kibana/packages/elastic-safer-lodash-set
Tiago Costa 302bd423f3
chore(NA): eslint rule for disallowing naked eslint-disable (#136408)
* chore(NA): eslint rule for disallowing naked eslint-disable

* chore(NA): export new rule and update docs

* chore(NA): creation of rule in ts

* chore(NA): new corrected rule in ts

* refact(NA): remove old logic from older plugin

* docs(NA): update documentation

* docs(NA): update documentation

* docs(NA): update documentation

* refact(NA): include edge cases for better locating errors

* chore(NA): changed regex name

* docs(NA): correct name rule on docs

* refact(NA): use dedent in the template literals

* refact(NA): check for undefined

* fix(NA): introduces support for eslint-disable-line

* chore(NA): fix extra space

* test(NA): created more test cases

* chore(NA): rename plugin to eslint-plugin-disable

* docs(NA): update nav and operations landing page ids for eslint rule

* test(NA): use messageIds on test

* chore(NA): complete naked eslint disables with specific rules

* chore(NA): specific rules for a few naked eslint disable

* chore(NA): add focused eslint disable on big reindex_operation_with_large_error_message.ts file

* chore(NA): changes according to PR feedback

* chore(NA): include specific eslint rules on latest naked eslint disable

* chore(NA): missing eslint disable specific rule

* fix(NA): remove comment for js annotator

* chore(NA): re add eslint focused disable rule to x-pack/plugins/osquery/cypress/support/coverage.ts

* chore(NA): re add eslint focused disable rule to x-pack/plugins/osquery/cypress/support/coverage.ts

* chore(NA): re add eslint focused disable rule to x-pack/plugins/osquery/cypress/support/coverage.ts

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-07-19 17:11:04 +01:00
fp fix all violations 2022-04-16 01:37:30 -05:00
lodash chore(NA): eslint rule for disallowing naked eslint-disable (#136408) 2022-07-19 17:11:04 +01:00
scripts Introduce TS incremental builds & move src/test_utils to TS project (#76082) 2020-09-03 14:20:04 +02:00
test fix all violations 2022-04-16 01:37:30 -05:00
.gitignore Add @elastic/safer-lodash-set as an alternative to lodash.set (#67452) 2020-07-15 10:29:57 +02:00
.npmignore Add @elastic/safer-lodash-set as an alternative to lodash.set (#67452) 2020-07-15 10:29:57 +02:00
BUILD.bazel chore(NA): splits types from code on @elastic/safer-lodash-set (#122697) 2022-01-12 19:10:36 +00:00
index.d.ts Add @elastic/safer-lodash-set as an alternative to lodash.set (#67452) 2020-07-15 10:29:57 +02:00
index.js Add @elastic/safer-lodash-set as an alternative to lodash.set (#67452) 2020-07-15 10:29:57 +02:00
LICENSE Move contribution declarations to the bottom of LICENSE files (#133502) 2022-06-03 17:11:53 +02:00
package.json Updates Github link references from master to main (#116789) 2021-10-29 09:53:08 -07:00
README.md Add @elastic/safer-lodash-set as an alternative to lodash.set (#67452) 2020-07-15 10:29:57 +02:00
set.d.ts fix all violations 2022-04-16 01:37:30 -05:00
set.js Add @elastic/safer-lodash-set as an alternative to lodash.set (#67452) 2020-07-15 10:29:57 +02:00
setWith.d.ts fix all violations 2022-04-16 01:37:30 -05:00
setWith.js Add @elastic/safer-lodash-set as an alternative to lodash.set (#67452) 2020-07-15 10:29:57 +02:00
tsconfig.json [build_ts_refs] improve caches, allow building a subset of projects (#107981) 2021-08-10 22:12:45 -07:00

@elastic/safer-lodash-set

This module adds protection against prototype pollution to the set and setWith functions from Lodash and is API compatible with Lodash v4.x.

Example Usage

const { set } = require('@elastic/safer-lodash-set');

const object = { a: [{ b: { c: 3 } }] };

set(object, 'a[0].b.c', 4);
console.log(object.a[0].b.c); // => 4

set(object, ['x', '0', 'y', 'z'], 5);
console.log(object.x[0].y.z); // => 5

API

The main module exposes two functions, set and setWith:

const { set, setWith } = require('@elastic/safer-lodash-set');

Besides the main module, it's also possible to require each function individually:

const set = require('@elastic/safer-lodash-set/set');
const setWith = require('@elastic/safer-lodash-set/setWith');

The APIs of these functions are identical to the equivalent Lodash set and setWith functions. Please refer to the Lodash documentation for the respective functions for details.

Functional Programming support (fp)

This module also supports the lodash/fp API and hence exposes the following fp compatible functions:

const { set, setWith } = require('@elastic/safer-lodash-set/fp');

Besides the main fp module, it's also possible to require each function individually:

const set = require('@elastic/safer-lodash-set/fp/set');
const setWith = require('@elastic/safer-lodash-set/fp/setWith');

Limitations

The safety improvements in this module are achieved by adding the following limitations to the algorithm used to walk the path given as the 2nd argument to the set and setWith functions:

Only own properties are followed when walking the path

const { set } = require('@elastic/safer-lodash-set');

const parent = { foo: 1 };
const child = { bar: 2 };

Object.setPrototypeOf(child, parent);

// Now `child` can access `foo` through prototype inheritance
console.log(child.foo); // 1

set(child, 'foo', 3);

// A different `foo` property has now been added directly to the `child`
// object and the `parent` object has not been modified:
console.log(child.foo); // 3
console.log(parent.foo); // 1
console.log(Object.prototype.hasOwnProperty.call(child, 'foo')); // true

The path must not access function prototypes

const assert = require('assert');
const { set } = require('@elastic/safer-lodash-set');

const object = {
  fn1: function () {},
  fn2: () => {},
};

// Attempting to access any function prototype will result in an
// exception being thrown:
assert.throws(() => {
  // Throws: Illegal access of function prototype
  set(object, 'fn1.prototype.toString', 'bang!');
});

// This also goes for arrow functions even though they don't have a
// prototype property. This is just to keep things consistent:
assert.throws(() => {
  // Throws: Illegal access of function prototype
  set(object, 'fn2.prototype.toString', 'bang!');
});
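To make the two limitations above concrete, here is an added, self-contained illustration of a path walker that applies the same two rules (follow own properties only; refuse to step into a function's prototype). It is not the package's own implementation and does not reproduce Lodash's full path grammar: the `saferSet`, `toPath`, `defineOwn` and `demo` names, the simplified bracket handling, and the use of `Object.defineProperty` for writes are all choices made for this example. The `demo` function runs the README's own usage paths plus a `__proto__` path and a function-prototype path, and returns what a defender would want to verify: the intended writes land, `Object.prototype` is untouched, and the function-prototype access throws.

```javascript
// Added example (not @elastic/safer-lodash-set's code): a minimal `set` that
// walks the path under the two rules described in the Limitations section.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObjectLike = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');

// Simplified path parser: 'a[0].b.c' -> ['a', '0', 'b', 'c']. Array paths are
// used as given. (Quoted bracket keys such as a["b.c"] are not handled here.)
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).replace(/\[(\w+)\]/g, '.$1').split('.').filter(Boolean);
}

// Create or overwrite an own data property. Unlike `obj[key] = value`, this
// never invokes an inherited setter, so a key named `__proto__` becomes a plain
// own property instead of changing the object's prototype.
function defineOwn(obj, key, value) {
  Object.defineProperty(obj, key, { value, writable: true, enumerable: true, configurable: true });
}

function saferSet(object, path, value) {
  if (!isObjectLike(object)) return object;
  const keys = toPath(path);
  let current = object;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    // Rule 2: never step into (or write to) a function's prototype. Arrow
    // functions have no `prototype` property, but are rejected as well.
    if (typeof current === 'function' && key === 'prototype') {
      throw new Error('Illegal access of function prototype');
    }
    if (i === keys.length - 1) {
      defineOwn(current, key, value);
      return object;
    }
    // Rule 1: only own properties are followed. Inherited names such as
    // `__proto__` or `constructor` on a plain object are shadowed by a fresh
    // own container, so the walk can never reach a shared prototype.
    if (!hasOwn(current, key) || !isObjectLike(current[key])) {
      defineOwn(current, key, /^\d+$/.test(keys[i + 1]) ? [] : {});
    }
    current = current[key];
  }
  return object;
}

// Exercise the README's paths and the two guarded cases; returns plain values
// so the outcome can be checked rather than only printed.
function demo() {
  const object = { a: [{ b: { c: 3 } }] };
  saferSet(object, 'a[0].b.c', 4);
  saferSet(object, ['x', '0', 'y', 'z'], 5);

  // Paths of the shape a polluting payload would use. Both `__proto__` and
  // `constructor` are inherited, not own, so they are shadowed on `target`.
  const target = {};
  saferSet(target, '__proto__.polluted', true);
  saferSet(target, 'constructor.prototype.polluted', true);

  let functionPrototypeThrows = false;
  try {
    saferSet({ fn: () => {} }, 'fn.prototype.toString', 'bang!');
  } catch (err) {
    functionPrototypeThrows = err.message === 'Illegal access of function prototype';
  }

  return {
    c: object.a[0].b.c,                                   // 4
    z: object.x[0].y.z,                                   // 5
    globalPolluted: ({}).polluted !== undefined,          // false
    prototypeIntact: Object.getPrototypeOf(target) === Object.prototype, // true
    ownShadow: hasOwn(target, '__proto__'),               // true
    functionPrototypeThrows,                              // true
  };
}

console.log(demo());
```

The `Object.defineProperty` write is the one deliberate departure from plain assignment: with `obj[key] = value`, an unowned `__proto__` key would invoke the inherited setter and replace the object's prototype even though own-property checking had already kept the walk off `Object.prototype`.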

License

MIT