Merge pull request #641 from AikidoSec/data-schema-non-string-keys

Simplify getDataSchema & add __proto__ test

Author: hansott

library/agent/api-discovery/getDataSchema.test.ts

@@ -185,3 +185,25 @@ t.test("test max properties", async (t) => {
   const schema2 = getDataSchema(obj2);
   t.same(Object.keys(schema2.properties!).length, 100);
 });
+
+t.test("it ignores __proto__ property", async (t) => {
+  const data = {
+    __proto__: { malicious: "data" },
+    test: "value",
+    0: "zero",
+    [Symbol("sym")]: "symbolValue",
+  };
+
+  const schema = getDataSchema(data);
+  t.same(schema, {
+    type: "object",
+    properties: {
+      test: {
+        type: "string",
+      },
+      0: {
+        type: "string",
+      },
+    },
+  });
+});

library/agent/api-discovery/getDataSchema.ts

@@ -65,17 +65,15 @@ export function getDataSchema(data: unknown, depth = 0): DataSchema {
   // If the depth is less than the maximum depth, get the schema for each property
   if (depth < maxDepth) {
     let propertiesCount = 0;
-    for (const key in data) {
+    for (const key of Object.keys(data)) {
       if (propertiesCount >= maxProperties) {
         break;
       }
       propertiesCount++;
-      if (Object.prototype.hasOwnProperty.call(data, key)) {
-        schema.properties![key] = getDataSchema(
-          (data as { [index: string]: unknown })[key],
-          depth + 1
-        );
-      }
+      schema.properties![key] = getDataSchema(
+        (data as { [index: string]: unknown })[key],
+        depth + 1
+      );
     }
   }