

Ignore Object.prototype values in settings through app.set/app.get
closes #4802
closes #4803
EvanHahn authored and dougwilson committed Mar 24, 2022
1 parent 87279c0 commit c17fe05
Showing 3 changed files with 63 additions and 1 deletion.
1 change: 1 addition & 0 deletions History.md
@@ -1,6 +1,7 @@
unreleased
==========

* Ignore `Object.prototype` values in settings through `app.set`/`app.get`
* Support proper 205 responses using `res.send`

4.17.3 / 2022-02-16
19 changes: 18 additions & 1 deletion lib/application.js
Expand Up @@ -29,6 +29,13 @@ var flatten = require('array-flatten');
var merge = require('utils-merge');
var resolve = require('path').resolve;
var setPrototypeOf = require('setprototypeof')

/**
* Module variables.
* @private
*/

var hasOwnProperty = Object.prototype.hasOwnProperty
var slice = Array.prototype.slice;

/**
Expand Down Expand Up @@ -352,7 +359,17 @@ app.param = function param(name, fn) {
app.set = function set(setting, val) {
if (arguments.length === 1) {
// app.get(setting)
return this.settings[setting];
var settings = this.settings

while (settings && settings !== Object.prototype) {
if (hasOwnProperty.call(settings, setting)) {
return settings[setting]
}

settings = Object.getPrototypeOf(settings)
}

return undefined
}

debug('set "%s" to %o', setting, val);
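Review bot: The lookup loop added at `while (settings && settings !== Object.prototype)` hardens the read path, but the write path gets no matching check: with two arguments the function continues to the `debug` call and, presumably, to the `this.settings[setting] = val` assignment that runs past the hunk, so a setting named `'__proto__'` with an object value would replace the settings object's prototype instead of storing a value, and the new chain walk would then resolve that object's own keys as settings. A one-line guard before the assignment, `if (setting === '__proto__') throw new TypeError('setting name "__proto__" is not allowed')`, or creating the settings object without a prototype would close that gap; which fits depends on how `this.settings` is built, which is outside this hunk. The loop also deserves a why-comment, since a plain own-property check would look sufficient at first glance: `// settings may inherit from another settings object; walk the chain but stop before Object.prototype so built-ins such as hasOwnProperty are never treated as settings`. The rest of app.set, including the assignment, continues beyond the hunk.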
44 changes: 44 additions & 0 deletions test/config.js
Expand Up @@ -11,6 +11,12 @@ describe('config', function () {
assert.equal(app.get('foo'), 'bar');
})

it('should set prototype values', function () {
var app = express()
app.set('hasOwnProperty', 42)
assert.strictEqual(app.get('hasOwnProperty'), 42)
})

it('should return the app', function () {
var app = express();
assert.equal(app.set('foo', 'bar'), app);
Expand All @@ -21,6 +27,17 @@ describe('config', function () {
assert.equal(app.set('foo', undefined), app);
})

it('should return set value', function () {
var app = express()
app.set('foo', 'bar')
assert.strictEqual(app.set('foo'), 'bar')
})

it('should return undefined for prototype values', function () {
var app = express()
assert.strictEqual(app.set('hasOwnProperty'), undefined)
})

describe('"etag"', function(){
it('should throw on bad value', function(){
var app = express();
Expand Down Expand Up @@ -51,6 +68,11 @@ describe('config', function () {
assert.strictEqual(app.get('foo'), undefined);
})

it('should return undefined for prototype values', function () {
var app = express()
assert.strictEqual(app.get('hasOwnProperty'), undefined)
})

it('should otherwise return the value', function(){
var app = express();
app.set('foo', 'bar');
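Review bot: Every new assertion in this section uses `hasOwnProperty` as the inherited name, so the tests pin one key rather than the rule that Object.prototype members are ignored; a second case with a different built-in, `assert.strictEqual(app.get('toString'), undefined)`, would guard against a future fix that special-cases the one name. The lookup in lib/application.js now walks the prototype chain of the settings object, and if settings objects can inherit from another settings object (as that loop suggests), none of the added tests checks that such an inherited, non-Object.prototype value is still returned by `app.get`; if that case is already covered elsewhere in the suite, a comment here pointing to it would do. The same single-key pattern repeats in the hunks for `app.set`, `.enable()`, `.disable()`, `.enabled()` and `.disabled()`.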
Expand Down Expand Up @@ -125,6 +147,12 @@ describe('config', function () {
assert.equal(app.enable('tobi'), app);
assert.strictEqual(app.get('tobi'), true);
})

it('should set prototype values', function () {
var app = express()
app.enable('hasOwnProperty')
assert.strictEqual(app.get('hasOwnProperty'), true)
})
})

describe('.disable()', function(){
Expand All @@ -133,6 +161,12 @@ describe('config', function () {
assert.equal(app.disable('tobi'), app);
assert.strictEqual(app.get('tobi'), false);
})

it('should set prototype values', function () {
var app = express()
app.disable('hasOwnProperty')
assert.strictEqual(app.get('hasOwnProperty'), false)
})
})

describe('.enabled()', function(){
Expand All @@ -146,6 +180,11 @@ describe('config', function () {
app.set('foo', 'bar');
assert.strictEqual(app.enabled('foo'), true);
})

it('should default to false for prototype values', function () {
var app = express()
assert.strictEqual(app.enabled('hasOwnProperty'), false)
})
})

describe('.disabled()', function(){
Expand All @@ -159,5 +198,10 @@ describe('config', function () {
app.set('foo', 'bar');
assert.strictEqual(app.disabled('foo'), false);
})

it('should default to true for prototype values', function () {
var app = express()
assert.strictEqual(app.disabled('hasOwnProperty'), true)
})
})
})

0 comments on commit c17fe05
