
Commit e49bb35

committed
Ignore settings on Object.prototype
1 parent 6faf26d commit e49bb35


4 files changed

+57
-7
lines changed


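--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+* Ignore `Object.prototype` values in settings
+
 5.0.0-beta.1 / 2022-02-14
 =========================
 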

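--- a/lib/application.js
+++ b/lib/application.js
@@ -56,7 +56,7 @@ app.init = function init() {
 
 this.cache = {};
 this.engines = {};
-this.settings = {};
+this.settings = Object.create(null);
 
 this.defaultConfiguration();
 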
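Review bot: The `this.settings = Object.create(null);` line needs a why-comment, because nothing in the hunk says the null prototype is a hardening measure and a later cleanup could turn it back into `{}`; something like `// null prototype so setting names such as 'constructor' never resolve to Object.prototype members` would do. It is also a compatibility change for callers: test/app.locals.js reads the same object as `app.locals.settings`, so code that calls `settings.hasOwnProperty(name)` or string-coerces it will now throw a TypeError and should use `Object.prototype.hasOwnProperty.call(settings, name)` instead. `init` starts and continues outside the hunk, so whether `defaultConfiguration()` re-links the prototype cannot be checked from here.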

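--- a/test/app.locals.js
+++ b/test/app.locals.js
@@ -1,16 +1,17 @@
 
+var assert = require('assert');
 var express = require('../')
 
 describe('app', function(){
 describe('.locals(obj)', function(){
 it('should merge locals', function(){
 var app = express();
-Object.keys(app.locals).should.eql(['settings']);
+assert.deepStrictEqual(Object.keys(app.locals), ['settings']);
 app.locals.user = 'tobi';
 app.locals.age = 2;
-Object.keys(app.locals).should.eql(['settings', 'user', 'age']);
-app.locals.user.should.equal('tobi');
-app.locals.age.should.equal(2);
+assert.deepStrictEqual(Object.keys(app.locals), ['settings', 'user', 'age']);
+assert.strictEqual(app.locals.user, 'tobi');
+assert.strictEqual(app.locals.age, 2);
 })
 })
 
@@ -19,8 +20,8 @@ describe('app', function(){
 var app = express();
 app.set('title', 'House of Manny');
 var obj = app.locals.settings;
-obj.should.have.property('env', 'test');
-obj.should.have.property('title', 'House of Manny');
+assert.strictEqual(obj.env, 'test');
+assert.strictEqual(obj.title, 'House of Manny');
 })
 })
 })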
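Review bot: The `assert.strictEqual(obj.env, 'test')` and `obj.title` lines in the second hunk replace should.js assertions without saying why. Presumably `app.locals.settings` no longer inherits the `.should` getter now that settings has a null prototype, and a one-line comment such as `// settings has no prototype, so should.js getters are unavailable` would stop someone converting them back. Since this test already holds the object, it could also pin the hardening directly with `assert.strictEqual(Object.getPrototypeOf(obj), null)`, assuming a top-level app keeps the null prototype after `defaultConfiguration()`, which is not visible on this page.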

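--- a/test/config.js
+++ b/test/config.js
@@ -10,6 +10,12 @@ describe('config', function () {
 assert.equal(app.get('foo'), 'bar');
 })
 
+it('should set prototype values', function () {
+var app = express()
+app.set('hasOwnProperty', 42)
+assert.strictEqual(app.get('hasOwnProperty'), 42)
+})
+
 it('should return the app', function () {
 var app = express();
 assert.equal(app.set('foo', 'bar'), app);
@@ -20,6 +26,17 @@ describe('config', function () {
 assert.equal(app.set('foo', undefined), app);
 })
 
+it('should return set value', function () {
+var app = express()
+app.set('foo', 'bar')
+assert.strictEqual(app.set('foo'), 'bar')
+})
+
+it('should return undefined for prototype values', function () {
+var app = express()
+assert.strictEqual(app.set('hasOwnProperty'), undefined)
+})
+
 describe('"etag"', function(){
 it('should throw on bad value', function(){
 var app = express();
@@ -50,6 +67,11 @@ describe('config', function () {
 assert.strictEqual(app.get('foo'), undefined);
 })
 
+it('should return undefined for prototype values', function () {
+var app = express()
+assert.strictEqual(app.get('hasOwnProperty'), undefined)
+})
+
 it('should otherwise return the value', function(){
 var app = express();
 app.set('foo', 'bar');
@@ -124,6 +146,12 @@ describe('config', function () {
 assert.equal(app.enable('tobi'), app);
 assert.strictEqual(app.get('tobi'), true);
 })
+
+it('should set prototype values', function () {
+var app = express()
+app.enable('hasOwnProperty')
+assert.strictEqual(app.get('hasOwnProperty'), true)
+})
 })
 
 describe('.disable()', function(){
@@ -132,6 +160,12 @@ describe('config', function () {
 assert.equal(app.disable('tobi'), app);
 assert.strictEqual(app.get('tobi'), false);
 })
+
+it('should set prototype values', function () {
+var app = express()
+app.disable('hasOwnProperty')
+assert.strictEqual(app.get('hasOwnProperty'), false)
+})
 })
 
 describe('.enabled()', function(){
@@ -145,6 +179,11 @@ describe('config', function () {
 app.set('foo', 'bar');
 assert.strictEqual(app.enabled('foo'), true);
 })
+
+it('should default to false for prototype values', function () {
+var app = express()
+assert.strictEqual(app.enabled('hasOwnProperty'), false)
+})
 })
 
 describe('.disabled()', function(){
@@ -158,5 +197,10 @@ describe('config', function () {
 app.set('foo', 'bar');
 assert.strictEqual(app.disabled('foo'), false);
 })
+
+it('should default to true for prototype values', function () {
+var app = express()
+assert.strictEqual(app.disabled('hasOwnProperty'), true)
+})
 })
 })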
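Review bot: Every new case uses `'hasOwnProperty'` as the only inherited name, so `'__proto__'` is not covered, and on an ordinary object that key is an accessor rather than a plain data slot. I would add a pair next to the first new `.set()` test: `assert.strictEqual(app.get('__proto__'), undefined)` on a fresh app, and after `app.set('__proto__', 42)`, `assert.strictEqual(app.get('__proto__'), 42)`. A mounted sub-app case would also be worth adding if child settings inherit from the parent's, which cannot be told from this page. As a style point, the added tests omit the trailing semicolons that the surrounding tests use.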
