flightcontrolhq · Oct 22, 2023 · Oct 23, 2023 · Oct 23, 2023 · Oct 23, 2023 · Oct 23, 2023
Showing with 52 additions and 4 deletions.

+21 −1 .all-contributorsrc

+8 −2 README.md

+2 −1 package.json

+11 −0 src/index.test.ts

+10 −0 src/plainer.ts
diff --git a/.all-contributorsrc b/.all-contributorsrc
@@ -268,6 +268,25 @@
       "contributions": [
         "doc"
       ]
+    },
+    {
+      "login": "kidqueb",
+      "name": "Nick Quebbeman",
+      "avatar_url": "https://avatars.githubusercontent.com/u/884128?v=4",
+      "profile": "https://github.com/kidqueb",
+      "contributions": [
+        "doc"
+      ]
+    },
+    {
+      "login": "tmcw",
+      "name": "Tom MacWright",
+      "avatar_url": "https://avatars.githubusercontent.com/u/32314?v=4",
+      "profile": "https://macwright.com/",
+      "contributions": [
+        "bug",
+        "code"
+      ]
     }
   ],
   "badgeTemplate": "<a href=\"#contributors\"><img src=\"https://img.shields.io/badge/all_contributors-<%= contributors.length %>-orange.svg?style=flat-square\" alt=\"All Contributors\"/></a>",
@@ -277,5 +296,6 @@
   "repoType": "github",
   "repoHost": "https://github.com",
   "skipCi": true,
-  "commitConvention": "angular"
+  "commitConvention": "angular",
+  "commitType": "docs"
 }
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 
 <p align="center">
   <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-<a href="#contributors"><img src="https://img.shields.io/badge/all_contributors-28-orange.svg?style=flat-square" alt="All Contributors"/></a>
+<a href="#contributors"><img src="https://img.shields.io/badge/all_contributors-29-orange.svg?style=flat-square" alt="All Contributors"/></a>
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
   <a href="https://www.npmjs.com/package/superjson">
     <img alt="npm" src="https://img.shields.io/npm/v/superjson" />
@@ -75,7 +75,9 @@ const jsonString = superjson.stringify({ date: new Date(0) });
 And parse your JSON like so:
 
 ```js
-const object = superjson.parse < { date: Date } > jsonString;
+const object = superjson.parse<
+{ date: Date }
+>(jsonString);
 
 // object === { date: new Date(0) }
 ```
@@ -322,6 +324,10 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
       <td align="center" valign="top" width="14.28%"><a href="http://www.maxmalm.se"><img src="https://avatars.githubusercontent.com/u/430872?v=4?s=100" width="100px;" alt="Max Malm"/><br /><sub><b>Max Malm</b></sub></a><br /><a href="https://github.com/blitz-js/superjson/commits?author=benjick" title="Documentation">📖</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/tylercollier"><img src="https://avatars.githubusercontent.com/u/366538?v=4?s=100" width="100px;" alt="Tyler Collier"/><br /><sub><b>Tyler Collier</b></sub></a><br /><a href="https://github.com/blitz-js/superjson/commits?author=tylercollier" title="Documentation">📖</a></td>
     </tr>
+    <tr>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/kidqueb"><img src="https://avatars.githubusercontent.com/u/884128?v=4?s=100" width="100px;" alt="Nick Quebbeman"/><br /><sub><b>Nick Quebbeman</b></sub></a><br /><a href="https://github.com/blitz-js/superjson/issues?q=author%3Akidqueb" title="Bug reports">🐛</a> <a href="https://github.com/blitz-js/superjson/commits?author=kidqueb" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://macwright.com/"><img src="https://avatars.githubusercontent.com/u/32314?v=4?s=100" width="100px;" alt="Tom MacWright"/><br /><sub><b>Tom MacWright</b></sub></a><br /><a href="https://github.com/blitz-js/superjson/issues?q=author%3Atmcw" title="Bug reports">🐛</a> <a href="https://github.com/blitz-js/superjson/commits?author=tmcw" title="Code">💻</a></td>
+    </tr>
   </tbody>
 </table>
 

diff --git a/package.json b/package.json
@@ -1,8 +1,9 @@
 {
-  "version": "2.0.0",
+  "version": "2.1.0",
   "license": "MIT",
   "type": "module",
   "typings": "dist/index.d.ts",
+  "main": "./dist/index.js",
   "exports": {
     ".": "./dist/index.js"
   },

diff --git a/src/index.test.ts b/src/index.test.ts
@@ -1054,6 +1054,17 @@ test('regression: `Object.create(null)` / object without prototype', () => {
   expect(parsed.date).toBeInstanceOf(Date);
 });
 
+test.each(['__proto__', 'prototype', 'constructor'])(
+  'serialize prototype pollution: %s',
+  forbidden => {
+    expect(() => {
+      SuperJSON.serialize({
+        [forbidden]: 1,
+      });
+    }).toThrowError(/This is a prototype pollution risk/);
+  }
+);
+
 test('prototype pollution - __proto__', () => {
   expect(() => {
     SuperJSON.parse(

diff --git a/src/plainer.ts b/src/plainer.ts
@@ -216,6 +216,16 @@ export const walker = (
   const innerAnnotations: Record<string, Tree<TypeAnnotation>> = {};
 
   forEach(transformed, (value, index) => {
+    if (
+      index === '__proto__' ||
+      index === 'constructor' ||
+      index === 'prototype'
+    ) {
+      throw new Error(
+        `Detected property ${index}. This is a prototype pollution risk, please remove it from your object.`
+      );
+    }
+
     const recursiveResult = walker(
       value,
       identities,