fix: validator.isValid is not a function for certain objects

Objects with keys like `valueOf`, `toString`, and `__proto__` cause a `TypeError` to be raised when calling `jwt.sign`. This is because the key technically does exist on the `schema` param of `validate`, when checked with `if (schema[key]) {}`. Using `Object.prototype.hasOwnProperty` solves the issue.
auth0 · Nov 3, 2023 · fe2805f · fe2805f
1 parent bc28861
commit fe2805f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/sign.js b/sign.js
@@ -45,13 +45,13 @@ function validate(schema, allowUnknown, object, parameterName) {
   }
   Object.keys(object)
     .forEach(function(key) {
-      const validator = schema[key];
-      if (!validator) {
+      if (!Object.prototype.hasOwnProperty.call(schema, key)) {
         if (!allowUnknown) {
           throw new Error('"' + key + '" is not allowed in "' + parameterName + '"');
         }
         return;
       }
+      const validator = schema[key];
       if (!validator.isValid(object[key])) {
         throw new Error(validator.message);
       }

diff --git a/test/issue_945.tests.js b/test/issue_945.tests.js
@@ -0,0 +1,12 @@
+const jwt = require("..");
+
+const KEY = "any_key";
+
+describe("issue 945 - validator.isValid is not a function", () => {
+  it("should work", () => {
+    jwt.sign({ hasOwnProperty: null }, KEY);
+    jwt.sign({ valueOf: null }, KEY);
+    jwt.sign({ toString: null }, KEY);
+    jwt.sign({ __proto__: null }, KEY);
+  });
+});