Throw for invalid keys

Mrtenz · Mrtenz · commit 981cac7c8222 · 2024-12-10T14:03:55.000+01:00
diff --git a/packages/snaps-rpc-methods/src/permitted/getState.test.ts b/packages/snaps-rpc-methods/src/permitted/getState.test.ts
@@ -29,11 +29,15 @@ describe('get', () => {
     expect(get(object, 'a.b.c.d')).toBeNull();
   });
 
-  it('returns `null` if the key is a prototype pollution attempt', () => {
-    expect(get(object, '__proto__.polluted')).toBeNull();
+  it('throws an error if the key is a prototype pollution attempt', () => {
+    expect(() => get(object, '__proto__.polluted')).toThrow(
+      'Invalid params: Key contains forbidden characters.',
+    );
   });
 
   it('returns `null` if the key is a constructor pollution attempt', () => {
-    expect(get(object, 'constructor.polluted')).toBeNull();
+    expect(() => get(object, 'constructor.polluted')).toThrow(
+      'Invalid params: Key contains forbidden characters.',
+    );
   });
 });
diff --git a/packages/snaps-rpc-methods/src/permitted/getState.ts b/packages/snaps-rpc-methods/src/permitted/getState.ts
@@ -166,7 +166,9 @@ export function get(
 
   for (const currentKey of keys) {
     if (['__proto__', 'constructor'].includes(currentKey)) {
-      return null;
+      throw rpcErrors.invalidParams(
+        'Invalid params: Key contains forbidden characters.',
+      );
     }
 
     if (isPlainObject(result)) {
diff --git a/packages/snaps-rpc-methods/src/permitted/setState.test.ts b/packages/snaps-rpc-methods/src/permitted/setState.test.ts
@@ -88,4 +88,16 @@ describe('set', () => {
       },
     });
   });
+
+  it('throws an error if the key is a prototype pollution attempt', () => {
+    expect(() => set({}, '__proto__.polluted', 'value')).toThrow(
+      'Invalid params: Key contains forbidden characters.',
+    );
+  });
+
+  it('throws an error if the key is a constructor pollution attempt', () => {
+    expect(() => set({}, 'constructor.polluted', 'value')).toThrow(
+      'Invalid params: Key contains forbidden characters.',
+    );
+  });
 });
diff --git a/packages/snaps-rpc-methods/src/permitted/setState.ts b/packages/snaps-rpc-methods/src/permitted/setState.ts
@@ -202,7 +202,9 @@ export function set(
   for (let i = 0; i < keys.length; i++) {
     const currentKey = keys[i];
     if (['__proto__', 'constructor'].includes(currentKey)) {
-      return {};
+      throw rpcErrors.invalidParams(
+        'Invalid params: Key contains forbidden characters.',
+      );
     }
 
     if (i === keys.length - 1) {

Original file line number	Diff line number	Diff line change
`@@ -166,7 +166,9 @@ export function get(`
`166`	`166`
`167`	`167`	`for (const currentKey of keys) {`
`168`	`168`	`if (['__proto__', 'constructor'].includes(currentKey)) {`
`169`		`- return null;`
	`169`	`+ throw rpcErrors.invalidParams(`
	`170`	`+ 'Invalid params: Key contains forbidden characters.',`
	`171`	`+ );`
`170`	`172`	`}`
`171`	`173`
`172`	`174`	`if (isPlainObject(result)) {`