Always use square-bracket property access securely: a caller-controlled key can reach the prototype chain (`__proto__`, `constructor`, `prototype`) or a DOM sink (`innerHTML`, `src`), so guard it before reading or writing. Background: https://stackoverflow.com/questions/57960770/securely-set-unknown-property-mitigate-square-bracket-object-injection-attacks
// WORK IN PROGRESS: sketch of guarded get/set helpers for caller-controlled property keys.
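/**
 * Read an own property of `obj` without walking the prototype chain.
 *
 * The ownership check runs before any read, so inherited members such as
 * `constructor`, `toString` or `__proto__` are never evaluated for a
 * caller-controlled key; a key that is not an own property yields `undefined`.
 *
 * @param {object} obj - Object to read from (a null/undefined `obj` throws TypeError).
 * @param {string|symbol} key - Property name, typically from untrusted input.
 * @returns {*} The own value (which may itself be `null`), or `undefined` if absent.
 * @throws {Error} If the own value is a function — callers that really want a
 *   function must use square-bracket syntax directly.
 */
const safeGet = (obj, key) => {
  // Ownership first: the original read `obj[key]` before this check, which
  // evaluated prototype-chain lookups (e.g. `obj['__proto__']`) for untrusted keys.
  if (!Object.prototype.hasOwnProperty.call(obj, key)) {
    return undefined;
  }
  const value = obj[key];
  if (typeof value === 'function') {
    throw new Error(`Cannot safely get ${key} since it a function. Use square bracket syntax to directly access instead.`);
  }
  return value;
};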
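/**
 * Assign `val` to `obj[key]` while refusing keys that would let a
 * caller-controlled name reach the prototype chain or a DOM sink.
 *
 * Blocked names: `__proto__`, `constructor`, `prototype` (prototype pollution)
 * and `innerHTML`, `src` (markup/script injection on DOM nodes). This is a
 * denylist and is not exhaustive; when the whole key set is untrusted prefer a
 * `Map` or an `Object.create(null)` container instead.
 *
 * @param {object} obj - Target object (a null/undefined `obj` throws TypeError).
 * @param {string|symbol} key - Property name. Non-symbol keys are compared after
 *   `String()` coercion, because `obj[['__proto__']]` assigns `'__proto__'`.
 * @param {*} val - Value to store; functions are rejected.
 * @returns {object} `obj`, for chaining.
 * @throws {Error} If `val` is a function or `key` is on the denylist.
 */
const safeSet = (obj, key, val) => {
  if (typeof val === 'function') {
    throw new Error(`Cannot safely set ${key} - supplied value is a function. Set directly via square bracket syntax.`);
  }
  // Property keys undergo ToString at assignment time, so check the coerced
  // form; symbols are left as-is (they can never equal a string below).
  const name = typeof key === 'symbol' ? key : String(key);
  const blockedKeys = new Set(['__proto__', 'constructor', 'prototype', 'innerHTML', 'src']);
  if (blockedKeys.has(name)) {
    throw new Error(`Cannot safely set ${name} - can lead to remote code execution`);
  }
  // The original sketch validated but never wrote; perform the assignment.
  obj[key] = val;
  return obj;
};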