From: Chris Duncan
Date: Tue, 22 Apr 2025 15:19:55 +0000 (-0700)
Subject: Check for object prototype pollution and update variable names.
X-Git-Url: https://zoso.dev/?a=commitdiff_plain;h=593f52c51362bca41676b037a13444505f8b820c;p=nano-pow.git
Check for object prototype pollution and update variable names.
---
diff --git a/src/bin/server.ts b/src/bin/server.ts
index 59b46a6..700e032 100755
--- a/src/bin/server.ts
+++ b/src/bin/server.ts
@@ -87,16 +87,20 @@ process.on('SIGHUP', async (): Promise => {
 await loadConfig()
 })
 
-async function respond (res: http.ServerResponse, data: Buffer[]): Promise {
+async function respond (res: http.ServerResponse, dataBuffer: Buffer[]): Promise {
 let statusCode: number = 500
 let headers: http.OutgoingHttpHeaders = { 'Content-Type': 'application/json' }
 let response: string = 'request failed'
 try {
- const datastring = Buffer.concat(data).toString()
+ const datastring = Buffer.concat(dataBuffer).toString()
 if (Buffer.byteLength(datastring) > MAX_BODY_SIZE) {
 throw new Error('Data too large.')
 }
- const { action, hash, work, difficulty }: WorkGenerateRequest | WorkValidateRequest = JSON.parse(datastring)
+ const data: WorkGenerateRequest | WorkValidateRequest = JSON.parse(datastring)
+ if (Object.getPrototypeOf(data) !== Object.prototype) {
+ throw new Error('Data corrupted.')
+ }
+ const { action, hash, work, difficulty } = data
 if (action !== 'work_generate' && action !== 'work_validate') {
 throw new Error('Action must be work_generate or work_validate.')
 }
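Review bot: The added `Object.getPrototypeOf(data) !== Object.prototype` guard does not catch the case the commit title names, because `JSON.parse` stores a `__proto__` key from the body as an ordinary own property and leaves the result's prototype as `Object.prototype`. In practice the guard rejects non-object JSON (arrays, numbers, strings), and a body of `null` makes `getPrototypeOf` throw a TypeError, presumably caught by the surrounding `try`, instead of raising 'Data corrupted.'. If the intent is to refuse such keys, extend the condition to `if (data === null || typeof data !== 'object' || Object.getPrototypeOf(data) !== Object.prototype || Object.prototype.hasOwnProperty.call(data, '__proto__'))`. I would also declare `data` as `unknown` until it has been validated, since the `WorkGenerateRequest | WorkValidateRequest` annotation on a `JSON.parse` result is not checked at runtime. The destructuring that follows reads only four named fields, so the real exposure depends on how the rest of `respond`, whose body continues outside this hunk, uses the parsed object.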