Fixed security issue in U.set() and U.get().

petersirka · petersirka · commit 887b0fa9e162 · 2021-06-04T11:39:41.000+02:00
diff --git a/changes.txt b/changes.txt
@@ -4,6 +4,7 @@
 - added `insecure` flag into the `U.request()` method
 - added `RESTBuilder.insecure()` method
 - fixed security issue when parsing query arguments (reported by <https://github.com/fl4x>)
+- fixed security in `U.get()` and `U.set()` (reported by Agustin Gianni)
 
 ======= 3.4.8
 
diff --git a/utils.js b/utils.js
@@ -6617,12 +6617,16 @@ exports.parseTheme = function(value) {
 	return value === '?' ? CONF.default_theme : value;
 };
 
+
 exports.set = function(obj, path, value) {
 	var cachekey = 'S+' + path;
 
 	if (F.temporary.other[cachekey])
 		return F.temporary.other[cachekey](obj, value);
 
+	if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path))
+		return value;
+
 	var arr = parsepath(path);
 	var builder = [];
 
@@ -6636,12 +6640,9 @@ exports.set = function(obj, path, value) {
 	var ispush = v.lastIndexOf('[]') !== -1;
 	var a = builder.join(';') + ';var v=typeof(a)===\'function\'?a(U.get(b)):a;w' + (v[0] === '[' ? '' : '.') + (ispush ? v.replace(REGREPLACEARR, '.push(v)') : (v + '=v')) + ';return v';
 
-	if ((/__proto__|constructor|prototype|eval/).test(a))
-		throw new Error('Potential vulnerability');
-
 	var fn = new Function('w', 'a', 'b', a);
 	F.temporary.other[cachekey] = fn;
-	fn(obj, value, path);
+	return fn(obj, value, path);
 };
 
 exports.get = function(obj, path) {
@@ -6651,6 +6652,9 @@ exports.get = function(obj, path) {
 	if (F.temporary.other[cachekey])
 		return F.temporary.other[cachekey](obj);
 
+	if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path))
+		return;
+
 	var arr = parsepath(path);
 	var builder = [];
 
