = this._requests[refreshToken] || {};
+    this._requests[refreshToken] = this._requests[refreshToken] || Object.create(null);
     this._requests[refreshToken][hash] = request;
     return request.promise;
   }

From bc106c012bf763e6bdbb9395728283146a723d8d Mon Sep 17 00:00:00 2001
From: Mike Marcacci
Date: Fri, 5 Jan 2024 15:15:42 -0800
Subject: [PATCH 2/2] fix formatting, lerna config

---
 lerna.json                              | 2 +-
 packages/http-proxy-client/src/index.ts | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lerna.json b/lerna.json
index 413c347e..5fd53c04 100644
--- a/lerna.json
+++ b/lerna.json
@@ -1,5 +1,5 @@
 {
-  "packages": ["packages/*"],
+  "useWorkspaces": true,
   "version": "3.1.0-alpha.52",
   "npmClient": "npm"
 }
diff --git a/packages/http-proxy-client/src/index.ts b/packages/http-proxy-client/src/index.ts
index 14c7ded1..bee25282 100644
--- a/packages/http-proxy-client/src/index.ts
+++ b/packages/http-proxy-client/src/index.ts
@@ -664,7 +664,8 @@ export default class AuthXClientProxy extends EventEmitter {
     };
 
     // Store the request.
-    this._requests[refreshToken] = this._requests[refreshToken] || Object.create(null);
+    this._requests[refreshToken] =
+      this._requests[refreshToken] || Object.create(null);
     this._requests[refreshToken][hash] = request;
     return request.promise;
   }