Merge pull request #766 from MichaelAquilina/fix/files-null-prototype
fix: Use a null prototype object for this.files
Stuk authored Jun 29, 2021
2 parents b7f472d + bb38812 commit 6d029b4
Showing 4 changed files with 20 additions and 4 deletions.
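--- a/lib/index.js
+++ b/lib/index.js
@@ -19,7 +19,10 @@ function JSZip() {
 // "folder/" : {...},
 // "folder/data.txt" : {...}
 // }
-this.files = {};
+// NOTE: we use a null prototype because we do not
+// want filenames like "toString" coming from a zip file
+// to overwrite methods and attributes in a normal Object.
+this.files = Object.create(null);
 
 this.comment = null;
 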
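Review bot: The new NOTE above `this.files = Object.create(null);` names only the `toString` case; it omits the `__proto__` entry that the regression test in this commit actually loads, and it does not warn that `files` no longer inherits `hasOwnProperty`. I would extend it to something like `// NOTE: null prototype, so entry names such as "toString" or "__proto__" are stored as plain own keys; use Object.prototype.hasOwnProperty.call(zip.files, name) for membership checks.` Entry names come from the archive and are untrusted input, so any other code that copies or rebuilds this map (none is visible in this hunk) should presumably also start from `Object.create(null)`. The body of `JSZip()` starts and ends outside the hunk.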
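--- a/lib/object.js
+++ b/lib/object.js
@@ -179,16 +179,16 @@ var out = {
 */
 forEach: function(cb) {
 var filename, relativePath, file;
+/* jshint ignore:start */
+// ignore warning about unwanted properties because this.files is a null prototype object
 for (filename in this.files) {
-if (!this.files.hasOwnProperty(filename)) {
-continue;
-}
 file = this.files[filename];
 relativePath = filename.slice(this.root.length, filename.length);
 if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root
 cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn...
 }
 }
+/* jshint ignore:end */
 },
 
 /**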
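Review bot: Removing the own-property filter from `forEach` leaves the loop correct only while `this.files` is guaranteed to be a null-prototype object, and the `jshint ignore:start` / `ignore:end` pair silences every warning inside the loop rather than just the for-in one. Keeping the guard in a form that does not depend on inheritance, `if (!Object.prototype.hasOwnProperty.call(this.files, filename)) { continue; }`, works on a null-prototype map. It also still filters inherited keys if `files` is ever replaced by an ordinary object, and it makes the lint suppression unnecessary. The `out` object literal starts before and continues after this hunk.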
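--- a/test/asserts/load.js
+++ b/test/asserts/load.js
@@ -17,6 +17,19 @@ QUnit.module("load", function () {
 })['catch'](JSZipTestUtils.assertNoError);
 });
 
+JSZipTestUtils.testZipFile("Load files which shadow Object prototype methods", "ref/pollution.zip", function(assert, file) {
+var done = assert.async();
+assert.ok(typeof file === "string");
+JSZip.loadAsync(file)
+.then(function (zip) {
+assert.notEqual(Object.getPrototypeOf(zip.files), zip.files.__proto__);
+return zip.file("__proto__").async("string"); })
+.then(function(result) {
+assert.equal(result, "hello\n", "the zip was correctly read.");
+done();
+})['catch'](JSZipTestUtils.assertNoError);
+});
+
 JSZipTestUtils.testZipFile("load(string) handles bytes > 255", "ref/all.zip", function(assert, file) {
 var done = assert.async();
 // the method used to load zip with ajax will remove the extra bits.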
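Review bot: The assertion `assert.notEqual(Object.getPrototypeOf(zip.files), zip.files.__proto__)` is a loose (`!=`) and indirect check of the fix. Stating the invariant directly, `assert.strictEqual(Object.getPrototypeOf(zip.files), null, "files has a null prototype");`, would fail with a clearer message if the map ever reverts to a plain object. The test reads only the `__proto__` entry, while the code comment in lib/index.js cites names like `toString`, so a second lookup for such a name would be worth adding if the fixture contains one. Because `ref/pollution.zip` is an opaque binary, a short comment listing its entry names and how it was produced would let a reviewer verify it. The enclosing `QUnit.module("load", ...)` callback starts and ends outside the hunk.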
Binary file added test/ref/pollution.zip
Binary file not shown.
