Skip to content

Commit

Permalink
Avoid calling hasOwnProperty of user-controlled objects
Browse files Browse the repository at this point in the history
  • Loading branch information
rlidwka committed Dec 7, 2020
1 parent 34e5072 commit 9586ebe
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).


## [3.14.1] - 2020-12-07
### Security
- Fix possible code execution in (already unsafe) `.load()` (in &anchor).


## [3.14.0] - 2020-05-22
### Changed
- Support `safe/loadAll(input, options)` variant of call.
Expand Down
2 changes: 1 addition & 1 deletion lib/js-yaml/loader.js
Original file line number Diff line number Diff line change
Expand Up @@ -1272,7 +1272,7 @@ function readAlias(state) {

alias = state.input.slice(_position, state.position);

if (!state.anchorMap.hasOwnProperty(alias)) {
if (!_hasOwnProperty.call(state.anchorMap, alias)) {
throwError(state, 'unidentified alias "' + alias + '"');
}

Expand Down

0 comments on commit 9586ebe

Please # to comment.