momosecurity/mosec-node-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1. upgrade vulnerable package

Browse Source 
2. fix test unit
This commit is contained in:
retanoj
2022-03-22 18:10:50 +08:00
parent feee2d72ec
commit c5b6b804e0
4618 changed files with 1691378 additions and 1119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
test/vuln-project/node_modules/mpath/.travis.yml generated vendored Normal file
View File

@@ -0,0 +1,9 @@
language: node_js
node_js:
- "4"
- "5"
- "6"
- "7"
- "8"
- "9"
- "10"

59
test/vuln-project/node_modules/mpath/History.md generated vendored Normal file
View File

@@ -0,0 +1,59 @@
0.6.0 / 2019-05-01
==================
* feat: support setting dotted paths within nested arrays
0.5.2 / 2019-04-25
==================
* fix: avoid using subclassed array constructor when doing `map()`
0.5.1 / 2018-08-30
==================
* fix: prevent writing to constructor and prototype as well as __proto__
0.5.0 / 2018-08-30
==================
* BREAKING CHANGE: disallow setting/unsetting __proto__ properties
* feat: re-add support for Node < 4 for this release
0.4.1 / 2018-04-08
==================
* fix: allow opting out of weird `$` set behavior re: Automattic/mongoose#6273
0.4.0 / 2018-03-27
==================
* feat: add support for ES6 maps
* BREAKING CHANGE: drop support for Node < 4
0.3.0 / 2017-06-05
==================
* feat: add has() and unset() functions
0.2.1 / 2013-03-22
==================
* test; added for #5
* fix typo that breaks set #5 [Contra](https://github.com/Contra)
0.2.0 / 2013-03-15
==================
* added; adapter support for set
* added; adapter support for get
* add basic benchmarks
* add support for using module as a component #2 [Contra](https://github.com/Contra)
0.1.1 / 2012-12-21
==================
* added; map support
0.1.0 / 2012-12-13
==================
* added; set('array.property', val, object) support
* added; get('array.property', object) support
0.0.1 / 2012-11-03
==================
* initial release

22
test/vuln-project/node_modules/mpath/LICENSE generated vendored Normal file
View File

@@ -0,0 +1,22 @@
(The MIT License)
Copyright (c) 2012 [Aaron Heckmann](aaron.heckmann+github@gmail.com)
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
'Software'), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

4
test/vuln-project/node_modules/mpath/Makefile generated vendored Normal file
View File

@@ -0,0 +1,4 @@
bench:
node bench.js
.PHONY: test

278
test/vuln-project/node_modules/mpath/README.md generated vendored Normal file
View File

@@ -0,0 +1,278 @@
#mpath
{G,S}et javascript object values using MongoDB-like path notation.
###Getting
```js
var mpath = require('mpath');
var obj = {
comments: [
{ title: 'funny' },
{ title: 'exciting!' }
]
}
mpath.get('comments.1.title', obj) // 'exciting!'
```
`mpath.get` supports array property notation as well.
```js
var obj = {
comments: [
{ title: 'funny' },
{ title: 'exciting!' }
]
}
mpath.get('comments.title', obj) // ['funny', 'exciting!']
```
Array property and indexing syntax, when used together, are very powerful.
```js
var obj = {
array: [
{ o: { array: [{x: {b: [4,6,8]}}, { y: 10} ] }}
, { o: { array: [{x: {b: [1,2,3]}}, { x: {z: 10 }}, { x: 'Turkey Day' }] }}
, { o: { array: [{x: {b: null }}, { x: { b: [null, 1]}}] }}
, { o: { array: [{x: null }] }}
, { o: { array: [{y: 3 }] }}
, { o: { array: [3, 0, null] }}
, { o: { name: 'ha' }}
];
}
var found = mpath.get('array.o.array.x.b.1', obj);
console.log(found); // prints..
[ [6, undefined]
, [2, undefined, undefined]
, [null, 1]
, [null]
, [undefined]
, [undefined, undefined, undefined]
, undefined
]
```
#####Field selection rules:
The following rules are iteratively applied to each `segment` in the passed `path`. For example:
```js
var path = 'one.two.14'; // path
'one' // segment 0
'two' // segment 1
14 // segment 2
```
- 1) when value of the segment parent is not an array, return the value of `parent.segment`
- 2) when value of the segment parent is an array
- a) if the segment is an integer, replace the parent array with the value at `parent[segment]`
- b) if not an integer, keep the array but replace each array `item` with the value returned from calling `get(remainingSegments, item)` or undefined if falsey.
#####Maps
`mpath.get` also accepts an optional `map` argument which receives each individual found value. The value returned from the `map` function will be used in the original found values place.
```js
var obj = {
comments: [
{ title: 'funny' },
{ title: 'exciting!' }
]
}
mpath.get('comments.title', obj, function (val) {
return 'funny' == val
? 'amusing'
: val;
});
// ['amusing', 'exciting!']
```
###Setting
```js
var obj = {
comments: [
{ title: 'funny' },
{ title: 'exciting!' }
]
}
mpath.set('comments.1.title', 'hilarious', obj)
console.log(obj.comments[1].title) // 'hilarious'
```
`mpath.set` supports the same array property notation as `mpath.get`.
```js
var obj = {
comments: [
{ title: 'funny' },
{ title: 'exciting!' }
]
}
mpath.set('comments.title', ['hilarious', 'fruity'], obj);
console.log(obj); // prints..
{ comments: [
{ title: 'hilarious' },
{ title: 'fruity' }
]}
```
Array property and indexing syntax can be used together also when setting.
```js
var obj = {
array: [
{ o: { array: [{x: {b: [4,6,8]}}, { y: 10} ] }}
, { o: { array: [{x: {b: [1,2,3]}}, { x: {z: 10 }}, { x: 'Turkey Day' }] }}
, { o: { array: [{x: {b: null }}, { x: { b: [null, 1]}}] }}
, { o: { array: [{x: null }] }}
, { o: { array: [{y: 3 }] }}
, { o: { array: [3, 0, null] }}
, { o: { name: 'ha' }}
]
}
mpath.set('array.1.o', 'this was changed', obj);
console.log(require('util').inspect(obj, false, 1000)); // prints..
{
array: [
{ o: { array: [{x: {b: [4,6,8]}}, { y: 10} ] }}
, { o: 'this was changed' }
, { o: { array: [{x: {b: null }}, { x: { b: [null, 1]}}] }}
, { o: { array: [{x: null }] }}
, { o: { array: [{y: 3 }] }}
, { o: { array: [3, 0, null] }}
, { o: { name: 'ha' }}
];
}
mpath.set('array.o.array.x', 'this was changed too', obj);
console.log(require('util').inspect(obj, false, 1000)); // prints..
{
array: [
{ o: { array: [{x: 'this was changed too'}, { y: 10, x: 'this was changed too'} ] }}
, { o: 'this was changed' }
, { o: { array: [{x: 'this was changed too'}, { x: 'this was changed too'}] }}
, { o: { array: [{x: 'this was changed too'}] }}
, { o: { array: [{x: 'this was changed too', y: 3 }] }}
, { o: { array: [3, 0, null] }}
, { o: { name: 'ha' }}
];
}
```
####Setting arrays
By default, setting a property within an array to another array results in each element of the new array being set to the item in the destination array at the matching index. An example is helpful.
```js
var obj = {
comments: [
{ title: 'funny' },
{ title: 'exciting!' }
]
}
mpath.set('comments.title', ['hilarious', 'fruity'], obj);
console.log(obj); // prints..
{ comments: [
{ title: 'hilarious' },
{ title: 'fruity' }
]}
```
If we do not desire this destructuring-like assignment behavior we may instead specify the `$` operator in the path being set to force the array to be copied directly.
```js
var obj = {
comments: [
{ title: 'funny' },
{ title: 'exciting!' }
]
}
mpath.set('comments.$.title', ['hilarious', 'fruity'], obj);
console.log(obj); // prints..
{ comments: [
{ title: ['hilarious', 'fruity'] },
{ title: ['hilarious', 'fruity'] }
]}
```
####Field assignment rules
The rules utilized mirror those used on `mpath.get`, meaning we can take values returned from `mpath.get`, update them, and reassign them using `mpath.set`. Note that setting nested arrays of arrays can get unweildy quickly. Check out the [tests](https://github.com/aheckmann/mpath/blob/master/test/index.js) for more extreme examples.
#####Maps
`mpath.set` also accepts an optional `map` argument which receives each individual value being set. The value returned from the `map` function will be used in the original values place.
```js
var obj = {
comments: [
{ title: 'funny' },
{ title: 'exciting!' }
]
}
mpath.set('comments.title', ['hilarious', 'fruity'], obj, function (val) {
return val.length;
});
console.log(obj); // prints..
{ comments: [
{ title: 9 },
{ title: 6 }
]}
```
### Custom object types
Sometimes you may want to enact the same functionality on custom object types that store all their real data internally, say for an ODM type object. No fear, `mpath` has you covered. Simply pass the name of the property being used to store the internal data and it will be traversed instead:
```js
var mpath = require('mpath');
var obj = {
comments: [
{ title: 'exciting!', _doc: { title: 'great!' }}
]
}
mpath.get('comments.0.title', obj, '_doc') // 'great!'
mpath.set('comments.0.title', 'nov 3rd', obj, '_doc')
mpath.get('comments.0.title', obj, '_doc') // 'nov 3rd'
mpath.get('comments.0.title', obj) // 'exciting'
```
When used with a `map`, the `map` argument comes last.
```js
mpath.get(path, obj, '_doc', map);
mpath.set(path, val, obj, '_doc', map);
```
[LICENSE](https://github.com/aheckmann/mpath/blob/master/LICENSE)

109
test/vuln-project/node_modules/mpath/bench.js generated vendored Normal file
View File

@@ -0,0 +1,109 @@
var mpath = require('./')
var Bench = require('benchmark');
var sha = require('child_process').exec("git log --pretty=format:'%h' -n 1", function (err, sha) {
if (err) throw err;
var fs = require('fs')
var filename = __dirname + '/bench.out';
var out = fs.createWriteStream(filename, { flags: 'a', encoding: 'utf8' });
/**
* test doc creator
*/
function doc () {
var o = { first: { second: { third: [3,{ name: 'aaron' }, 9] }}};
o.comments = [
{ name: 'one' }
, { name: 'two', _doc: { name: '2' }}
, { name: 'three'
, comments: [{},{ comments: [{val: 'twoo'}]}]
, _doc: { name: '3', comments: [{},{ _doc: { comments: [{ val: 2 }] }}] }}
];
o.name = 'jiro';
o.array = [
{ o: { array: [{x: {b: [4,6,8]}}, { y: 10} ] }}
, { o: { array: [{x: {b: [1,2,3]}}, { x: {z: 10 }}, { x: {b: 'hi'}}] }}
, { o: { array: [{x: {b: null }}, { x: { b: [null, 1]}}] }}
, { o: { array: [{x: null }] }}
, { o: { array: [{y: 3 }] }}
, { o: { array: [3, 0, null] }}
, { o: { name: 'ha' }}
];
o.arr = [
{ arr: [{ a: { b: 47 }}, { a: { c: 48 }}, { d: 'yep' }] }
, { yep: true }
]
return o;
}
var o = doc();
var s = new Bench.Suite;
s.add('mpath.get("first", obj)', function () {
mpath.get('first', o);
})
s.add('mpath.get("first.second", obj)', function () {
mpath.get('first.second', o);
})
s.add('mpath.get("first.second.third.1.name", obj)', function () {
mpath.get('first.second.third.1.name', o);
})
s.add('mpath.get("comments", obj)', function () {
mpath.get('comments', o);
})
s.add('mpath.get("comments.1", obj)', function () {
mpath.get('comments.1', o);
})
s.add('mpath.get("comments.2.name", obj)', function () {
mpath.get('comments.2.name', o);
})
s.add('mpath.get("comments.2.comments.1.comments.0.val", obj)', function () {
mpath.get('comments.2.comments.1.comments.0.val', o);
})
s.add('mpath.get("comments.name", obj)', function () {
mpath.get('comments.name', o);
})
s.add('mpath.set("first", obj, val)', function () {
mpath.set('first', o, 1);
})
s.add('mpath.set("first.second", obj, val)', function () {
mpath.set('first.second', o, 1);
})
s.add('mpath.set("first.second.third.1.name", obj, val)', function () {
mpath.set('first.second.third.1.name', o, 1);
})
s.add('mpath.set("comments", obj, val)', function () {
mpath.set('comments', o, 1);
})
s.add('mpath.set("comments.1", obj, val)', function () {
mpath.set('comments.1', o, 1);
})
s.add('mpath.set("comments.2.name", obj, val)', function () {
mpath.set('comments.2.name', o, 1);
})
s.add('mpath.set("comments.2.comments.1.comments.0.val", obj, val)', function () {
mpath.set('comments.2.comments.1.comments.0.val', o, 1);
})
s.add('mpath.set("comments.name", obj, val)', function () {
mpath.set('comments.name', o, 1);
})
s.on('start', function () {
console.log('starting...');
out.write('*' + sha + ': ' + String(new Date()) + '\n');
});
s.on('cycle', function (e) {
var s = String(e.target);
console.log(s);
out.write(s + '\n');
})
s.on('complete', function () {
console.log('done')
out.end('');
})
s.run()
})

52
test/vuln-project/node_modules/mpath/bench.out generated vendored Normal file
View File

@@ -0,0 +1,52 @@
*b566c26: Fri Mar 15 2013 14:14:04 GMT-0700 (PDT)
mpath.get("first", obj) x 3,827,405 ops/sec ±0.91% (90 runs sampled)
mpath.get("first.second", obj) x 4,930,222 ops/sec ±1.92% (91 runs sampled)
mpath.get("first.second.third.1.name", obj) x 3,070,837 ops/sec ±1.45% (97 runs sampled)
mpath.get("comments", obj) x 3,649,771 ops/sec ±1.71% (93 runs sampled)
mpath.get("comments.1", obj) x 3,846,728 ops/sec ±0.86% (94 runs sampled)
mpath.get("comments.2.name", obj) x 3,527,680 ops/sec ±0.95% (96 runs sampled)
mpath.get("comments.2.comments.1.comments.0.val", obj) x 2,046,982 ops/sec ±0.80% (96 runs sampled)
mpath.get("comments.name", obj) x 625,546 ops/sec ±2.02% (82 runs sampled)
*e42bdb1: Fri Mar 15 2013 14:19:28 GMT-0700 (PDT)
mpath.get("first", obj) x 3,700,783 ops/sec ±1.30% (95 runs sampled)
mpath.get("first.second", obj) x 4,621,795 ops/sec ±0.86% (95 runs sampled)
mpath.get("first.second.third.1.name", obj) x 3,012,671 ops/sec ±1.21% (100 runs sampled)
mpath.get("comments", obj) x 3,677,694 ops/sec ±0.80% (96 runs sampled)
mpath.get("comments.1", obj) x 3,798,862 ops/sec ±0.81% (91 runs sampled)
mpath.get("comments.2.name", obj) x 3,489,356 ops/sec ±0.66% (98 runs sampled)
mpath.get("comments.2.comments.1.comments.0.val", obj) x 2,004,076 ops/sec ±0.85% (99 runs sampled)
mpath.get("comments.name", obj) x 613,270 ops/sec ±1.33% (83 runs sampled)
*0521aac: Fri Mar 15 2013 16:37:16 GMT-0700 (PDT)
mpath.get("first", obj) x 3,834,755 ops/sec ±0.70% (100 runs sampled)
mpath.get("first.second", obj) x 4,999,965 ops/sec ±1.01% (98 runs sampled)
mpath.get("first.second.third.1.name", obj) x 3,125,953 ops/sec ±0.97% (100 runs sampled)
mpath.get("comments", obj) x 3,759,233 ops/sec ±0.81% (97 runs sampled)
mpath.get("comments.1", obj) x 3,894,893 ops/sec ±0.76% (96 runs sampled)
mpath.get("comments.2.name", obj) x 3,576,929 ops/sec ±0.68% (98 runs sampled)
mpath.get("comments.2.comments.1.comments.0.val", obj) x 2,149,610 ops/sec ±0.67% (97 runs sampled)
mpath.get("comments.name", obj) x 629,259 ops/sec ±1.30% (87 runs sampled)
mpath.set("first", obj, val) x 2,869,477 ops/sec ±0.63% (97 runs sampled)
mpath.set("first.second", obj, val) x 2,418,751 ops/sec ±0.62% (98 runs sampled)
mpath.set("first.second.third.1.name", obj, val) x 2,313,099 ops/sec ±0.69% (94 runs sampled)
mpath.set("comments", obj, val) x 2,680,882 ops/sec ±0.76% (99 runs sampled)
mpath.set("comments.1", obj, val) x 2,401,829 ops/sec ±0.68% (98 runs sampled)
mpath.set("comments.2.name", obj, val) x 2,335,081 ops/sec ±1.07% (96 runs sampled)
mpath.set("comments.2.comments.1.comments.0.val", obj, val) x 2,245,436 ops/sec ±0.76% (92 runs sampled)
mpath.set("comments.name", obj, val) x 2,356,278 ops/sec ±1.15% (100 runs sampled)
*97e85d3: Fri Mar 15 2013 16:39:21 GMT-0700 (PDT)
mpath.get("first", obj) x 3,837,614 ops/sec ±0.74% (99 runs sampled)
mpath.get("first.second", obj) x 4,991,779 ops/sec ±1.01% (94 runs sampled)
mpath.get("first.second.third.1.name", obj) x 3,078,455 ops/sec ±1.17% (96 runs sampled)
mpath.get("comments", obj) x 3,770,961 ops/sec ±0.45% (101 runs sampled)
mpath.get("comments.1", obj) x 3,832,814 ops/sec ±0.67% (92 runs sampled)
mpath.get("comments.2.name", obj) x 3,536,436 ops/sec ±0.49% (100 runs sampled)
mpath.get("comments.2.comments.1.comments.0.val", obj) x 2,141,947 ops/sec ±0.72% (98 runs sampled)
mpath.get("comments.name", obj) x 667,898 ops/sec ±1.62% (85 runs sampled)
mpath.set("first", obj, val) x 2,642,517 ops/sec ±0.72% (98 runs sampled)
mpath.set("first.second", obj, val) x 2,502,124 ops/sec ±1.28% (99 runs sampled)
mpath.set("first.second.third.1.name", obj, val) x 2,426,804 ops/sec ±0.55% (99 runs sampled)
mpath.set("comments", obj, val) x 2,699,478 ops/sec ±0.85% (98 runs sampled)
mpath.set("comments.1", obj, val) x 2,494,454 ops/sec ±1.05% (96 runs sampled)
mpath.set("comments.2.name", obj, val) x 2,463,894 ops/sec ±0.86% (98 runs sampled)
mpath.set("comments.2.comments.1.comments.0.val", obj, val) x 2,320,398 ops/sec ±0.82% (95 runs sampled)
mpath.set("comments.name", obj, val) x 2,512,408 ops/sec ±0.77% (95 runs sampled)

8
test/vuln-project/node_modules/mpath/component.json generated vendored Normal file
View File

@@ -0,0 +1,8 @@
{
"name": "mpath",
"version": "0.2.1",
"main": "lib/index.js",
"scripts": [
"lib/index.js"
]
}

1
test/vuln-project/node_modules/mpath/index.js generated vendored Normal file
View File

@@ -0,0 +1 @@
module.exports = exports = require('./lib');

308
test/vuln-project/node_modules/mpath/lib/index.js generated vendored Normal file
View File

@@ -0,0 +1,308 @@
// These properties are special and can open client libraries to security
// issues
var ignoreProperties = ['__proto__', 'constructor', 'prototype'];
/**
* Returns the value of object `o` at the given `path`.
*
* ####Example:
*
* var obj = {
* comments: [
* { title: 'exciting!', _doc: { title: 'great!' }}
* , { title: 'number dos' }
* ]
* }
*
* mpath.get('comments.0.title', o) // 'exciting!'
* mpath.get('comments.0.title', o, '_doc') // 'great!'
* mpath.get('comments.title', o) // ['exciting!', 'number dos']
*
* // summary
* mpath.get(path, o)
* mpath.get(path, o, special)
* mpath.get(path, o, map)
* mpath.get(path, o, special, map)
*
* @param {String} path
* @param {Object} o
* @param {String} [special] When this property name is present on any object in the path, walking will continue on the value of this property.
* @param {Function} [map] Optional function which receives each individual found value. The value returned from `map` is used in the original values place.
*/
exports.get = function (path, o, special, map) {
var lookup;
if ('function' == typeof special) {
if (special.length < 2) {
map = special;
special = undefined;
} else {
lookup = special;
special = undefined;
}
}
map || (map = K);
var parts = 'string' == typeof path
? path.split('.')
: path
if (!Array.isArray(parts)) {
throw new TypeError('Invalid `path`. Must be either string or array');
}
var obj = o
, part;
for (var i = 0; i < parts.length; ++i) {
part = parts[i];
if (Array.isArray(obj) && !/^\d+$/.test(part)) {
// reading a property from the array items
var paths = parts.slice(i);
// Need to `concat()` to avoid `map()` calling a constructor of an array
// subclass
return [].concat(obj).map(function (item) {
return item
? exports.get(paths, item, special || lookup, map)
: map(undefined);
});
}
if (lookup) {
obj = lookup(obj, part);
} else {
var _from = special && obj[special] ? obj[special] : obj;
obj = _from instanceof Map ?
_from.get(part) :
_from[part];
}
if (!obj) return map(obj);
}
return map(obj);
};
/**
* Returns true if `in` returns true for every piece of the path
*
* @param {String} path
* @param {Object} o
*/
exports.has = function (path, o) {
var parts = typeof path === 'string' ?
path.split('.') :
path;
if (!Array.isArray(parts)) {
throw new TypeError('Invalid `path`. Must be either string or array');
}
var len = parts.length;
var cur = o;
for (var i = 0; i < len; ++i) {
if (cur == null || typeof cur !== 'object' || !(parts[i] in cur)) {
return false;
}
cur = cur[parts[i]];
}
return true;
};
/**
* Deletes the last piece of `path`
*
* @param {String} path
* @param {Object} o
*/
exports.unset = function (path, o) {
var parts = typeof path === 'string' ?
path.split('.') :
path;
if (!Array.isArray(parts)) {
throw new TypeError('Invalid `path`. Must be either string or array');
}
var len = parts.length;
var cur = o;
for (var i = 0; i < len; ++i) {
if (cur == null || typeof cur !== 'object' || !(parts[i] in cur)) {
return false;
}
// Disallow any updates to __proto__ or special properties.
if (ignoreProperties.indexOf(parts[i]) !== -1) {
return false;
}
if (i === len - 1) {
delete cur[parts[i]];
return true;
}
cur = cur instanceof Map ? cur.get(parts[i]) : cur[parts[i]];
}
return true;
};
/**
* Sets the `val` at the given `path` of object `o`.
*
* @param {String} path
* @param {Anything} val
* @param {Object} o
* @param {String} [special] When this property name is present on any object in the path, walking will continue on the value of this property.
* @param {Function} [map] Optional function which is passed each individual value before setting it. The value returned from `map` is used in the original values place.
*/
exports.set = function (path, val, o, special, map, _copying) {
var lookup;
if ('function' == typeof special) {
if (special.length < 2) {
map = special;
special = undefined;
} else {
lookup = special;
special = undefined;
}
}
map || (map = K);
var parts = 'string' == typeof path
? path.split('.')
: path
if (!Array.isArray(parts)) {
throw new TypeError('Invalid `path`. Must be either string or array');
}
if (null == o) return;
for (var i = 0; i < parts.length; ++i) {
// Silently ignore any updates to `__proto__`, these are potentially
// dangerous if using mpath with unsanitized data.
if (ignoreProperties.indexOf(parts[i]) !== -1) {
return;
}
}
// the existance of $ in a path tells us if the user desires
// the copying of an array instead of setting each value of
// the array to the one by one to matching positions of the
// current array. Unless the user explicitly opted out by passing
// false, see Automattic/mongoose#6273
var copy = _copying || (/\$/.test(path) && _copying !== false)
, obj = o
, part
for (var i = 0, len = parts.length - 1; i < len; ++i) {
part = parts[i];
if ('$' == part) {
if (i == len - 1) {
break;
} else {
continue;
}
}
if (Array.isArray(obj) && !/^\d+$/.test(part)) {
var paths = parts.slice(i);
if (!copy && Array.isArray(val)) {
for (var j = 0; j < obj.length && j < val.length; ++j) {
// assignment of single values of array
exports.set(paths, val[j], obj[j], special || lookup, map, copy);
}
} else {
for (var j = 0; j < obj.length; ++j) {
// assignment of entire value
exports.set(paths, val, obj[j], special || lookup, map, copy);
}
}
return;
}
if (lookup) {
obj = lookup(obj, part);
} else {
var _to = special && obj[special] ? obj[special] : obj;
obj = _to instanceof Map ?
_to.get(part) :
_to[part];
}
if (!obj) return;
}
// process the last property of the path
part = parts[len];
// use the special property if exists
if (special && obj[special]) {
obj = obj[special];
}
// set the value on the last branch
if (Array.isArray(obj) && !/^\d+$/.test(part)) {
if (!copy && Array.isArray(val)) {
_setArray(obj, val, part, lookup, special, map);
} else {
for (var j = 0; j < obj.length; ++j) {
item = obj[j];
if (item) {
if (lookup) {
lookup(item, part, map(val));
} else {
if (item[special]) item = item[special];
item[part] = map(val);
}
}
}
}
} else {
if (lookup) {
lookup(obj, part, map(val));
} else if (obj instanceof Map) {
obj.set(part, map(val));
} else {
obj[part] = map(val);
}
}
}
/*!
* Recursively set nested arrays
*/
function _setArray(obj, val, part, lookup, special, map) {
for (var item, j = 0; j < obj.length && j < val.length; ++j) {
item = obj[j];
if (Array.isArray(item) && Array.isArray(val[j])) {
_setArray(item, val[j], part, lookup, special, map);
} else if (item) {
if (lookup) {
lookup(item, part, map(val[j]));
} else {
if (item[special]) item = item[special];
item[part] = map(val[j]);
}
}
}
}
/*!
* Returns the value passed to it.
*/
function K (v) {
return v;
}

60
test/vuln-project/node_modules/mpath/package.json generated vendored Normal file
View File

@@ -0,0 +1,60 @@
{
"_from": "mpath@0.6.0",
"_id": "mpath@0.6.0",
"_inBundle": false,
"_integrity": "sha1-qpIgKfyk8PZB82DnTFwbakxHB44=",
"_location": "/mpath",
"_phantomChildren": {},
"_requested": {
"type": "version",
"registry": true,
"raw": "mpath@0.6.0",
"name": "mpath",
"escapedName": "mpath",
"rawSpec": "0.6.0",
"saveSpec": null,
"fetchSpec": "0.6.0"
},
"_requiredBy": [
"/mongoose"
],
"_resolved": "http://npm.wemomo.com/mpath/-/mpath-0.6.0.tgz",
"_shasum": "aa922029fca4f0f641f360e74c5c1b6a4c47078e",
"_spec": "mpath@0.6.0",
"_where": "/Users/momo/Documents/momo/security/opensource/mosec-node-plugin/test/vuln-project/node_modules/mongoose",
"author": {
"name": "Aaron Heckmann",
"email": "aaron.heckmann+github@gmail.com"
},
"bugs": {
"url": "https://github.com/aheckmann/mpath/issues"
},
"bundleDependencies": false,
"deprecated": false,
"description": "{G,S}et object values using MongoDB-like path notation",
"devDependencies": {
"benchmark": "~1.0.0",
"mocha": "5.x"
},
"engines": {
"node": ">=4.0.0"
},
"homepage": "https://github.com/aheckmann/mpath#readme",
"keywords": [
"mongodb",
"path",
"get",
"set"
],
"license": "MIT",
"main": "index.js",
"name": "mpath",
"repository": {
"type": "git",
"url": "git://github.com/aheckmann/mpath.git"
},
"scripts": {
"test": "mocha test/*"
},
"version": "0.6.0"
}

1879
test/vuln-project/node_modules/mpath/test/index.js generated vendored Normal file
View File

File diff suppressed because it is too large Load Diff