1 | import { hasOwnProperty } from './object.js';
|
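/**
 * Get a property of a plain object.
 *
 * The value is only returned when `object` passes isPlainObject and `prop`
 * passes isSafeProperty. Every other combination ends in an Error, so a
 * caller can treat a normal return as "this read was allowed".
 *
 * @param {Object} object
 * @param {string} prop
 * @return {*} Returns the property value when safe
 * @throws {Error} When the object is not a plain object, when the property
 *                 is not considered safe, or when `prop` names a method
 */
function getSafeProperty(object, prop) {
  // only allow getting safe properties of a plain object
  if (isPlainObject(object) && isSafeProperty(object, prop)) {
    return object[prop];
  }

  // Guard against null/undefined first: without it the lookup below raises a
  // TypeError instead of the "No access" error this function is meant to throw.
  // NOTE(review): object[prop] is read here on values that already failed the
  // plain-object check, so an accessor on such an object runs just to choose
  // the error message. prop is assumed to be a string primitive; confirm that
  // callers never pass an object whose string conversion can vary between reads.
  if (object != null && typeof object[prop] === 'function' && isSafeMethod(object, prop)) {
    throw new Error(`Cannot access method "${prop}" as a property`);
  }

  throw new Error(`No access to property "${prop}"`);
}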
|
/**
 * Set a property on a plain object.
 *
 * The write only happens when `object` passes isPlainObject and `prop`
 * passes isSafeProperty; names inherited from the root prototypes
 * (such as .constructor or .toString) are therefore refused.
 *
 * @param {Object} object
 * @param {string} prop
 * @param {*} value
 * @return {*} Returns the value
 * @throws {Error} When the object is not a plain object or the property
 *                 is not considered safe
 */
// TODO: merge this function into access.js?
function setSafeProperty(object, prop, value) {
  // both checks must pass before anything is written
  const writeAllowed = isPlainObject(object) && isSafeProperty(object, prop);

  if (!writeAllowed) {
    throw new Error('No access to property "' + prop + '"');
  }

  object[prop] = value;
  return value;
}
|
/**
 * Test whether a property is safe to use for an object.
 * For example .toString and .constructor are not safe.
 *
 * The decision is made on the property name: a small allowlist is accepted,
 * then every name present on Object.prototype or Function.prototype is
 * refused, and anything else is accepted. Names that exist only on other
 * prototypes are not refused here; getSafeProperty and setSafeProperty
 * additionally require a plain object.
 *
 * @param {Object} object
 * @param {string} prop
 * @return {boolean} Returns true when safe
 */
function isSafeProperty(object, prop) {
  // anything that is not a non-null object is refused outright
  const isObjectValue = Boolean(object) && typeof object === 'object';
  if (!isObjectValue) {
    return false;
  }

  // SAFE: whitelisted, e.g. length
  // This check must stay ahead of the prototype checks below.
  if (hasOwnProperty(safeNativeProperties, prop)) {
    return true;
  }

  // UNSAFE: inherited from Object prototype (e.g. constructor)
  // or from Function prototype (e.g. call, apply).
  // 'in' is used instead of hasOwnProperty for nodejs v0.10, which is
  // inconsistent on root prototypes. It is safe here because both
  // Object.prototype and Function.prototype are root objects.
  const shadowsRootPrototype = prop in Object.prototype || prop in Function.prototype;

  return !shadowsRootPrototype;
}
|
/**
 * Validate whether a method is safe.
 * Throws an error when that's not the case.
 *
 * @param {Object} object
 * @param {string} method
 * @throws {Error} When isSafeMethod(object, method) returns false
 */
// TODO: merge this function into assign.js?
function validateSafeMethod(object, method) {
  const allowed = isSafeMethod(object, method);

  if (allowed) {
    return;
  }

  throw new Error('No access to method "' + method + '"');
}
|
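/**
 * Check whether a method is safe.
 *
 * This function reports its verdict through the return value and does not
 * throw for an unsafe method (for example `constructor` yields false);
 * validateSafeMethod is the throwing variant.
 *
 * @param {Object} object
 * @param {string} method
 * @return {boolean} Returns true when safe, false otherwise
 */
function isSafeMethod(object, method) {
  // NOTE(review): typeof object[method] reads the property, so an accessor
  // defined under that name runs before any safety decision is made.
  if (object === null || object === undefined || typeof object[method] !== 'function') {
    return false;
  }

  // UNSAFE: ghosted
  // e.g overridden toString
  // Note that IE10 doesn't support __proto__ and we can't do this check there.
  if (hasOwnProperty(object, method) && Object.getPrototypeOf) {
    const proto = Object.getPrototypeOf(object);

    // An object created with Object.create(null) has a null prototype and
    // `method in null` throws a TypeError. With no prototype there is nothing
    // the own method could shadow, so the remaining checks decide.
    if (proto !== null && method in proto) {
      return false;
    }
  }

  // SAFE: whitelisted
  // e.g toString
  if (hasOwnProperty(safeNativeMethods, method)) {
    return true;
  }

  // UNSAFE: inherited from Object prototype
  // e.g constructor
  if (method in Object.prototype) {
    // 'in' is used instead of hasOwnProperty for nodejs v0.10
    // which is inconsistent on root prototypes. It is safe
    // here because Object.prototype is a root object
    return false;
  }

  // UNSAFE: inherited from Function prototype
  // e.g call, apply
  if (method in Function.prototype) {
    // 'in' is used instead of hasOwnProperty for nodejs v0.10
    // which is inconsistent on root prototypes. It is safe
    // here because Function.prototype is a root object
    return false;
  }

  return true;
}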
|
144 |
|
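/**
 * Test whether a value looks like a plain object, i.e. a non-null object
 * whose `constructor` property is the global Object.
 *
 * NOTE(review): the test reads the `constructor` property, which any object
 * can define, so this is a shape heuristic rather than a prototype check.
 * Objects with a null prototype and objects from another realm are reported
 * as not plain.
 *
 * @param {*} object
 * @return {boolean} Returns true for a plain object, false otherwise
 */
function isPlainObject(object) {
  // Compare against null explicitly so the result is always a boolean;
  // `typeof null` is 'object', and a bare `&& object` would return null.
  return typeof object === 'object' && object !== null && object.constructor === Object;
}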
|
148 |
|
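// Allowlist of property names that isSafeProperty accepts before it applies
// the root-prototype checks. Frozen so the policy cannot be widened at
// runtime. Kept as `var` so the binding stays hoisted above the functions
// that read it.
var safeNativeProperties = Object.freeze({
  length: true,
  name: true
});

// Allowlist of method names that isSafeMethod accepts even though they exist
// on Object.prototype. Frozen for the same reason as the list above.
var safeNativeMethods = Object.freeze({
  toString: true,
  valueOf: true,
  toLocaleString: true
});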
|
// Public surface of this module: the property/method safety helpers.
export {
  getSafeProperty,
  setSafeProperty,
  isSafeProperty,
  validateSafeMethod,
  isSafeMethod,
  isPlainObject
};