Headline
CVE-2022-41713: GitHub - mattphillips/deep-object-diff: Deep diffs two objects, including nested structures of arrays and objects, and returns the difference. ❄️
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
deep-object-diff
❄️
Deep diff two JavaScript Objects
A small library that can deep diff two JavaScript Objects, including nested structures of arrays and objects.
Installation
yarn add deep-object-diff
npm i --save deep-object-diff
Functions available:
diff(originalObj, updatedObj) returns the difference of the original and updated objects
addedDiff(original, updatedObj) returns only the values added to the updated object
deletedDiff(original, updatedObj) returns only the values deleted in the updated object
updatedDiff(original, updatedObj) returns only the values that have been changed in the updated object
detailedDiff(original, updatedObj) returns an object with the added, deleted and updated differences
Importing
import { diff, addedDiff, deletedDiff, updatedDiff, detailedDiff } from 'deep-object-diff';
Usage:
diff:
const lhs = {
  foo: {
    bar: {
      a: ['a', 'b'],
      b: 2,
      c: ['x', 'y'],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs = {
  foo: {
    bar: {
      a: ['a'], // index 1 ('b') deleted
      b: 2, // unchanged
      c: ['x', 'y', 'z'], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(diff(lhs, rhs)); // =>
/*
{
  foo: {
    bar: {
      a: { '1': undefined },
      c: { '2': 'z' },
      d: 'Hello, world!',
      e: undefined
    }
  },
  buzz: 'fizz'
}
*/
addedDiff:
const lhs = {
  foo: {
    bar: {
      a: ['a', 'b'],
      b: 2,
      c: ['x', 'y'],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs = {
  foo: {
    bar: {
      a: ['a'], // index 1 ('b') deleted
      b: 2, // unchanged
      c: ['x', 'y', 'z'], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(addedDiff(lhs, rhs));
/*
{
  foo: {
    bar: {
      c: { '2': 'z' },
      d: 'Hello, world!'
    }
  }
}
*/
deletedDiff:
const lhs = {
  foo: {
    bar: {
      a: ['a', 'b'],
      b: 2,
      c: ['x', 'y'],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs = {
  foo: {
    bar: {
      a: ['a'], // index 1 ('b') deleted
      b: 2, // unchanged
      c: ['x', 'y', 'z'], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(deletedDiff(lhs, rhs));
/*
{
  foo: {
    bar: {
      a: { '1': undefined },
      e: undefined
    }
  }
}
*/
updatedDiff:
const lhs = {
  foo: {
    bar: {
      a: ['a', 'b'],
      b: 2,
      c: ['x', 'y'],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs = {
  foo: {
    bar: {
      a: ['a'], // index 1 ('b') deleted
      b: 2, // unchanged
      c: ['x', 'y', 'z'], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(updatedDiff(lhs, rhs));
/*
{
  buzz: 'fizz'
}
*/
detailedDiff:
const lhs = {
  foo: {
    bar: {
      a: ['a', 'b'],
      b: 2,
      c: ['x', 'y'],
      e: 100 // deleted
    }
  },
  buzz: 'world'
};

const rhs = {
  foo: {
    bar: {
      a: ['a'], // index 1 ('b') deleted
      b: 2, // unchanged
      c: ['x', 'y', 'z'], // 'z' added
      d: 'Hello, world!' // added
    }
  },
  buzz: 'fizz' // updated
};

console.log(detailedDiff(lhs, rhs));
/*
{
  added: {
    foo: {
      bar: {
        c: { '2': 'z' },
        d: 'Hello, world!'
      }
    }
  },
  deleted: {
    foo: {
      bar: {
        a: { '1': undefined },
        e: undefined
      }
    }
  },
  updated: {
    buzz: 'fizz'
  }
}
*/
License
MIT
Related news
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
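The class of flaw described above, as an added example that is not deep-object-diff's own code: a simplified recursive diff that collects result keys into a plain `{}` beside the same diff using a null-prototype accumulator, plus a key check for parsed JSON. The names `diffWith`, `unsafeDiff`, `safeDiff` and `findUnsafeKeys` are hypothetical, and the sample input is constructed.

```javascript
// Added example: a simplified recursive diff, NOT deep-object-diff's source code.
const isObject = (v) => v !== null && typeof v === 'object';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const SAME = Symbol('same'); // internal marker for "no difference"

// makeAcc decides what kind of object collects the result keys.
function diffWith(makeAcc, lhs, rhs) {
  if (lhs === rhs) return SAME;
  if (!isObject(lhs) || !isObject(rhs)) return rhs;
  const out = makeAcc();
  for (const key of Object.keys(lhs)) {
    if (!hasOwn(rhs, key)) out[key] = undefined; // deleted in rhs
  }
  for (const key of Object.keys(rhs)) {
    const d = hasOwn(lhs, key) ? diffWith(makeAcc, lhs[key], rhs[key]) : rhs[key];
    // On a plain {}, the key "__proto__" reaches the inherited setter and
    // replaces out's prototype instead of creating an own property.
    if (d !== SAME) out[key] = d;
  }
  return Object.keys(out).length ? out : SAME;
}
const makeDiff = (makeAcc) => (lhs, rhs) => {
  const d = diffWith(makeAcc, lhs, rhs);
  return d === SAME ? makeAcc() : d;
};
const unsafeDiff = makeDiff(() => ({}));            // accumulator inherits the __proto__ setter
const safeDiff = makeDiff(() => Object.create(null)); // no prototype, "__proto__" is just a key

// Input validation: report every path in parsed JSON that uses a prototype-related key.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function findUnsafeKeys(value, path = '$') {
  if (!isObject(value)) return [];
  return Object.keys(value).flatMap((k) => [
    ...(UNSAFE_KEYS.has(k) ? [`${path}.${k}`] : []),
    ...findUnsafeKeys(value[k], `${path}.${k}`),
  ]);
}

// Constructed sample input: JSON.parse keeps "__proto__" as an ordinary own key.
const incoming = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');
function demo() {
  const bad = unsafeDiff({ name: 'anon' }, incoming);
  const good = safeDiff({ name: 'anon' }, incoming);
  return {
    unsafe: { isAdmin: bad.isAdmin, keys: Object.keys(bad) },
    safe: { isAdmin: good.isAdmin, keys: Object.keys(good) },
    flagged: findUnsafeKeys(incoming),
  };
}
console.log(demo());
```

In the unsafe result `isAdmin` is readable although it never appears among the object's own keys, which is why checks that only enumerate keys miss it.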