Merge pull request from GHSA-prfq-f66g-43mp

Steve Hobbs · web-flow · commit 355ca749b229 · 2020-04-09T09:22:45.000+01:00
* Applied #1085 from auth0.js (fixes broken tests) * Added an object helper for setting properties at a deep level * Masking password in original error object
diff --git a/src/helper/object.js b/src/helper/object.js
@@ -168,6 +168,28 @@ function trimUserDetails(options) {
   return trimMultiple(options, ['username', 'email', 'phoneNumber']);
 }
 
+/**
+ * Updates the value of a property on the given object, using a deep path selector.
+ * @param {object} obj The object to set the property value on
+ * @param {string|array} path The path to the property that should have its value updated. e.g. 'prop1.prop2.prop3' or ['prop1', 'prop2', 'prop3']
+ * @param {any} value The value to set
+ */
+function updatePropertyOn(obj, path, value) {
+  if (typeof path === 'string') {
+    path = path.split('.');
+  }
+
+  var next = path[0];
+
+  if (obj.hasOwnProperty(next)) {
+    if (path.length === 1) {
+      obj[next] = value;
+    } else {
+      updatePropertyOn(obj[next], path.slice(1), value);
+    }
+  }
+}
+
 export default {
   toSnakeCase: toSnakeCase,
   toCamelCase: toCamelCase,
@@ -178,5 +200,6 @@ export default {
   extend: extend,
   getOriginFromUrl: getOriginFromUrl,
   getLocationFromUrl: getLocationFromUrl,
-  trimUserDetails: trimUserDetails
+  trimUserDetails: trimUserDetails,
+  updatePropertyOn: updatePropertyOn
 };
diff --git a/src/helper/response-handler.js b/src/helper/response-handler.js
@@ -27,6 +27,12 @@ function wrapCallback(cb, options) {
         original: err
       };
 
+      objectHelper.updatePropertyOn(
+        errObj,
+        'original.response.req._data.password',
+        '*****'
+      );
+
       if (err.response && err.response.statusCode) {
         errObj.statusCode = err.response.statusCode;
       }
diff --git a/test/helper/object.test.js b/test/helper/object.test.js
@@ -707,4 +707,62 @@ describe('helpers', function() {
       });
     });
   });
+
+  describe('setPropertyValue', function() {
+    it('can set a property at the first level of the object', function() {
+      var obj = {
+        one: 1,
+        two: 2,
+        three: 3
+      };
+
+      objectHelper.updatePropertyOn(obj, 'one', 'one');
+
+      expect(obj).to.eql({
+        one: 'one',
+        two: 2,
+        three: 3
+      });
+    });
+
+    it('can set a nested property', function() {
+      var obj = {
+        one: {
+          two: {
+            three: 3
+          }
+        }
+      };
+
+      objectHelper.updatePropertyOn(obj, 'one.two.three', 'three');
+
+      expect(obj).to.eql({
+        one: {
+          two: {
+            three: 'three'
+          }
+        }
+      });
+    });
+
+    it("does not add new values if the key doesn't already exist", function() {
+      var obj = {
+        one: {
+          two: {
+            three: 3
+          }
+        }
+      };
+
+      objectHelper.updatePropertyOn(obj, 'one.two.four', 4);
+
+      expect(obj).to.eql({
+        one: {
+          two: {
+            three: 3
+          }
+        }
+      });
+    });
+  });
 });
diff --git a/test/helper/response-handler.test.js b/test/helper/response-handler.test.js
@@ -241,4 +241,88 @@ describe('helpers responseHandler', function() {
       { keepOriginalCasing: true }
     )(null, assert_data);
   });
+
+  it('should mask the password object in the original response object', function(done) {
+    var assert_err = {
+      code: 'the_error_code',
+      error: 'The error description.',
+      response: {
+        req: {
+          _data: {
+            realm: 'realm',
+            client_id: 'client_id',
+            username: 'username',
+            password: 'this is a password'
+          }
+        }
+      }
+    };
+
+    responseHandler(function(err, data) {
+      expect(data).to.be(undefined);
+
+      expect(err).to.eql({
+        original: {
+          code: 'the_error_code',
+          error: 'The error description.',
+          response: {
+            req: {
+              _data: {
+                realm: 'realm',
+                client_id: 'client_id',
+                username: 'username',
+                password: '*****'
+              }
+            }
+          }
+        },
+        code: 'the_error_code',
+        description: 'The error description.'
+      });
+
+      done();
+    })(assert_err, null);
+  });
+
+  it('should mask the password object in the data object', function(done) {
+    var assert_err = {
+      code: 'the_error_code',
+      error: 'The error description.',
+      response: {
+        req: {
+          _data: {
+            realm: 'realm',
+            client_id: 'client_id',
+            username: 'username',
+            password: 'this is a password'
+          }
+        }
+      }
+    };
+
+    responseHandler(function(err, data) {
+      expect(data).to.be(undefined);
+
+      expect(err).to.eql({
+        original: {
+          code: 'the_error_code',
+          error: 'The error description.',
+          response: {
+            req: {
+              _data: {
+                realm: 'realm',
+                client_id: 'client_id',
+                username: 'username',
+                password: '*****'
+              }
+            }
+          }
+        },
+        code: 'the_error_code',
+        description: 'The error description.'
+      });
+
+      done();
+    })(assert_err, null);
+  });
 });
