Fix Prototype Pollution

.gitignore

@@ -1,2 +1,4 @@
 lib-cov
 node_modules
+.vscode
+package-lock.json

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 2.0.2
+
+- fix(security): :lock: Prototype Pollution in cli-tableau
+- feat(test): :lock: Prototype Pollution security test
+
 ## 2.0.0
 
 - add borders: false option
@@ -12,55 +17,54 @@
 0.3.1 / 2014-10-22
 ==================
 
- * fix example for new paths
- * Readme badges
- * Lighter production installs
- * Safe colors
- * In addition to 256-xterm ansi colors, handle 24-bit colors
- * set up .travis.yml
+- fix example for new paths
+- Readme badges
+- Lighter production installs
+- Safe colors
+- In addition to 256-xterm ansi colors, handle 24-bit colors
+- set up .travis.yml
 
 0.3.0 / 2014-02-02
 ==================
 
- * Switch version of colors to avoid npm broken-ness
- * Handle custom colored strings correctly
- * Removing var completely as return var width caused other problems.
- * Fixing global leak of width variable.
- * Omit horizontal decoration lines if empty
- * Add a test for the the compact mode
- * Make line() return the generated string instead of appending it to ret
- * Customize the vertical cell separator separately from the right one
- * Allow newer versions of colors to be used
- * Added test for bordercolor
- * Add bordercolor in style options and enable deepcopy of options
+- Switch version of colors to avoid npm broken-ness
+- Handle custom colored strings correctly
+- Removing var completely as return var width caused other problems.
+- Fixing global leak of width variable.
+- Omit horizontal decoration lines if empty
+- Add a test for the the compact mode
+- Make line() return the generated string instead of appending it to ret
+- Customize the vertical cell separator separately from the right one
+- Allow newer versions of colors to be used
+- Added test for bordercolor
+- Add bordercolor in style options and enable deepcopy of options
 
 0.2.0 / 2012-10-21
 ==================
 
-  * test: avoid module dep in tests
-  * fix type bug on integer vertical table value
-  * handle newlines in vertical and cross tables
-  * factor out common style setting function
-  * handle newlines in body cells
-  * fix render bug when no header provided
-  * correctly calculate width of cells with newlines
-  * handles newlines in header cells
-  * ability to create cross tables
-  * changing table chars to ones that windows supports
-  * allow empty arguments to Table constructor
-  * fix headless tables containing empty first row
-  * add vertical tables
-  * remove reference to require.paths
-  * compact style for dense tables
-  * fix toString without col widths by cloning array
-  * [api]: Added abiltity to strip out ANSI color escape codes when calculating cell padding
+- test: avoid module dep in tests
+- fix type bug on integer vertical table value
+- handle newlines in vertical and cross tables
+- factor out common style setting function
+- handle newlines in body cells
+- fix render bug when no header provided
+- correctly calculate width of cells with newlines
+- handles newlines in header cells
+- ability to create cross tables
+- changing table chars to ones that windows supports
+- allow empty arguments to Table constructor
+- fix headless tables containing empty first row
+- add vertical tables
+- remove reference to require.paths
+- compact style for dense tables
+- fix toString without col widths by cloning array
+- [api]: Added abiltity to strip out ANSI color escape codes when calculating cell padding
 
 0.0.1 / 2011-01-03
 ==================
 
 Initial release
 
-
 ## Jun 28, 2017
 
 Fork of `Automattic/cli-table`

README.md

@@ -5,8 +5,8 @@
   <img src="https://travis-ci.org/keymetrics/cli-tableau.svg?branch=master" alt="Build Status"/>
 </a>
 
-
 ### Horizontal Tables
+
 ```javascript
 var Table = require('cli-tableau');
 
@@ -39,6 +39,7 @@ console.log(table.toString());
 ```
 
 ### Cross Tables
+
 Cross tables are very similar to vertical tables, with two key differences:
 
 1. They require a `head` setting when instantiated that has an empty string as the first header
@@ -59,6 +60,7 @@ console.log(table.toString());
 ### Custom styles
 
 The ```chars``` property controls how the table is drawn:
+
 ```javascript
 var table = new Table({
   chars: {
@@ -86,6 +88,7 @@ console.log(table.toString());
 
 Empty decoration lines will be skipped, to avoid vertical separator rows just
 set the 'mid', 'left-mid', 'mid-mid', 'right-mid' to the empty string:
+
 ```javascript
 var table = new Table({ chars: {'mid': '', 'left-mid': '', 'mid-mid': '', 'right-mid': ''} });
 table.push(
@@ -104,6 +107,7 @@ console.log(table.toString());
 By setting all chars to empty with the exception of 'middle' being set to a
 single space and by setting padding to zero, it's possible to get the most
 compact layout with no decorations:
+
 ```javascript
 var table = new Table({
   chars: {

examples/revs.js

@@ -1,55 +1,80 @@
-
 /**
  * Module requirements.
  */
 
-var Table = require('../lib')
+var Table = require("../lib");
 
 /**
  * Example.
  */
 
 /* col widths */
 var table = new Table({
-  head: ['Rel', 'Change', 'By', 'When'],
-  colWidths: [6, 21, 25, 17]
-})
+  head: ["Rel", "Change", "By", "When"],
+  colWidths: [6, 21, 25, 17],
+});
 
 table.push(
-    ['v0.1', 'Testing something cool', '[email protected]', '7 minutes ago']
-  , ['v0.1', 'Testing something cool', '[email protected]', '8 minutes ago']
-)
+  ["v0.1", "Testing something cool", "[email protected]", "7 minutes ago"],
+  ["v0.1", "Testing something cool", "[email protected]", "8 minutes ago"]
+);
 
-console.log(table.toString())
+console.log(table.toString());
 
 /* compact */
 var table2 = new Table({
-  head: ['Rel', 'Change', 'By', 'When'],
+  head: ["Rel", "Change", "By", "When"],
   colWidths: [6, 21, 25, 17],
-  style: {compact: true, 'padding-left': 1}
-})
+  style: { compact: true, "padding-left": 1 },
+});
 
 table2.push(
-    ['v0.1', 'Testing something cool', '[email protected]', '7 minutes ago']
-  , ['v0.1', 'Testing something cool', '[email protected]', '8 minutes ago']
-  , []
-  , ['v0.1', 'Testing something cool', '[email protected]', '8 minutes ago']
-)
+  ["v0.1", "Testing something cool", "[email protected]", "7 minutes ago"],
+  ["v0.1", "Testing something cool", "[email protected]", "8 minutes ago"],
+  [],
+  ["v0.1", "Testing something cool", "[email protected]", "8 minutes ago"]
+);
 
-console.log(table.toString())
+console.log(table.toString());
 
 /* headless */
-var headlessTable = new Table()
-headlessTable.push(['v0.1', 'Testing something cool', '[email protected]', '7 minutes ago'])
-console.log(headlessTable.toString())
+var headlessTable = new Table();
+headlessTable.push([
+  "v0.1",
+  "Testing something cool",
+  "[email protected]",
+  "7 minutes ago",
+]);
+console.log(headlessTable.toString());
 
 /* vertical */
-var verticalTable = new Table()
-verticalTable.push({'Some Key': 'Some Value'}, {'Another much longer key': 'And its corresponding longer value'})
+var verticalTable = new Table();
+verticalTable.push(
+  { "Some Key": "Some Value" },
+  { "Another much longer key": "And its corresponding longer value" }
+);
 
-console.log(verticalTable.toString())
+console.log(verticalTable.toString());
 
 /* cross */
-var crossTable = new Table({head: ['', 'Header #1', 'Header #2']})
-crossTable.push({'Header #3': ['Value 1', 'Value 2']}, {'Header #4': ['Value 3', 'Value 4']})
-console.log(crossTable.toString())
+var crossTable = new Table({ head: ["", "Header #1", "Header #2"] });
+crossTable.push(
+  { "Header #3": ["Value 1", "Value 2"] },
+  { "Header #4": ["Value 3", "Value 4"] }
+);
+console.log(crossTable.toString());
+
+/* Prototype Pollution in cli-tableau */
+let attackerObject =
+  '{"__proto__":{"attackerControlledValue":"Attackers Payload"},"proto":{"attackPropFromProto":"changed"},"constructor":{"prototype":{"attackPropFromConstructorProto":"changed"}}}';
+
+let attackedTable = new Table(JSON.parse(attackerObject));
+
+attackedTable.push({
+  Vulnerability: [
+    "Prototype Pollution",
+    !!attackedTable.options.attackerControlledValue,
+  ],
+});
+
+console.log(attackedTable.toString());