From 41dd4559d44de14767915bd88cfdb5864bf0db2d Mon Sep 17 00:00:00 2001
From: Eric Hwang
Date: Tue, 5 Dec 2023 10:31:34 -0800
Subject: [PATCH 1/2] Guard against prototype pollution in json0

---
 lib/json0.js | 7 ++++++-
 test/json0.coffee | 10 ++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/json0.js b/lib/json0.js
index 9f538ee..591c940 100644
--- a/lib/json0.js
+++ b/lib/json0.js
@@ -32,6 +32,8 @@ var isObject = function(obj) {
   return (!!obj) && (obj.constructor === Object);
 };
+var hasOwn = Object.hasOwn || Object.prototype.hasOwnProperty.call;
+
 /**
  * Clones the passed object using JSON serialization (which is slow).
  *
@@ -55,7 +57,7 @@ var json = {
 // You can register another OT type as a subtype in a JSON document using
 // the following function. This allows another type to handle certain
 // operations instead of the builtin JSON type.
-var subtypes = {};
+var subtypes = Object.create(null);
 json.registerSubtype = function(subtype) {
   subtypes[subtype.name] = subtype;
 };
@@ -157,6 +159,9 @@ json.apply = function(snapshot, op) {
     for (var j = 0; j < c.p.length; j++) {
       var p = c.p[j];
+      if (p in elem && !hasOwn(elem, p))
+        throw new Error('Path invalid');
+
       parent = elem;
       parentKey = key;
       elem = elem[key];
diff --git a/test/json0.coffee b/test/json0.coffee
index e2ee6df..95b5403 100644
--- a/test/json0.coffee
+++ b/test/json0.coffee
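Review bot: The fallback in `var hasOwn = Object.hasOwn || Object.prototype.hasOwnProperty.call;` does not work: the right-hand operand is the bare `Function.prototype.call`, so on a runtime without `Object.hasOwn` (older Node releases) `hasOwn(elem, p)` invokes `call` with an undefined receiver and throws a TypeError instead of returning a boolean. Because the guard added in the `json.apply` hunk below evaluates `hasOwn` for every path key that exists in `elem`, ordinary ops on such runtimes would fail, not only the ones aimed at inherited properties. Keep the receiver bound: `var hasOwn = Object.hasOwn || function(obj, key) { return Object.prototype.hasOwnProperty.call(obj, key); };`. A one-line comment such as `// Own-property test that also works for objects without hasOwnProperty (Object.create(null))` would explain why the helper exists next to `isObject`.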
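Review bot: The new guard checks `p` against the wrong object: at that point `elem` is still the level above, since the descent `elem = elem[key];` a few lines later uses `key` (the previous path element), so `p` is tested on the object that `key`, not `p`, indexes. It still rejects `__proto__` and `constructor` because every plain object inherits them, but a nested object that legitimately owns such a key is refused when its parent does not (e.g. snapshot `{x:{constructor:'a'}}` with path `['x','constructor']`), and an intermediate primitive would make `in` raise a TypeError rather than 'Path invalid'. Move the check below `elem = elem[key];` and restrict it to objects: `if (elem !== null && typeof elem === 'object' && p in elem && !hasOwn(elem, p)) throw new Error('Path invalid');`. The loop body and the rest of `json.apply` continue outside the hunk, so the placement relative to any existing null check there should be confirmed.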
@@ -418,6 +418,16 @@ genTests = (type) ->
       assert.deepEqual [], type.transform [{p:['k'], od:'x'}], [{p:['k'], od:'x'}], 'left'
       assert.deepEqual [], type.transform [{p:['k'], od:'x'}], [{p:['k'], od:'x'}], 'right'
+    it 'disallows reassignment of special JS property names', ->
+      assert.throws -> type.apply {x:'a'}, [{p:['__proto__'], oi:'oops'}]
+      assert.throws -> type.apply {x:{y:'a'}}, [{p:['x', '__proto__'], oi:'oops'}]
+      assert.throws -> type.apply {x:'a'}, [{p:['constructor'], oi:'oops'}]
+      assert.throws -> type.apply {x:{y:'a'}}, [{p:['x', 'constructor'], oi:'oops'}]
+
+    it 'disallows modification of prototype property objects', ->
+      obj = {x:'a'}
+      assert.throws -> type.apply obj, [{p:['toString', 'name'], oi:'oops'}]
+
+
     it 'throws when the insertion key is a number', ->
       assert.throws -> type.apply {'1':'a'}, [{p:[2], oi: 'a'}]

From 7c4ff7ab3e80d679f6c1516f43c1e8c992c842d9 Mon Sep 17 00:00:00 2001
From: Eric Hwang
Date: Tue, 5 Dec 2023 10:32:28 -0800
Subject: [PATCH 2/2] Pin to non-broken version of colors, used by ot-fuzzer > cli-progress

---
 package.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package.json b/package.json
index 5a3b2aa..64e1cf0 100644
--- a/package.json
+++ b/package.json
@@ -12,6 +12,7 @@
   "dependencies": {},
   "devDependencies": {
     "coffee-script": "^1.7.1",
+    "colors": "1.4.0",
     "mocha": "^9.0.2",
     "ot-fuzzer": "^1.0.0"
   },
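Review bot: The new `assert.throws` cases do not constrain the error, so they also pass on a runtime without `Object.hasOwn`, where the `hasOwn` fallback in lib/json0.js raises a TypeError before the guard's own error is reached; asserting on the message, e.g. `assert.throws (-> type.apply {x:'a'}, [{p:['__proto__'], oi:'oops'}]), /Path invalid/`, pins the intended rejection. A positive case is also missing: an own key that shadows an inherited name must remain editable, e.g. `assert.deepEqual {x:{constructor:'b'}}, type.apply {x:{constructor:'a'}}, [{p:['x','constructor'], od:'a', oi:'b'}]`, which documents that the guard targets inherited properties only. Since the check lives in the shared path walk rather than in the `oi` handling, one case using another op kind (`od`, `li` or `si`) on a `__proto__` path would show the coverage is not `oi`-specific.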