|
1 | | -/*! js-yaml 3.14.1 https://github.com/nodeca/js-yaml */(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.jsyaml = f()}})(function(){var define,module,exports;return (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof require&&require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u="function"==typeof require&&require,i=0;i<t.length;i++)o(t[i]);return o}return r})()({1:[function(require,module,exports){ |
| 1 | +/*! js-yaml 3.14.2 https://github.com/nodeca/js-yaml */(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.jsyaml = f()}})(function(){var define,module,exports;return (function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof require&&require;if(!f&&c)return c(i,!0);if(u)return u(i,!0);var a=new Error("Cannot find module '"+i+"'");throw a.code="MODULE_NOT_FOUND",a}var p=n[i]={exports:{}};e[i][0].call(p.exports,function(r){var n=e[i][1][r];return o(n||r)},p,p.exports,r,e,n,t)}return n[i].exports}for(var u="function"==typeof require&&require,i=0;i<t.length;i++)o(t[i]);return o}return r})()({1:[function(require,module,exports){ |
2 | 2 | 'use strict'; |
3 | 3 |
|
4 | 4 |
|
@@ -1121,6 +1121,22 @@ function charFromCodepoint(c) { |
1121 | 1121 | ); |
1122 | 1122 | } |
1123 | 1123 |
|
| 1124 | +// set a property of a literal object, while protecting against prototype pollution, |
| 1125 | +// see https://github.com/nodeca/js-yaml/issues/164 for more details |
| 1126 | +function setProperty(object, key, value) { |
| 1127 | + // used for this specific key only because Object.defineProperty is slow |
| 1128 | + if (key === '__proto__') { |
| 1129 | + Object.defineProperty(object, key, { |
| 1130 | + configurable: true, |
| 1131 | + enumerable: true, |
| 1132 | + writable: true, |
| 1133 | + value: value |
| 1134 | + }); |
| 1135 | + } else { |
| 1136 | + object[key] = value; |
| 1137 | + } |
| 1138 | +} |
| 1139 | + |
1124 | 1140 | var simpleEscapeCheck = new Array(256); // integer, for fast access |
1125 | 1141 | var simpleEscapeMap = new Array(256); |
1126 | 1142 | for (var i = 0; i < 256; i++) { |
@@ -1278,7 +1294,7 @@ function mergeMappings(state, destination, source, overridableKeys) { |
1278 | 1294 | key = sourceKeys[index]; |
1279 | 1295 |
|
1280 | 1296 | if (!_hasOwnProperty.call(destination, key)) { |
1281 | | - destination[key] = source[key]; |
| 1297 | + setProperty(destination, key, source[key]); |
1282 | 1298 | overridableKeys[key] = true; |
1283 | 1299 | } |
1284 | 1300 | } |
@@ -1334,7 +1350,7 @@ function storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valu |
1334 | 1350 | state.position = startPos || state.position; |
1335 | 1351 | throwError(state, 'duplicated mapping key'); |
1336 | 1352 | } |
1337 | | - _result[keyNode] = valueNode; |
| 1353 | + setProperty(_result, keyNode, valueNode); |
1338 | 1354 | delete overridableKeys[keyNode]; |
1339 | 1355 | } |
1340 | 1356 |
|
|
0 commit comments