Ignore settings on Object.prototype

expressjs · Feb 26, 2022 · e49bb35 · e49bb35
1 parent 6faf26d
commit e49bb35
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 7 deletions.
diff --git a/History.md b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Ignore `Object.prototype` values in settings
+
 5.0.0-beta.1 / 2022-02-14
 =========================
 

diff --git a/lib/application.js b/lib/application.js
@@ -56,7 +56,7 @@ app.init = function init() {
 
   this.cache = {};
   this.engines = {};
-  this.settings = {};
+  this.settings = Object.create(null);
 
   this.defaultConfiguration();
 

diff --git a/test/app.locals.js b/test/app.locals.js
@@ -1,16 +1,17 @@
 
+var assert = require('assert');
 var express = require('../')
 
 describe('app', function(){
   describe('.locals(obj)', function(){
     it('should merge locals', function(){
       var app = express();
-      Object.keys(app.locals).should.eql(['settings']);
+      assert.deepStrictEqual(Object.keys(app.locals), ['settings']);
       app.locals.user = 'tobi';
       app.locals.age = 2;
-      Object.keys(app.locals).should.eql(['settings', 'user', 'age']);
-      app.locals.user.should.equal('tobi');
-      app.locals.age.should.equal(2);
+      assert.deepStrictEqual(Object.keys(app.locals), ['settings', 'user', 'age']);
+      assert.strictEqual(app.locals.user, 'tobi');
+      assert.strictEqual(app.locals.age, 2);
     })
   })
 
@@ -19,8 +20,8 @@ describe('app', function(){
       var app = express();
       app.set('title', 'House of Manny');
       var obj = app.locals.settings;
-      obj.should.have.property('env', 'test');
-      obj.should.have.property('title', 'House of Manny');
+      assert.strictEqual(obj.env, 'test');
+      assert.strictEqual(obj.title, 'House of Manny');
     })
   })
 })
diff --git a/test/config.js b/test/config.js
@@ -10,6 +10,12 @@ describe('config', function () {
       assert.equal(app.get('foo'), 'bar');
     })
 
+    it('should set prototype values', function () {
+      var app = express()
+      app.set('hasOwnProperty', 42)
+      assert.strictEqual(app.get('hasOwnProperty'), 42)
+    })
+
     it('should return the app', function () {
       var app = express();
       assert.equal(app.set('foo', 'bar'), app);
@@ -20,6 +26,17 @@ describe('config', function () {
       assert.equal(app.set('foo', undefined), app);
     })
 
+    it('should return set value', function () {
+      var app = express()
+      app.set('foo', 'bar')
+      assert.strictEqual(app.set('foo'), 'bar')
+    })
+
+    it('should return undefined for prototype values', function () {
+      var app = express()
+      assert.strictEqual(app.set('hasOwnProperty'), undefined)
+    })
+
     describe('"etag"', function(){
       it('should throw on bad value', function(){
         var app = express();
@@ -50,6 +67,11 @@ describe('config', function () {
       assert.strictEqual(app.get('foo'), undefined);
     })
 
+    it('should return undefined for prototype values', function () {
+      var app = express()
+      assert.strictEqual(app.get('hasOwnProperty'), undefined)
+    })
+
     it('should otherwise return the value', function(){
       var app = express();
       app.set('foo', 'bar');
@@ -124,6 +146,12 @@ describe('config', function () {
       assert.equal(app.enable('tobi'), app);
       assert.strictEqual(app.get('tobi'), true);
     })
+
+    it('should set prototype values', function () {
+      var app = express()
+      app.enable('hasOwnProperty')
+      assert.strictEqual(app.get('hasOwnProperty'), true)
+    })
   })
 
   describe('.disable()', function(){
@@ -132,6 +160,12 @@ describe('config', function () {
       assert.equal(app.disable('tobi'), app);
       assert.strictEqual(app.get('tobi'), false);
     })
+
+    it('should set prototype values', function () {
+      var app = express()
+      app.disable('hasOwnProperty')
+      assert.strictEqual(app.get('hasOwnProperty'), false)
+    })
   })
 
   describe('.enabled()', function(){
@@ -145,6 +179,11 @@ describe('config', function () {
       app.set('foo', 'bar');
       assert.strictEqual(app.enabled('foo'), true);
     })
+
+    it('should default to false for prototype values', function () {
+      var app = express()
+      assert.strictEqual(app.enabled('hasOwnProperty'), false)
+    })
   })
 
   describe('.disabled()', function(){
@@ -158,5 +197,10 @@ describe('config', function () {
       app.set('foo', 'bar');
       assert.strictEqual(app.disabled('foo'), false);
     })
+
+    it('should default to true for prototype values', function () {
+      var app = express()
+      assert.strictEqual(app.disabled('hasOwnProperty'), true)
+    })
   })
 })